techsneeze/dmarcts-report-parser

IMAP - Microsoft Exchange Online basic auth deprecation

Closed this issue · 7 comments

rtuk commented

With the deprecation of basic auth for Exchange Online by Microsoft (https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online) the IMAP option is most likely not going to work anymore.

What would be the best way to still use this with an Exchange Online account?

You probably got it working already, but I'll post my solution here in case anyone else is looking for one.

In dmarcts-report-parser.pl:

  1. I got the token with curl, so I added `WWW::Curl::Easy` and `JSON` to `use`; you can use `Net::OAuth2` or whatever else you're comfortable with.
  2. Add `$imapoauth`, `$client_id`, `$client_secret`, `$grant_type`, `$scope`, `$site` to the `our` definition at the beginning.
  3. Just after the `# Setup connection to IMAP server.` comment, define `my $imap`; after that add an `if ($imapoauth == 1){}` and put the original define in an `else{}` (don't forget to remove `my` from the original).
  4. In the `if` you added, put the following (if you're using something other than curl, change the token-getting part):
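```perl
# Requires WWW::Curl::Easy, JSON and MIME::Base64 (for encode_base64) to be loaded with `use`.
# Request an access token from the token endpoint (client credentials grant).
# The values are sent as-is; a secret containing & or + needs URL-encoding first.
my $curl = WWW::Curl::Easy->new;
$curl->setopt(CURLOPT_URL, $site);
my $response_body;
$curl->setopt(CURLOPT_WRITEDATA,\$response_body);
$curl->setopt(CURLOPT_POST, 1);
$curl->setopt(CURLOPT_POSTFIELDS, "client_id=$client_id&client_secret=$client_secret&grant_type=$grant_type&scope=$scope");
my $retcode = $curl->perform;
die "Token request failed: " . $curl->strerror($retcode) . "\n" if $retcode != 0;
my $token = JSON->new->decode($response_body)->{"access_token"}
  or die "No access_token in token endpoint response\n";
# SASL XOAUTH2 string: user=<mailbox>^Aauth=Bearer <token>^A^A, base64-encoded without line breaks.
my $oauth_sign = encode_base64("user=".$imapuser."\x01auth=Bearer $token\x01\x01", '');
# Connect without User/Password so no basic-auth login is attempted, then authenticate with the token.
$imap = Mail::IMAPClient->new( Server => $imapserver,
        Port => $imapport,
        Ssl => $imapssl,
        Starttls => $imapopt,
        Debug => $debug,
        Socketargs => $socketargs,
        IgnoreSizeErrors => 1)
or die "IMAP Failure: $@";
$imap->authenticate('XOAUTH2', sub { return $oauth_sign }) or die("Auth error: ". $imap->LastError);
```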

In dmarcts-report-parser.conf add:

```perl
$imapoauth = 1;

$client_id='your-client_id';
$client_secret='your-client_secret';

$grant_type='client_credentials';
$scope='https://outlook.office365.com/.default';
$tenant_id='your-tenant_id';
$site="https://login.microsoftonline.com/$tenant_id/oauth2/v2.0/token";
```
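
An added example (not part of the comment above or of the project's code), using only core Perl modules: it checks the token endpoint's response before building the XOAUTH2 string that the snippet passes to `authenticate`, so a rejected token request or a token for the wrong audience is reported as such rather than as a generic IMAP auth error. The helper names, the mailbox `dmarc@example.com` and the expected audience (taken as `$scope` without `/.default`) are assumptions, and the sample token is constructed.

```perl
use strict;
use warnings;
use JSON::PP qw(decode_json encode_json);
use MIME::Base64 qw(encode_base64 decode_base64);

# Decode the claims segment of a JWT for diagnostics only (signature NOT verified).
sub jwt_claims {
    my ($token) = @_;
    my @parts = split /\./, $token;
    die "access token is not a three-part JWT\n" unless @parts == 3;
    (my $b64 = $parts[1]) =~ tr{-_}{+/};            # base64url -> base64
    $b64 .= '=' x ((4 - length($b64) % 4) % 4);     # restore stripped padding
    return decode_json(decode_base64($b64));
}

# Turn a token-endpoint response body into the base64 SASL XOAUTH2 string,
# failing early with a specific message instead of a generic IMAP auth error.
sub xoauth2_from_response {
    my ($body, $imapuser, $want_aud) = @_;
    my $resp = eval { decode_json($body) };
    die "token endpoint did not return a JSON object\n" unless ref $resp eq 'HASH';
    die "token request failed: $resp->{error}: "
        . ($resp->{error_description} // '') . "\n" if $resp->{error};
    my $token = $resp->{access_token} // die "no access_token in response\n";
    my $claims = jwt_claims($token);
    my $aud = $claims->{aud} // '(none)';
    die "token audience is '$aud', expected '$want_aud'\n" unless $aud eq $want_aud;
    die "token has already expired\n" if ($claims->{exp} // 0) <= time;
    die "mailbox name contains control characters\n" if $imapuser =~ /[\x00-\x1f]/;
    return encode_base64("user=$imapuser\x01auth=Bearer $token\x01\x01", '');
}

# --- Constructed sample data: an unsigned JWT with made-up claims, not a real token.
sub b64url { (my $s = encode_base64($_[0], '')) =~ tr{+/}{-_}; $s =~ s/=+\z//; return $s }
my $aud  = 'https://outlook.office365.com';   # assumed: $scope without "/.default"
my $jwt  = join '.', b64url('{"alg":"none"}'),
                     b64url(encode_json({ aud => $aud, exp => time + 3600 })), 'sig';
my $good = encode_json({ token_type => 'Bearer', access_token => $jwt });
my $bad  = '{"error":"invalid_client","error_description":"constructed example"}';

print "XOAUTH2 string: ", xoauth2_from_response($good, 'dmarc@example.com', $aud), "\n";
eval { xoauth2_from_response($bad, 'dmarc@example.com', $aud) };
print "rejected: $@";
```

The returned string is a bearer credential for the mailbox until the token expires, so keep it out of logs and debug output.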

w-sec commented

Will @MatusGoc's solution be included in the code base? It would greatly help if you could do a PR.

@MatusGoc
Can you post your full dmarcts-report-parser.pl file where you have resolved the IMAP login issue?

Didn't want to do a PR because I made those changes on an earlier version of the file and reapplying them to the current version would be a pain. I might do a PR now.

My comments start with '#### ', so look for those or do a diff to see my changes.

dmarcts-report-parser.pl.txt

@MatusGoc,

I am getting an `Auth error: 1 NO AUTHENTICATE failed.` error. Can you let me know which permissions are required in the Azure app for it to work?

I believe that @MatusGoc's solution is what I'd recommend for now. Thanks for your solution!