How to connect to Office 365 with IMAP, Oauth2 and Client Credential Grant Flow

Captions
In the previous video I've shown how to use code flow authentication in OAuth2 to allow your ASP.NET application to ask for delegated permission by a user that connects to your application, clicks a link, gets redirected to your app, authorizes the app, and then your app can access the email of the user in an Office 365 account through IMAP and MimeKit with no problem. Now, to complete the example, I need to show you how to use a client credential flow, and basically this scenario should be simpler, because the client credential flow is really simpler in OAuth2: it does not use any user intervention, it's just a single POST request to the token endpoint and you get a token back. But it is really tricky to have it work, due to some problem with the API and some problem with PowerShell, so I'm going to show you how you can obtain and complete this scenario. As usual, the Microsoft link shows you almost everything you need to do, but it has very, very few details, so it left a lot of details outside of the article and you can feel a little bit lost.

So let's start from your Azure portal. I am in App registrations and I click New registration, and I select accounts in this organizational directory only. I call it "demo video" to give a name to the application, and then I register. Now I copy the client ID and I put it inside my application; I've actually used this application demo before, so I'm just going to change the client ID. Then you need to copy the tenant ID in the authority part, and then I need to generate the client secret, because this client secret belongs to a previous application. So I go to Certificates & secrets, New client secret, I call it "test" (give it any name you want), six months of duration, and I have the secret. You need to copy it right now, because if you navigate away from this page you don't have any other way to obtain it. I'm going to copy all the secret inside my application, and I'm almost done, because I now need to give permission to this application, and I need to give a different permission than in the previous example.

I'm now in the API permissions section, you see it on the left, and now I have only User.Read, which is the default permission, and then I need to add a permission. But this time I have a different path than in the previous example: instead of using Microsoft Graph I select "APIs my organization uses" and I search for Office 365 Exchange Online, because I need to give this application permission on Office 365. Then I need to select application permission and not a delegated permission, because I'm not using the code flow where a user authenticates and delegates your application to access an email address; I need the application to log in. So I click the application permission on the right and I search for IMAP, and I have IMAP.AccessAsApp, and I need to select it. Now there is a nice difference from the previous example, because you see that you have no granted permission for this application yet. This happens because this permission is a really special permission: this application is claiming that it wants to access the email of other users, so that's a special permission and you need to have explicit consent by an administrator. Since I'm already an administrator of this account, I can simply click this link, "Grant admin consent for Gian Maria" (it's my name); I can give the grant and then it's green and it's ready to go. If you're not an admin, you need to ask an admin of your tenant to click this button for you. And if you want to give access to another tenant, so this application is in tenant A and you want to access email on tenant B, there is an example in the link I gave you, this is the Microsoft guide: you need to give the administrator of the other tenant a link that you can compose using all the parameters that you know; the other administrator only needs to navigate to this link, click, and authorize the application. But in this example there's no problem, because the application is created in the same tenant as my Exchange where the email resides, so I have no problem. The application is complete; I don't need to do anything else on the application side.

Now begins the tricky part, because if you follow the article by Microsoft, you now look at the piece of PowerShell: you need to use New-ServicePrincipal, but there are a lot of things you need to know before you are able to use this command. So first of all, I've given you all the details. First of all, you need to have these three modules installed: so Install-Module ExchangeOnlineManagement with -AllowPrerelease; then you need to install AzureAD as usual, because you need to access your Azure AD account; and I've seen some articles that tell you that you need to have the Microsoft Graph module installed as well, and I'm not sure if this is needed, but I already had it installed for a previous example, so it is not a bad idea to install also this module. When you have all these three modules installed, you can open a PowerShell console. You open the PowerShell console (I'm going to make everything a little bit more readable) and then you start importing those two modules: so I'm importing AzureADPreview and... sorry, it's not correct, I need to Import-Module ExchangeOnlineManagement, and here we go. Now you can try to use New-ServicePrincipal, and usually you are greeted with this problem: the cmdlet is not found, and that's where I lost almost a couple of hours, maybe three hours, trying to understand where this cmdlet is. Let's see all the examples, so I can explain to you how you can use this. First of all, the first thing you need to do is connect to your Azure AD, so you Connect-AzureAD, and if you connect to Azure AD with this simple example you are prompted for a user. But if you, like me, have a lot of accounts, you need to specify which tenant you want to connect to, so it is good to use Connect-AzureAD with -TenantId, and you can use the tenant of your application. The tenant can be found in various parts of your portal, but if you are in your application it is the Directory (tenant) ID, so there's no problem.

Now that you have Connect-AzureAD and your tenant, you can go and connect; you will be prompted for a username. I can take the username from my password manager and I can now take my password from my password manager, and I'm signed in. Now I can use a simple Get-AzureADServicePrincipal -SearchString with my app name. This instruction, where you simply need to change the search string using your application, is needed to verify that you are connected to your application, to your correct tenant, and that you are able to look at, view, and interact with your application, which is now called "demo video". So I searched "demo video" and okay, it's okay, I have all the things I need. So actually what I need to do is finally create this new service principal. But before you are able to use New-ServicePrincipal (because, if you remember, if I now type New-ServicePrincipal it tells me that the cmdlet is not there), you need to connect to Exchange Online, and the syntax is very similar to Connect-AzureAD, only that the tenant option is now called -Organization. So I'm connecting to that organization; I've already logged in with the same user, so I can reuse the same user, and as you can see, when you connect to Exchange there's a little bit of a delay, so it's not instant, because it is now downloading the other cmdlets. So now you can New-ServicePrincipal, and now you have the cmdlet. So the game is: once you connect with the Connect-ExchangeOnline instruction from the ExchangeOnlineManagement module in prerelease, if your tenant is enabled, you have this cmdlet enabled. If you still get the error that the cmdlet is not defined, it's because your tenant is still not enabled, and that's where I lost a lot of time, because I didn't get it right; I needed to try all of my tenants, and I have this enabled only on one of my tenants, and this is a test tenant. So if you don't have this enabled, probably you need to wait a little bit more for your tenant to be enabled.

Once the cmdlet is loaded correctly and you can use it, you can proceed to the example. So, to avoid using and messing with the various IDs you need, you can reuse the same instruction as before with Get-AzureADServicePrincipal, but you can add a variable, and you can load your application and put it in a variable. This will make everything simpler, because now in my $app I have all the information of my application, so I can create the new service principal simply using this predefined string, where you are taking the right IDs, so you don't need to look for these parameters in the UI: you have this instruction and it's okay. Once everything is okay, you've actually created a user in your Exchange Online application that corresponds to the application you created. So the game here is: every application in Azure has an identity and a principal. A principal is like a user that can access some resources; it is part of role-based access control (RBAC), where you can give permission to a user or you can give permission to an application, because the application and the user have a corresponding principal, and it's the principal that asks for the authorization. But now you've created an application in Azure, and this application in Azure has no corresponding principal in the Exchange app, so this instruction, New-ServicePrincipal, which belongs to the Exchange cmdlets, allows you to connect your application ID and create a corresponding principal in your Exchange account that corresponds to this application. Now you can Add-MailboxPermission, because, hey, until now we didn't do anything to give permission to this application on an email. So if you try to connect with OAuth2 with this application, you can obtain a token, but this token has no right to access any user email, because this application has no permission. It's not possible to just create an application and have it read all the email of all the users of your tenant.

So you need to use this other cmdlet, Add-MailboxPermission, and I specified the -Identity, and as the -User I used the $myapp ObjectId, and I gave it FullAccess. This instruction practically tells Exchange Server: I've created a principal that is related to an Azure application; now give this app full access to this email folder, at campfire at blah blah blah blah. If everything goes right, okay, you have this returned AccessRights FullAccess, and this gives access to an email; you can give access to however many emails you want to that application. So, to recap the whole process: you've created the application, you've created the secret, you give the special IMAP access-as-app permission, you grant permission as an administrator to the AD app, and then you use PowerShell to create a corresponding principal in Exchange, so you can give this application access to one or more emails.

Now all you need to do is use a client credentials flow in OAuth2 to get a valid token, and I show you how easy it is. You have the very same application you saw in the previous video, web app test. After you set the same three parameters, the tenant ID, the client ID and the client secret, you can start the application, and when you start the application you are presented with a Swagger page. You can use the Office 365 get mail client flow; it's a new example. I press "Try it out" and I can specify an email address, so I need to specify an email address that my application has access to, such as this one; remember, I've already granted permission to this email previously, if not the application has no right to access this mailbox. Now I press Execute and I'm going into the code, and the code is really, really, really simpler than the previous example, because everything you need to do is create a POST request to the token endpoint passing only four parameters. grant_type must be equal to client_credentials; this tells the OAuth server that you are not creating a code authentication, so you are not using a user delegation. You simply specify a scope, a client secret and the ID of the client, and the server immediately returns: direct POST and direct return. So I go and create this: the request URL is grabbed with a call to a well-known endpoint, but it's standard, it's just v2.0/token appended to the authority, and it's very simple. After I've created the request, I need to add the first three keys. The only tricky part of this part is the scope, because I found articles on the internet that get this wrong, so you need, as always, to use the article that Microsoft had published a few days ago, because this article is the real article and you must use this scope. If you use a different scope (and I found articles on the internet that contain the wrong scope), you are pretty much in dead water, because you cannot access IMAP. So that's the only scope you need to ask for, and here you are, that's the scope. Now I simply create an HttpClient, I ask a token from the server, and the server responds with a simple JSON with the token and expire time. As you can see, we have a difference from the previous example, because I don't have a refresh token; there's no refresh token, and this is because this is not a delegated access. I use code that asks for a token given only the client ID and the password, which is the secret, so the server answers with a token that is valid for one hour and a half, and when the token is expired you just need to do the same request again. So there's no concept of a refresh token: the token will expire and you can request however many tokens you want, because you have no need for user interaction. This is a server-to-server communication, so this server is capable of creating a POST request to obtain the token; no user interaction is involved, so you can do it however many times you want while this secret is available.

Now I'm trying to verify that everything is okay, that the MimeKit library is able to access the IMAP folder. As usual, this is the moment of truth, when I try to AuthenticateAsync with the token, and let's see... okay, everything is okay. Now I create my raw XOAUTH2 token, because I want to show you taking this token, and I want to remind you that this is the XOAUTH2 token where I compose the user email with the original token, as in the previous example, as is described perfectly in the Microsoft document, in the section in which Microsoft explains how to create a SASL XOAUTH2 token. To verify this I can go to a Linux machine; I use openssl to directly connect to outlook.office365.com on port 993, and openssl takes care of all the TLS connection, so all the encryption, and I'm now connected to an Exchange IMAP server. So I can issue commands like CAPABILITY; it's the first command, it responds to me and it says that it has XOAUTH2; it still supports PLAIN, because PLAIN auth will be deprecated in October and it's still valid, but I have XOAUTH2 shown, so it's okay. I can issue the second command, and the command is AUTHENTICATE XOAUTH2, and then I simply pass my token and I press Enter, and okay, authenticate completed. That is really simple, and it verified that everything is okay.

Now, this scenario, if you take away all the PowerShell part that is really tricky because of a lack of information in the Microsoft article (because I think that it would be useful to have all these steps detailed as I did for you in this video), once you get it right, the OAuth part is really, really, really simple, because you just need to create a POST request with four parameters. It is really simple to do this even in PowerShell, so you can do this in any language you want, and it does not require client interaction; it is just server code that asks for a token and uses the token to access the IMAP library. Just take care of the token expiration date, because after one hour, one hour and a half, the token can expire, so you need to issue another POST request to get a new token. And that completes the example; I hope that this example is useful to you.
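The token POST and the SASL XOAUTH2 string described above, as an added Python example that is not the video's ASP.NET/MimeKit code: it builds the four-field client-credentials request against the v2.0 token endpoint, parses the token response (no refresh token, so the expiry is tracked for a repeat POST), and composes the payload sent after AUTHENTICATE XOAUTH2. The scope value and the payload layout are taken from Microsoft's documentation; the IDs, secret and token JSON are constructed placeholders.

```python
import base64
import imaplib
import json
import time
from urllib.parse import urlencode

# Constructed placeholder values: copy the real ones from the app registration.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
CLIENT_SECRET = "placeholder-client-secret"
# Resource scope for the IMAP.AccessAsApp application permission (Microsoft docs).
IMAP_SCOPE = "https://outlook.office365.com/.default"


def token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the client-credentials grant: one POST, four fields."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",   # not the authorization-code flow
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": IMAP_SCOPE,
    })
    return url, body

def parse_token_response(raw_json, now=None):
    """Return (access_token, expires_at); there is no refresh_token, so re-POST on expiry."""
    data = json.loads(raw_json)
    if data.get("token_type") != "Bearer" or "access_token" not in data:
        raise ValueError(f"token endpoint error: {data.get('error', 'unexpected response')}")
    now = time.time() if now is None else now
    # Renew a minute early instead of racing the expiry on the IMAP server.
    return data["access_token"], now + int(data["expires_in"]) - 60

def xoauth2_raw(user, access_token):
    """SASL XOAUTH2 payload: user=<mailbox>^Aauth=Bearer <token>^A^A (not yet base64)."""
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode()

def sasl_xoauth2(user, access_token):
    """Base64 form, i.e. what you paste after 'a AUTHENTICATE XOAUTH2' in an openssl session."""
    return base64.b64encode(xoauth2_raw(user, access_token)).decode()

def imap_login(user, access_token, host="outlook.office365.com", port=993):
    """Authenticate with imaplib over TLS (needs network; imaplib base64-encodes for us)."""
    conn = imaplib.IMAP4_SSL(host, port)
    conn.authenticate("XOAUTH2", lambda _challenge: xoauth2_raw(user, access_token))
    return conn
```

Only mailboxes that were granted to the app's Exchange service principal with Add-MailboxPermission will accept the login, whatever token the endpoint returns.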
Info
Channel: CodeWrecks
Views: 71,207
Keywords: oauth2, imap, office365
Id: bMYA-146dmM
Length: 20min 21sec (1221 seconds)
Published: Sat Aug 06 2022