Start using OAuth for Office 365 POP/IMAP authentication

Microsoft has disabled Basic authentication for most Exchange Online protocols. Microsoft has documented the requirements and configuration steps to use OAuth with POP/IMAP in Microsoft 365 in this article: Authenticate an IMAP, POP or SMTP connection using OAuth | Microsoft Docs. You’ll see details about the registration of the required Azure AD applications and the permissions required for the access token to give Exchange Online the authorization of the mailbox access request.

OAuth 2.0 Authentication

Microsoft 365 (formerly Office 365) supports two kinds of OAuth 2.0 authentication:

  • Delegated authentication is suitable for desktop, mobile or web applications with signed-in user present.
    This mode is described in detail in another article.
  • App-only authentication is suitable for services or daemons with no user present. Instead, these unattended applications authenticate using client secrets (application credentials) to receive an access token, which is then used to gain access to a mailbox using IMAP, POP3 or EWS protocols.
Configuring Microsoft 365
Register your application

In Azure Portal ⇒ expand the left menu ⇒ select Azure Active Directory ⇒ select App registrations ⇒ click + New registration. (Azure Portal is constantly evolving, so if you cannot find this page, use the search bar.)

Name your application, choose which kind of accounts are going to use it, and click Register.

Once you successfully register your application you can view its associated IDs. Some of them will be needed later to obtain an OAuth 2.0 token.

Set up client secret (application password)

In the left menu, select Certificates & secrets ⇒ click + New client secret.

Provide some description for this secret, choose expiration period, and click Add.

Immediately copy and save the newly created client secret’s Value (not Secret ID). You will not be able to view the Value later anymore.

Add app permissions

In the left menu, select API permissions ⇒ click + Add a permission.

Navigate to APIs my organization uses tab ⇒ type Office 365 Exchange in the search bar ⇒ click Office 365 Exchange Online entry.

Click Application permissions ⇒ type AccessAsApp ⇒ check IMAP.AccessAsApp and/or POP.AccessAsApp ⇒ click Add permissions.

The newly-added IMAP.AccessAsApp and POP.AccessAsApp permissions have to be approved by your organization’s administrator. Ask them to grant consent to your application by clicking Grant admin consent for [organization].

Add mailbox access permissions

Before you proceed, make sure you have AzureAD and ExchangeOnlineManagement PowerShell modules installed. If not then run the commands below to install them.


Install-Module -Name AzureAD
Install-Module -Name ExchangeOnlineManagement


Next we need to fetch the principal ID for the application we just created using the Azure Portal. Fill in the App ID and Tenant Id and run the following:


Import-module AzureAD
Connect-AzureAd -Tenant $TenantId
($Principal = Get-AzureADServicePrincipal -filter "AppId eq '$AppId'")
$PrincipalId = $Principal.ObjectId


Now we need to register the service principal for your application


$DisplayName = "Service Principal for IMAP/POP3"
Import-module ExchangeOnlineManagement
Connect-ExchangeOnline -Organization $TenantId
New-ServicePrincipal -AppId $AppId -ServiceId $PrincipalId -DisplayName $DisplayName


Add FullAccess mailbox permissions to all mailboxes you want to access from your application using:


Add-MailboxPermission -User $PrincipalId -AccessRights FullAccess -Identity ""
Add-MailboxPermission -User $PrincipalId -AccessRights FullAccess -Identity ""
Add-MailboxPermission -User $PrincipalId -AccessRights FullAccess -Identity ""


At this point you have registered an application for accessing Office 365 mailboxes via IMAP or POP3 protocol and received its Application (client) ID, Client secret and Directory (tenant) ID.

These strings are going to be used by your application to authenticate to Microsoft 365 via OAuth 2.0 and receive an OAuth token. This token is then used to authenticate to Exchange Online using IMAP or POP3 protocols.