Office 365 email setup for Thunderbird (POP/IMAP – Modern Authentication)


Thunderbird is a free email application that’s easy to set up and customize – and it’s loaded with great features. Thunderbird will need to be updated to version 77.0.b1 or higher in order to work with Office 365. You can download the latest version of Thunderbird here.

Pre-requisites

You need to ensure that you have already configured the app registration in Azure Active Directory and granted users access to the application. If not, please follow the steps in our earlier blog post here.

Setting up Thunderbird
  • Launch Thunderbird. Select +New, Existing Email Account from the ‘hamburger’ menu.
  • Enter your name and e-mail address. You can leave the password empty. Press Continue to have Thunderbird figure out where your mailbox is hosted. This should discover your account in Office 365.
    The settings you see should be:
    Username: username@domain.com
    Password: Office 365 password
    Protocol: IMAP
    Incoming (IMAP): outlook.office365.com SSL
    Outgoing (SMTP): smtp.office365.com STARTTLS
  • Click Done to confirm the creation of your account. If you are prompted for your password, hit Cancel.
  • Navigate to Account Settings -> Server Settings.
  • Under Authentication method, select OAuth2.
  • Navigate to Account Settings -> Outgoing Server.
  • Under Authentication method, select OAuth2.
  • Close the Account Settings. Select your Inbox, and you should be prompted with the Office 365 login page.
Manual Server Information
Username: username@domain.com
Password: Office 365 password

Incoming: IMAP
Server: outlook.office365.com
Port: 993
SSL Enabled: Yes
Authentication: OAuth2

Outgoing: SMTP
Server: smtp.office365.com
Port: 587
SSL Enabled: STARTTLS
Authentication: OAuth2

Start using OAuth for Office 365 POP/IMAP authentication

Microsoft has disabled Basic authentication for most Exchange Online protocols. Microsoft has documented the requirements and configuration steps for using OAuth with POP/IMAP in Microsoft 365 in this article: Authenticate an IMAP, POP or SMTP connection using OAuth | Microsoft Docs. It covers the registration of the required Azure AD applications and the permissions the access token must carry for Exchange Online to authorize the mailbox access request.

OAuth 2.0 Authentication

Microsoft 365 (formerly Office 365) supports two kinds of OAuth 2.0 authentication:

  • Delegated authentication is suitable for desktop, mobile or web applications with a signed-in user present.
    This mode is described in detail in another article.
  • App-only authentication is suitable for services or daemons with no user present. Instead, these unattended applications authenticate using client secrets (application credentials) to receive an access token, which is then used to gain access to a mailbox using IMAP, POP3 or EWS protocols.
SETUP OAUTH
Configuring Microsoft 365
Register your application

In Azure Portal ⇒ expand the left menu ⇒ select Azure Active Directory ⇒ select App registrations ⇒ click + New registration. (Azure Portal is constantly evolving, so if you cannot find this page, use the search bar.)

Name your application, choose which kind of accounts are going to use it, and click Register.

Once you successfully register your application you can view its associated IDs. Some of them will be needed later to obtain an OAuth 2.0 token.

Set up client secret (application password)

In the left menu, select Certificates & secrets ⇒ click + New client secret.

Provide some description for this secret, choose expiration period, and click Add.

Immediately copy and save the newly created client secret’s Value (not Secret ID). You will not be able to view the Value again later.

Add app permissions

In the left menu, select API permissions ⇒ click + Add a permission.

Navigate to APIs my organization uses tab ⇒ type Office 365 Exchange in the search bar ⇒ click Office 365 Exchange Online entry.

Click Application permissions ⇒ type AccessAsApp ⇒ check IMAP.AccessAsApp and/or POP.AccessAsApp ⇒ click Add permissions.

The newly-added IMAP.AccessAsApp and POP.AccessAsApp permissions have to be approved by your organization’s administrator. Ask them to grant consent to your application by clicking Grant admin consent for [organization].

Add mailbox access permissions

Before you proceed, make sure you have the AzureAD and ExchangeOnlineManagement PowerShell modules installed. If not, run the commands below to install them.

Install-Module -Name AzureAD
Install-Module -Name ExchangeOnlineManagement

Next we need to fetch the service principal ID for the application we just created in the Azure Portal. Fill in the Application (client) ID and Directory (tenant) ID and run the following:

$AppId = "YOUR_APP_ID_HERE"
$TenantId = "YOUR_TENANT_ID_HERE"
Import-Module AzureAD
Connect-AzureAD -TenantId $TenantId
# The outer parentheses echo the service principal so you can confirm it was found
($Principal = Get-AzureADServicePrincipal -Filter "AppId eq '$AppId'")
$PrincipalId = $Principal.ObjectId

Now we need to register the service principal for your application in Exchange Online:

$DisplayName = "Service Principal for IMAP/POP3"
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -Organization $TenantId
# $PrincipalId is the service principal's object ID from the previous step.
# Newer versions of the ExchangeOnlineManagement module name this parameter -ObjectId instead of -ServiceId.
New-ServicePrincipal -AppId $AppId -ServiceId $PrincipalId -DisplayName $DisplayName

Add FullAccess mailbox permissions for each mailbox you want to access from your application using:

# FullAccess covers the entire mailbox, so grant it only on the mailboxes the application actually needs
Add-MailboxPermission -User $PrincipalId -AccessRights FullAccess -Identity "mailbox.1@domain.org"
Add-MailboxPermission -User $PrincipalId -AccessRights FullAccess -Identity "mailbox.2@domain.org"
Add-MailboxPermission -User $PrincipalId -AccessRights FullAccess -Identity "mailbox.3@domain.org"

At this point you have registered an application for accessing Office 365 mailboxes via the IMAP or POP3 protocol and received its Application (client) ID, Client secret and Directory (tenant) ID.

These strings are used by your application to authenticate to Microsoft 365 via OAuth 2.0 and receive an OAuth access token. This token is then used to authenticate to Exchange Online using the IMAP or POP3 protocol.
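As an added example (not code from the original post), the client side of the flow just described in Python: the three values from the registration are exchanged for an access token with the client-credentials grant, and the token is then presented to outlook.office365.com over IMAP as a SASL XOAUTH2 string. The token endpoint, the `.default` scope and the XOAUTH2 format are the ones Microsoft documents for app-only access; the IDs and mailbox are constructed placeholders.

```python
"""App-only OAuth 2.0 login to Exchange Online over IMAP (added example).

Step 1 exchanges the Application (client) ID, client secret and Directory
(tenant) ID from the registration above for an access token.
Step 2 wraps that token in the SASL XOAUTH2 string the IMAP server expects.
All IDs and the mailbox below are constructed placeholders."""
import imaplib
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
IMAP_HOST = "outlook.office365.com"  # server from the settings table above
# App-only scope: the token carries the IMAP.AccessAsApp / POP.AccessAsApp roles
SCOPE = "https://outlook.office365.com/.default"


def build_token_request(tenant_id: str, client_id: str, client_secret: str) -> tuple[str, bytes]:
    """Return (url, form-encoded body) for the client-credentials token request."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SCOPE,
    }).encode()
    return TOKEN_URL.format(tenant=tenant_id), body


def get_access_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """POST the client credentials to Azure AD and return the bearer token."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def xoauth2_string(mailbox: str, access_token: str) -> bytes:
    """SASL XOAUTH2 initial response: user=<mailbox>^Aauth=Bearer <token>^A^A."""
    return f"user={mailbox}\x01auth=Bearer {access_token}\x01\x01".encode()


def imap_login(mailbox: str, access_token: str) -> imaplib.IMAP4_SSL:
    """Open an IMAPS session (port 993, as in the manual settings) and AUTHENTICATE XOAUTH2."""
    conn = imaplib.IMAP4_SSL(IMAP_HOST, 993)
    # imaplib passes the server challenge to the callback and base64-encodes the reply;
    # XOAUTH2 ignores the challenge and always sends the same string.
    conn.authenticate("XOAUTH2", lambda _challenge: xoauth2_string(mailbox, access_token))
    return conn


if __name__ == "__main__":
    token = get_access_token("YOUR_TENANT_ID_HERE", "YOUR_APP_ID_HERE", "YOUR_CLIENT_SECRET_HERE")
    imap = imap_login("mailbox.1@domain.org", token)  # a mailbox granted FullAccess above
    print(imap.select("INBOX"))
    imap.logout()
```

If the mailbox was not granted FullAccess to the service principal, the AUTHENTICATE step fails even though the token request succeeded, which is the first thing to check when a login is rejected.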