Batch Java process (daemon) that polls office365 email accounts using OAUTH2 (javamail)

Welton, Craig 1 Reputation point
2021-09-27T12:45:30.123+00:00

We have an existing standalone java application that periodically connects to and monitors email accounts in outlook365. It is currently using BASIC authentication with IMAP and works great. I have been asked to change to MODERN authentication. With no Azure AD experience I've been researching and trying to understand what the proper flow is from an app with no browser or interactive capability (a service). I created an application in azure and setup the security grants, but I'm not understanding the proper sequence of calls and parameters to get the access token for OAUTH2. Any help would be greatly appreciated.

thanks,
Craig


3 answers

  1. Shweta Mathur 27,936 Reputation points Microsoft Employee
    2021-09-28T17:42:28.703+00:00

    Hi @Welton, Craig

    For daemon applications, the general recommendation is to use the OAuth 2.0 Client Credentials grant flow, which does not require immediate interaction with the user.

    The steps to get the access token for OAuth 2.0 for daemon applications are:

    1. Register your application in your Azure Active Directory tenant.
    2. In the Certificates & secrets page, in the Client secrets section, choose New client secret, create the key and save the value (this key value will not be displayed again).
    3. In API permissions, select the Application permissions from Microsoft Graph and select right permission needed for application.
    4. Configure the project with client Id, Tenant Id and Client Secret in configuration file of project.
    5. Send the post request to https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token endpoint with below request to get the access token.
      grant_type = client_credentials
      scope = https://graph.microsoft.com/.default
      client_secret = secretValue(saved earlier)
    6. Now that you've acquired a token, use that access token(refresh token) to make requests to the resource.

    Reference doc:
    https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow


  2. Welton, Craig 1 Reputation point
    2021-09-28T18:04:51.113+00:00

    Hi ShwetaMathur,

    I really appreciate your answer. That was the original route I attempted when trying to solve the problem. Unfortunately, the client credentials grant flow is not supported for IMAP. Below is from https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth#authenticate-connection-requests

    OAuth access to IMAP, POP, SMTP AUTH protocols via OAuth2 client credentials grant flow is not supported. If your application needs persistent access to all mailboxes in a Microsoft 365 organization, we recommend that you use the Microsoft Graph APIs which allow access without a user, enable granular permissions and let administrators scope such access to a specific set of mailboxes.

    It's here where I get lost.

    thanks
    Craig


  3. Nicolas Forney 1 Reputation point
    2022-07-20T13:17:53.477+00:00

    IMAP and POP auth protocol with OAuth2 is now supported for client credentials flow.

    See this release note: https://techcommunity.microsoft.com/t5/exchange-team-blog/announcing-oauth-2-0-client-credentials-flow-support-for-pop-and/ba-p/3562963

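Putting the first answer's token steps together with the IMAP support announced in the third answer, here is an added example (not code from this thread or from Microsoft) of the daemon flow in Java: a client credentials POST to the v2.0 token endpoint, then an IMAP XOAUTH2 login with JavaMail using the token in place of the password. It assumes Java 11+ and Jakarta Mail 2.x (use the javax.mail package prefix for older JavaMail); the tenant id, client id, mailbox address and the IMAP_CLIENT_SECRET environment variable are placeholders.

```java
import jakarta.mail.Folder;
import jakarta.mail.Session;
import jakarta.mail.Store;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Properties;
import java.util.regex.Pattern;

public class ImapOAuthDaemon {
    // Placeholders: your tenant, app registration and the mailbox the daemon polls.
    static final String TENANT = "<tenant-id>";
    static final String CLIENT_ID = "<client-id>";
    static final String CLIENT_SECRET = System.getenv("IMAP_CLIENT_SECRET"); // keep out of config files in source control
    static final String MAILBOX = "monitored@example.com";

    // Step 5 of the first answer. For IMAP the resource is Exchange Online, so the scope is
    // outlook.office365.com/.default (not Graph); the app also needs the Exchange Online
    // application permission IMAP.AccessAsApp and mailbox access granted on the Exchange side.
    static String fetchAccessToken() throws Exception {
        String body = "grant_type=client_credentials"
            + "&client_id=" + enc(CLIENT_ID)
            + "&client_secret=" + enc(CLIENT_SECRET)
            + "&scope=" + enc("https://outlook.office365.com/.default");
        HttpRequest req = HttpRequest.newBuilder(
                URI.create("https://login.microsoftonline.com/" + TENANT + "/oauth2/v2.0/token"))
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(body)).build();
        HttpResponse<String> resp = HttpClient.newHttpClient().send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) throw new IllegalStateException("token request failed: " + resp.body());
        var m = Pattern.compile("\"access_token\"\\s*:\\s*\"([^\"]+)\"").matcher(resp.body());
        if (!m.find()) throw new IllegalStateException("no access_token in response");
        return m.group(1); // minimal extraction; a real daemon should use a JSON library
    }
    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

    // The access token goes where the password used to; SASL XOAUTH2 must be selected explicitly.
    static int countUnread(String accessToken) throws Exception {
        Properties p = new Properties();
        p.put("mail.imaps.auth.mechanisms", "XOAUTH2"); // no fallback to plain/login with the token
        try (Store store = Session.getInstance(p).getStore("imaps")) {
            store.connect("outlook.office365.com", 993, MAILBOX, accessToken);
            try (Folder inbox = store.getFolder("INBOX")) {
                inbox.open(Folder.READ_ONLY);
                return inbox.getUnreadMessageCount();
            }
        }
    }
}
```

Access tokens from this flow expire (the response carries an expires_in value), so a polling daemon should request a fresh token when the current one is near expiry rather than caching it indefinitely.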