MahendraBaghel-4666 asked GlenScales-6756 commented

Access to Office365 mailbox for a Java application

We are using the Java Mail API to read an unattended mailbox from Office 365. I have been told the default access will no longer be available and we have to use the OAuth2 APIs from Microsoft. We only want to access a couple of unattended mailboxes from our cloud domain. How do we register the app (permissions), and is there Java sample code available for the same?

Tags: office-sharepoint-online, microsoft-graph-mail

GlenScales-6756 answered MahendraBaghel-4666 commented

If you're using Java Mail, this would be using IMAP for connectivity; the client credentials flow https://docs.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth, which is what you would typically use for unattended access, isn't currently supported (it will probably be supported at some point in the future).

So you have a couple of options. The first would be to switch to using the Graph API https://github.com/microsoftgraph/msgraph-sdk-java, which does support using the client credentials flow; it's a bit more work but should generally offer a better and more secure solution going forward. The other solution would be to look at using the ROPC OAuth flow https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc, which essentially means you have a set of credentials, obtain an access token for those credentials, and apart from https://javaee.github.io/javamail/OAuth2 that should be all you need to do. Some of the downsides of using the ROPC flow are that you can't have MFA enabled on the account being used and you also can't have any conditional access policies.

For IMAP the only permission you need is https://outlook.office.com/IMAP.AccessAsUser.All (you'll find the permissions themselves under the Graph API), and the registration needs to be done in the Azure Portal https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app; to allow the ROPC flow you need to set the application registration to allow public flows.
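The two steps this answer describes (obtain a token for a set of credentials with the ROPC flow, then hand it to JavaMail as an XOAUTH2 credential) put together as an added example. This is not code from the answer above or from either project; it assumes MSAL for Java (`com.microsoft.aad.msal4j`) and JavaMail 1.6 (`javax.mail`) on the classpath, placeholder tenant and client IDs from your own app registration, the mailbox credentials in environment variables, and `outlook.office365.com:993` as the Office 365 IMAP endpoint.

```java
import com.microsoft.aad.msal4j.IAuthenticationResult;
import com.microsoft.aad.msal4j.PublicClientApplication;
import com.microsoft.aad.msal4j.UserNamePasswordParameters;

import javax.mail.Folder;
import javax.mail.Session;
import javax.mail.Store;
import java.net.MalformedURLException;
import java.util.Arrays;
import java.util.Collections;
import java.util.Properties;
import java.util.Set;

public class Office365ImapOAuth {

    // Placeholders: take these from your own app registration in the Azure portal.
    private static final String TENANT_ID = "<your-tenant-id>";
    private static final String CLIENT_ID = "<your-client-id>";
    private static final String AUTHORITY = "https://login.microsoftonline.com/" + TENANT_ID + "/";

    // The delegated permission named in the answer; it needs admin consent once,
    // otherwise the token request fails with AADSTS65001.
    private static final Set<String> SCOPES =
            Collections.singleton("https://outlook.office.com/IMAP.AccessAsUser.All");

    /**
     * Step 1 (ROPC): exchange the mailbox credentials for an access token.
     * No client secret is involved; the registration must allow public client flows.
     * MSAL recognises a federated account and performs the federation exchange itself.
     * Note that the raw password travels to the token endpoint, which is why MFA and
     * conditional access cannot protect this account.
     */
    static String acquireAccessToken(String username, char[] password) throws MalformedURLException {
        PublicClientApplication app = PublicClientApplication.builder(CLIENT_ID)
                .authority(AUTHORITY)
                .build();
        UserNamePasswordParameters params =
                UserNamePasswordParameters.builder(SCOPES, username, password).build();
        IAuthenticationResult result = app.acquireToken(params).join();
        return result.accessToken();
    }

    /**
     * Step 2 (JavaMail): the access token is passed where the password would go, and the
     * auth mechanism is pinned to XOAUTH2 so no basic-auth attempt is ever made.
     */
    static Store connectImap(String username, String accessToken) throws Exception {
        Properties props = new Properties();
        props.put("mail.imap.ssl.enable", "true");
        props.put("mail.imap.auth.mechanisms", "XOAUTH2");
        Session session = Session.getInstance(props);
        Store store = session.getStore("imap");
        store.connect("outlook.office365.com", 993, username, accessToken);
        return store;
    }

    public static void main(String[] args) throws Exception {
        String username = System.getenv("MAILBOX_USER");      // UPN of the unattended mailbox
        char[] password = System.getenv("MAILBOX_PASSWORD").toCharArray();
        String token;
        try {
            token = acquireAccessToken(username, password);
        } finally {
            Arrays.fill(password, '\0');                       // do not keep the secret in memory
        }

        Store store = connectImap(username, token);
        try {
            Folder inbox = store.getFolder("INBOX");
            inbox.open(Folder.READ_ONLY);
            System.out.println("Unread messages: " + inbox.getUnreadMessageCount());
            inbox.close(false);
        } finally {
            store.close();
        }
    }
}
```

The token is short-lived, so a long-running reader should call `acquireAccessToken` again (or MSAL's silent acquisition against its token cache) before each reconnect rather than reusing one token indefinitely.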


Hi Glen,

We are using a federated AD (our organization AD is syncing with Azure AD). Can we still use ROPC? We want to give access to the app only to specific accounts and not all the users. What permissions should we select while registering the application? Also, do we need to set up secrets for the app? The problem is that the documentation on MS is all over the place and it is hard to understand any step-by-step method.

Mahendra

GlenScales-6756 replied to MahendraBaghel-4666:

It will still work in a federated environment if you have active authentication enabled (most federation servers offer active auth; some really secure environments may limit its access, but not usually). If you use the Microsoft Authentication Library https://github.com/AzureAD/microsoft-authentication-library-for-java it will detect that the account is federated, make the necessary request to the active endpoint, and then do the exchange of the SAML assertion for an Office 365 access token for you.


Hi @MahendraBaghel-4666 ,
Does GlenScales-6756's answer help you? I am checking to see how things are going there on this issue.


Hi RaytheonXie,

A step further but not all the way. I will put the code when I am done.

Thanks,

Mahendra

MahendraBaghel-4666 answered GlenScales-6756 commented

Hi Glen,

I followed the instructions. I am stuck in two places. I can get an authentication token with the "user.read" scope without the secret. When I add the scope IMAP.AccessAsUser.All, it throws "error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID '<xxxxxxxxx>'". Do I have to send the app secret?

Thanks,

Mahendra


The permission IMAP.AccessAsUser.All requires that an admin consents to it in your application registration (user.read doesn't require that level of consent) https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent. This only needs to be done once, but it won't work without it.
