Exchange 365: IMAP with OAUTH2

Requires UM 7.49.0 or newer.

Go to https://portal.azure.com and select Azure Active Directory (now called Microsoft Entra ID):

Copy the Tenant ID which will be your tenant_id:

Open App registrations, click New registration and enter a meaningful Name:

Click Register to proceed.

Copy the Application (client) ID which will be your client_id:


Open API permissions and click Add a permission:

Go to APIs my organization uses and select Office 365 Exchange Online:

Click Application permissions and check IMAP / IMAP.AccessAsApp:

Click Add permissions to proceed.

Click Grant admin consent for <Your Tenant>:

Open Certificates & secrets and click New client secret:

Enter a Description and choose an appropriate Expires setting. Finish by clicking Add.

Copy the secret’s Value since it will not be displayed again after this step. This will be your client_secret:

Switch over to Enterprise applications:

Select your newly created Application from the list.

Copy the Object ID which will be your enterprise_object_id:

IDs and secrets

By now, you should have collected the following IDs and secrets:

Placeholder           Description / source
--------------------  --------------------------------------------------------------
tenant_id             Tenant ID of your Azure AD tenant (see above)
client_id             Application (client) ID of the app registration (see above)
client_secret         Value of the client secret (see above; shown only once)
enterprise_object_id  Object ID of the enterprise application (see above)
mailbox_name          The name (= primary email address) of the mailbox in question.

Windows PowerShell

Now, open Windows PowerShell and install the necessary modules:

Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement

Connect to Exchange Online using an administrative account:

Connect-ExchangeOnline -Organization <tenant_id>

Create a new Service Principal:

New-ServicePrincipal -AppId <client_id> -ServiceId <enterprise_object_id> -Organization <tenant_id>

Grant Mailbox Permission to the newly created Service Principal with Add-MailboxPermission:

mailbox_name is the name (= primary email address) of the mailbox you want to read from. The Service Principal only gets access to the mailboxes you grant here; IMAP.AccessAsApp alone does not open any mailbox.
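The complete PowerShell procedure from the steps above in one script, as an added example (not part of the original UM documentation). The mailbox address is an assumed sample value; replace it and the placeholders with the IDs and secret collected earlier. The Add-MailboxPermission call uses the service principal's Object ID as -User and grants FullAccess, which is the form Microsoft documents for IMAP OAuth2 access; the Get-ServicePrincipal and Get-MailboxPermission checks are additions so the script can be re-run safely and so you can verify the result.

```powershell
# Added example: complete Exchange Online setup for UM's IMAP OAuth2 access.
# Values below are placeholders / assumed samples, not real identifiers.
$tenant_id            = '<tenant_id>'
$client_id            = '<client_id>'
$enterprise_object_id = '<enterprise_object_id>'
$mailbox_name         = 'bounces@example.com'   # assumed sample mailbox (= primary email address)

# Install the module once; Import it in every new session.
if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
    Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser
}
Import-Module ExchangeOnlineManagement

# Interactive sign-in with an administrative account of the tenant.
Connect-ExchangeOnline -Organization $tenant_id

# Register the app as a Service Principal in Exchange Online (skip if it already exists).
# Note: recent versions of the module document this parameter as -ObjectId instead of -ServiceId.
if (-not (Get-ServicePrincipal -Identity $enterprise_object_id -ErrorAction SilentlyContinue)) {
    New-ServicePrincipal -AppId $client_id -ServiceId $enterprise_object_id -Organization $tenant_id
}

# Grant the Service Principal access to exactly this mailbox. Without this step the IMAP
# login later fails with "BAD User is authenticated but not connected".
Add-MailboxPermission -Identity $mailbox_name -User $enterprise_object_id -AccessRights FullAccess

# Verify: the Service Principal should now appear with FullAccess on the mailbox.
Get-MailboxPermission -Identity $mailbox_name |
    Where-Object { $_.AccessRights -contains 'FullAccess' } |
    Format-Table User, AccessRights -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Keep the mailbox grant as narrow as possible: the application permission IMAP.AccessAsApp applies to the whole tenant, so the Add-MailboxPermission entries are the only thing limiting which mailboxes UM (or anyone holding the client secret) can read.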

UM configuration

Edit your cmsbs-conf/cmsbs.properties (or cmsbs-conf/conf.d/*.properties) and add the following settings. Remember to substitute all contained placeholders.

(See also https://downloads.universal-messenger.de/knowledge-base/documentation/universal-messenger/html/UM_EN/Developer/Bounce_management_configuration.html)

Please keep in mind that the Client secret you created earlier has an expiration date.

You will have to create a new one and change your UM configuration accordingly at some point in the future. Also treat the properties file as a credential store: anyone who can read client_secret can read every mailbox the Service Principal was granted.

Sources and further reading

Problem solving

BAD User is authenticated but not connected

The IMAP server accepted the OAuth2 token (the app registration and consent are fine) but refuses to attach the mailbox. You probably forgot to Add-MailboxPermission for the inbox in question.
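To tell a token problem from a missing mailbox permission, it helps to reproduce UM's login outside of UM. The script below is an added example (not part of the original UM documentation or of UM itself): it requests a client-credentials token for the Exchange Online resource and performs a SASL XOAUTH2 AUTHENTICATE against outlook.office365.com:993, which is the standard Exchange Online IMAP endpoint and is assumed to be what UM connects to. The placeholder values are the same ones used in the configuration above.

```powershell
# Added example: check the collected IDs/secret and the mailbox grant without UM.
function Get-ImapAccessToken {
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret)
    # OAuth2 client-credentials flow. The scope is the Exchange Online resource,
    # not a Graph scope; an expired or wrong secret fails here (HTTP 401, invalid_client).
    $body = @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://outlook.office365.com/.default'
        grant_type    = 'client_credentials'
    }
    $resp = Invoke-RestMethod -Method Post -ContentType 'application/x-www-form-urlencoded' `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body $body
    return $resp.access_token
}

function Test-ImapXoauth2Login {
    param([string]$Mailbox, [string]$AccessToken, [string]$Server = 'outlook.office365.com')
    # SASL XOAUTH2 initial client response: "user=<mailbox>^Aauth=Bearer <token>^A^A", base64-encoded.
    $ctrlA = [string][char]1
    $raw   = 'user={0}{1}auth=Bearer {2}{1}{1}' -f $Mailbox, $ctrlA, $AccessToken
    $sasl  = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($raw))

    $tcp = New-Object System.Net.Sockets.TcpClient($Server, 993)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($Server)          # implicit TLS; certificate validation stays at defaults
    $reader = New-Object System.IO.StreamReader($ssl, [Text.Encoding]::ASCII)
    $writer = New-Object System.IO.StreamWriter($ssl, [Text.Encoding]::ASCII)
    $writer.AutoFlush = $true
    $writer.NewLine   = "`r`n"
    try {
        $null = $reader.ReadLine()              # "* OK ..." server greeting
        $writer.WriteLine("A1 AUTHENTICATE XOAUTH2 $sasl")
        do {
            $line = $reader.ReadLine()
            if ($null -eq $line) { throw 'Connection closed during AUTHENTICATE' }
            # On failure the server may first send a "+ <base64 JSON>" continuation;
            # an empty line acknowledges it, after which the tagged reply follows.
            if ($line.StartsWith('+')) { $writer.WriteLine('') }
        } until ($line -like 'A1 *')
        $writer.WriteLine('A2 LOGOUT')
        return $line                            # the tagged AUTHENTICATE reply
    } finally {
        $tcp.Close()
    }
}

$token = Get-ImapAccessToken -TenantId '<tenant_id>' -ClientId '<client_id>' -ClientSecret '<client_secret>'
Test-ImapXoauth2Login -Mailbox '<mailbox_name>' -AccessToken $token
```

Read the tagged reply: "A1 OK ..." means the values in your UM configuration work; "A1 BAD User is authenticated but not connected" is the case described above (token fine, Add-MailboxPermission missing for that mailbox); a tagged "A1 NO ..." means the token itself was not accepted, so check tenant_id, client_id, the IMAP.AccessAsApp permission and its admin consent. If Get-ImapAccessToken already throws, the client secret is wrong or has expired.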