
Requires UM 7.49.0 or newer.

Go to https://portal.azure.com and select Azure Active Directory:

Copy the Tenant ID which will be your tenant_id:

Open App registrations, click New registration and enter a meaningful Name:

Click Register to proceed.

Copy the Application (client) ID which will be your client_id:

Open API permissions and click Add a permission:

Go to APIs my organization uses and select Office 365 Exchange Online:

Click Application permissions and check IMAP / IMAP.AccessAsApp:

Click Add permissions to proceed.

Click Grant admin consent for <Your Tenant>:

Open Certificates & secrets and click New client secret:

Enter a Description and choose an appropriate Expires setting. Finish by clicking Add.

Copy the secret’s Value since it will not be displayed again after this step. This will be your client_secret:

Switch over to Enterprise applications:

Select your newly created Application from the list.

Copy the Object ID which will be your enterprise_object_id:

IDs and secrets

By now, you should have collected the following IDs and secrets:

| Placeholder | Description / source |
|---|---|
| tenant_id | See above |
| client_id | See above |
| client_secret | See above |
| enterprise_object_id | See above |
| mailbox_name | The name (= primary email address) of the mailbox in question. |

Windows PowerShell

Now, open Windows PowerShell and install the necessary modules:

Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement

Connect to Exchange Online using an administrative account:

Connect-ExchangeOnline -Organization <tenant_id>

Create a new Service Principal:

New-ServicePrincipal -AppId <client_id> -ServiceId <enterprise_object_id> -Organization <tenant_id>

Grant Mailbox Permission to the newly created Service Principal:

Add-MailboxPermission -Identity <mailbox_name> -User <enterprise_object_id> -AccessRights FullAccess

mailbox_name is the name (= primary email address) of the mailbox you want to read from.

UM configuration

Edit your cmsbs-conf/cmsbs.properties (or cmsbs-conf/conf.d/*.properties) and add the following settings. Remember to substitute all contained placeholders.

cmsbs.mail.imap.server                = outlook.office365.com
cmsbs.mail.imap.port                  = 993
cmsbs.mail.imap.ssl                   = true
cmsbs.mail.imap.user                  = <mailbox_name>
cmsbs.mail.imap.authenticationMethod  = oauth2
cmsbs.mail.imap.oauth2.accessTokenUri = https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token
cmsbs.mail.imap.oauth2.clientId       = <client_id>
cmsbs.mail.imap.oauth2.clientSecret   = <client_secret>
cmsbs.mail.imap.oauth2.scope          = https://outlook.office.com/.default
cmsbs.mail.imap.oauth2.grantType      = client_credentials
cmsbs.mail.imap.oauth2.debug          = true

(See also https://downloads.universal-messenger.de/knowledge-base/documentation/universal-messenger/html/UM_EN/Developer/Bounce_management_configuration.html)

Please keep in mind that the client secret you created earlier has an expiration date.

You will have to create a new one and change your UM configuration accordingly at some point in the future.

Problem solving

BAD User is authenticated but not connected

2022-09-06 08:59:22,274 [InboxListener(default)[imap:xxx@yyy.onmicrosoft.com@outlook.office365.com:993,ssl,oauth2]] ERROR pinuts.Syslog: Could not connect to imap server!
javax.mail.MessagingException: A3 BAD User is authenticated but not connected.

You probably forgot to Add-MailboxPermission for the inbox in question.
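
To check the app registration and the mailbox permission independently of UM, the following added example (not part of the original page or of Universal Messenger) performs the same client_credentials token request and XOAUTH2 IMAP login that the settings above describe. It assumes the access token is a JWT that lists application permissions in its roles claim; the UM_* environment variable names are hypothetical.

```python
import base64, imaplib, json, os
import urllib.parse, urllib.request

def token_request(tenant_id, client_id, client_secret):
    """Build the client_credentials POST described by the oauth2.* settings above."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret,
            "scope": "https://outlook.office.com/.default"}
    return urllib.request.Request(url, data=urllib.parse.urlencode(form).encode())

def jwt_claims(access_token):
    """Decode the JWT payload for inspection only; the signature is not verified."""
    payload = access_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def has_imap_app_role(access_token):
    """Assumption: application permissions are listed in the token's 'roles' claim."""
    return "IMAP.AccessAsApp" in jwt_claims(access_token).get("roles", [])

def xoauth2(mailbox_name, access_token):
    """SASL XOAUTH2 initial response; imaplib base64-encodes it before sending."""
    return f"user={mailbox_name}\x01auth=Bearer {access_token}\x01\x01".encode()

def check_mailbox(tenant_id, client_id, client_secret, mailbox_name):
    """Fetch a token, then log in to the mailbox read-only and report the result."""
    req = token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(req, timeout=30) as resp:
        token = json.load(resp)["access_token"]
    if not has_imap_app_role(token):
        return "token lacks IMAP.AccessAsApp: check API permissions and admin consent"
    imap = imaplib.IMAP4_SSL("outlook.office365.com", 993)
    try:
        imap.authenticate("XOAUTH2", lambda _challenge: xoauth2(mailbox_name, token))
        imap.select("INBOX", readonly=True)
        return "ok: token accepted and INBOX opened read-only"
    except imaplib.IMAP4.error as exc:
        # e.g. "BAD User is authenticated but not connected": mailbox permission missing
        return f"IMAP server rejected the session: {exc}"
    finally:
        imap.shutdown()  # close the socket even if the server already dropped us

if __name__ == "__main__":
    # Hypothetical variable names; keeps the secret out of the command line.
    names = ("UM_TENANT_ID", "UM_CLIENT_ID", "UM_CLIENT_SECRET", "UM_MAILBOX_NAME")
    values = [os.environ.get(n) for n in names]
    print(check_mailbox(*values) if all(values) else f"set {', '.join(names)} first")
```

A rejected client secret surfaces as an HTTP error from the token endpoint before any IMAP connection is attempted.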
