Exchange 365: IMAP with OAUTH2
Requires UM 7.49.0 or newer.
Go to and select Azure Active Directory:
Copy the Tenant ID; this will be your tenant_id.
Open App registrations, click New registration and enter a meaningful Name:
Click Register to proceed.
Copy the Application (client) ID; this will be your client_id.
Open API permissions and click Add a permission:
Go to APIs my organization uses and select Office 365 Exchange Online:
Click Application permissions and check IMAP / IMAP.AccessAsApp:
Click Add permissions to proceed.
Click Grant admin consent for <Your Tenant>:
Open Certificates & secrets and click New client secret:
Enter a Description and choose an appropriate Expires setting. Finish by clicking Add.
Copy the secret's Value right away, since it will not be displayed again after this step. This will be your client_secret.
Switch over to Enterprise applications:
Select your newly created Application from the list.
Copy the Object ID; this will be your enterprise_object_id. Note that this is the Object ID of the enterprise application (the service principal), which is not the same value as the Object ID shown on the app registration's Overview page.
IDs and secrets
By now, you should have collected the following IDs and secrets:
| Placeholder | Description / source |
| --- | --- |
| tenant_id | See above (Tenant ID of your Azure AD tenant) |
| client_id | See above (Application (client) ID of the app registration) |
| client_secret | See above (Value of the client secret) |
| enterprise_object_id | See above (Object ID of the enterprise application) |
| mailbox_name | The name (= primary email address) of the mailbox in question. |
Windows PowerShell
Now, open Windows PowerShell and install the necessary module:
Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
Connect to Exchange Online using an administrative account:
Connect-ExchangeOnline -Organization <tenant_id>
Create a new Service Principal:
New-ServicePrincipal -AppId <client_id> -ServiceId <enterprise_object_id> -Organization <tenant_id>
Grant Mailbox Permission to the newly created Service Principal:
Add-MailboxPermission -Identity <mailbox_name> -User <enterprise_object_id> -AccessRights FullAccess
<mailbox_name> is the name (= primary email address) of the mailbox you want to read from.
UM configuration
Edit your cmsbs-conf/ (or cmsbs-conf/conf.d/*.properties) and add the following settings. Remember to substitute all contained placeholders.
cmsbs.startbounce = true
cmsbs.mail.imap.server =
cmsbs.mail.imap.port = 993
cmsbs.mail.imap.ssl = true
cmsbs.mail.imap.user = <mailbox_name>
cmsbs.mail.imap.authenticationMethod = oauth2
cmsbs.mail.imap.oauth2.accessTokenUri =<tenant_id>/oauth2/v2.0/token
cmsbs.mail.imap.oauth2.clientId = <client_id>
cmsbs.mail.imap.oauth2.clientSecret = <client_secret>
cmsbs.mail.imap.oauth2.scope =
cmsbs.mail.imap.oauth2.grantType = client_credentials
cmsbs.mail.imap.oauth2.debug = true
Please keep in mind that the client secret you created earlier has an expiration date.
At some point in the future you will have to create a new one and change cmsbs.mail.imap.oauth2.clientSecret in your UM configuration accordingly.
Problem solving
BAD User is authenticated but not connected
2022-09-06 08:59:22,274 [InboxListener(default)[,ssl,oauth2]] ERROR pinuts.Syslog: Could not connect to imap server!
javax.mail.MessagingException: A3 BAD User is authenticated but not connected.
The token was accepted (the service principal is authenticated), but it has no rights on the mailbox. You probably forgot to run Add-MailboxPermission for the mailbox in question.
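To verify the IDs, secret and mailbox permission outside of UM, the following Python script runs the same client_credentials flow as the UM configuration above, authenticates to IMAP with XOAUTH2 and selects INBOX. It is an added example written for this page, not code from UM or from the page's author. It uses the same placeholders as the page (tenant_id, client_id, client_secret, mailbox_name); the token endpoint, the scope and the IMAP host are Microsoft's documented values for this flow, and the error classification in classify_imap_error is this example's own heuristic that tells a token problem apart from the "User is authenticated but not connected" error described above.

```python
"""Stand-alone check of an Exchange Online IMAP/OAuth2 (client_credentials) setup.

Added example for this page; not part of UM. Network access is only needed
by fetch_access_token() and check_mailbox(); the helpers are pure functions.
"""
import imaplib
import json
import ssl
import urllib.parse
import urllib.request

# Microsoft's documented endpoints for client_credentials + IMAP XOAUTH2.
TOKEN_URL = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
SCOPE = "https://outlook.office365.com/.default"
IMAP_HOST = "outlook.office365.com"
IMAP_PORT = 993


def token_request(tenant_id, client_id, client_secret):
    """Return (url, form-encoded body) of the client_credentials token request."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SCOPE,
        "grant_type": "client_credentials",
    })
    return TOKEN_URL.format(tenant_id=tenant_id), body


def fetch_access_token(tenant_id, client_id, client_secret):
    """POST the token request and return the bearer access token (needs network)."""
    url, body = token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def xoauth2_initial_response(user, access_token):
    """SASL XOAUTH2 initial client response: user=..^Aauth=Bearer ..^A^A (bytes)."""
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode()


def classify_imap_error(message):
    """Map an imaplib error text to what a UM admin should check next."""
    text = message.lower()
    if "authenticated but not connected" in text:
        return "mailbox-permission"   # token accepted; Add-MailboxPermission missing
    if "authenticate" in text:
        return "token"                # tenant/client/secret/scope/consent problem
    return "other"


def check_mailbox(tenant_id, client_id, client_secret, mailbox_name):
    """Return 'ok' when INBOX can be selected, else a classify_imap_error() result."""
    token = fetch_access_token(tenant_id, client_id, client_secret)

    def auth(challenge):
        # Empty first challenge: send the credentials. A non-empty challenge
        # carries the server's error JSON; returning None makes imaplib abort.
        return xoauth2_initial_response(mailbox_name, token) if not challenge else None

    conn = imaplib.IMAP4_SSL(IMAP_HOST, IMAP_PORT,
                             ssl_context=ssl.create_default_context(), timeout=30)
    try:
        conn.authenticate("XOAUTH2", auth)      # raises IMAP4.error on NO/BAD
        conn.select("INBOX", readonly=True)     # raises IMAP4.error on BAD
    except imaplib.IMAP4.error as exc:
        return classify_imap_error(str(exc))
    finally:
        try:
            conn.logout()
        except imaplib.IMAP4.error:
            pass
    return "ok"


if __name__ == "__main__":
    import sys
    # usage: python check_imap_oauth2.py <tenant_id> <client_id> <client_secret> <mailbox_name>
    print(check_mailbox(*sys.argv[1:5]))
```

A result of "mailbox-permission" means the token is fine and the fix is the Add-MailboxPermission step from the PowerShell section; "token" points at the app registration, secret, scope or admin consent instead. Treat the client secret passed on the command line as sensitive (it lands in shell history), and prefer reading it from an environment variable on shared hosts.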