WeltonCraig-8105 asked AmoghShah-5154 published

Batch Java process (daemon) that polls office365 email accounts using OAUTH2 (javamail)

We have an existing standalone Java application that periodically connects to and monitors email accounts in Outlook 365. It is currently using BASIC authentication with IMAP and works great. I have been asked to change to MODERN authentication. With no Azure AD experience, I've been researching and trying to understand what the proper flow is from an app with no browser or interactive capability (a service). I created an application in Azure and set up the security grants, but I'm not understanding the proper sequence of calls and parameters to get the access token for OAuth2. Any help would be greatly appreciated.

thanks,
Craig

azure-ad-authentication, azure-ad-authentication-protocols

Hi, if the posted answer resolves your question, please mark it as the answer by clicking the check mark. Doing so helps others find answers to their questions.


Hi @WeltonCraig-8105 ,

I am also having the same use case, so how did you solve this?

ShwetaMathur answered WeltonCraig-8105 commented

Hi @WeltonCraig-8105

For daemon applications, the general recommendation is to use the OAuth 2.0 client credentials grant flow, which does not require immediate interaction with the user.

The steps to get the access token for OAuth 2.0 for daemon applications are as follows:

  1. Register your application in your Azure Active Directory tenant.

  2. In the Certificates & secrets page, in the Client secrets section, choose New client secret, create a key and save the value (this key value will not be displayed again).

  3. In API permissions, select the Application permissions from Microsoft Graph and select the right permissions needed for the application.

  4. Configure the project with the client ID, tenant ID and client secret in the project's configuration file.

  5. Send a POST request to the https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token endpoint with the request below to get the access token.
    grant_type = client_credentials
    scope = https://graph.microsoft.com/.default
    client_secret = secretValue (saved earlier)

  6. Now that you've acquired a token, use that access token (refresh token) to make requests to the resource.

Reference doc:
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
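As an added illustration of steps 4 to 6 above (not code from the question or from Microsoft's documentation, and in Python rather than the asker's Java, since the token endpoint is plain HTTP): the form body the client credentials grant needs, including the client_id from step 4 alongside the three values listed in step 5, response validation, and the renewal logic a polling daemon needs because this grant issues no refresh token. The tenant, client ID, secret and the sample JSON response are constructed placeholders.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
# Constructed sample of a successful v2.0 token response (not a real token).
SAMPLE_RESPONSE = b'{"token_type":"Bearer","expires_in":3599,"access_token":"eyJ.constructed.token"}'

def build_token_request(tenant, client_id, client_secret,
                        scope="https://graph.microsoft.com/.default"):
    """Return (url, body) for the client_credentials grant; body is form-encoded bytes."""
    params = {"grant_type": "client_credentials", "client_id": client_id,
              "client_secret": client_secret,  # never log or echo this value
              "scope": scope}  # ".default" = the application permissions consented in Azure
    return TOKEN_ENDPOINT.format(tenant=tenant), urllib.parse.urlencode(params).encode()

def post_form(url, body):
    """Real HTTP POST to the token endpoint (not exercised offline)."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()

def parse_token_response(raw, now=None):
    """Validate the JSON token response and return the token with an absolute expiry time."""
    now = time.time() if now is None else now
    data = json.loads(raw)
    if "error" in data:
        raise RuntimeError("%s: %s" % (data["error"], data.get("error_description", "")))
    if data.get("token_type", "").lower() != "bearer" or not data.get("access_token"):
        raise ValueError("unexpected token response")
    # No refresh token comes back from this grant: renewal means a fresh POST. Treat the
    # token as expired 60 s early so a poll never starts with one that dies mid-flight.
    return {"access_token": data["access_token"], "expires_at": now + int(data["expires_in"]) - 60}

class TokenProvider:
    """Caches one app-only token and re-requests it when it is about to expire."""
    def __init__(self, tenant, client_id, client_secret, fetch=post_form):
        self.request = (tenant, client_id, client_secret)
        self.fetch = fetch  # injectable so the caching logic can run offline
        self.cached = None

    def token(self, now=None):
        now = time.time() if now is None else now
        if self.cached is None or now >= self.cached["expires_at"]:
            url, body = build_token_request(*self.request)
            self.cached = parse_token_response(self.fetch(url, body), now)
        return self.cached["access_token"]
```

A daemon calls `TokenProvider(...).token()` before each poll and sends the returned value as the bearer credential; the provider only hits the endpoint again once the cached token is within a minute of expiry.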


Hi ShwetaMathur,

I really appreciate your answer. That was the original route I attempted when trying to solve the problem. Unfortunately, the client credentials grant flow is not supported for IMAP. Below is from https://docs.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth#authenticate-connection-requests

OAuth access to IMAP, POP, SMTP AUTH protocols via OAuth2 client credentials grant flow is not supported. If your application needs persistent access to all mailboxes in a Microsoft 365 organization, we recommend that you use the Microsoft Graph APIs which allow access without a user, enable granular permissions and let administrators scope such access to a specific set of mailboxes.

It's here where I get lost.

thanks
Craig
