Aspose.Mail Connect to Azure IMAP OAuth via ROPC in a MFA account

I’m connecting via the IMAP protocol to an Azure account, so I must use OAuth2 and I follow the ROPC flow from Access Mail Services using OAuth|Documentation. But now there are some accounts which are using MFA, and I can’t find a way to get past the second factor, since I have no user interaction and I don’t want it.

I’ve found the following article: OutlookOffice365 IMAP :how to get access token(API) using username and App password when MFA is enabled? - Microsoft Q&A which explains how to assign permissions to mailboxes to a generic user/service, but I don’t like that solution (it requires an explicit grant for each created account). Does anyone know any other solution?

In parallel I’m investigating MSAL.NET to understand the full authentication flow and to find another way.

Hello @mpmsoftware ,

Thank you for reporting your case.

Please read the article in the documentation on the use of the MSAL.NET to gain access via IMAP client using Aspose.Email.

Spare a minute to share your feedback.

But the solution provided requires user interaction in order to set the password and MFA, and I would like to avoid using interaction, because after the IMAP integration I need to set modern authentication on the SMTP connection that I use in batch mail sending.

Anyway, using your solution, how is it recommended to check the validity of the token? Should I get it for each request? Or manually check the expiration? I understand that I can reuse the ImapClient and set the AccessToken.

Hello @mtomas ,

We’ve attached a simple project for you to check. ModernAuthenticationImap.zip (3.9 KB)

Please share your feedback.

I’ve tried your solution, and it works (like the ROPC solution) when the user does not have MFA, but it throws the same message (ROPC) when the user has MFA enabled:

… AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access …

I would implement (if it’s possible) a way to bypass MFA without user interaction (to use in batch mail processes).

Hello @mpmsoftware ,

Seems like it wouldn’t work for IMAP with MFA. Would you like to consider the possibility of using EWS client?

Please share your feedback.

I think that using EWS is not a good idea:

I will try to work on a common solution, but I would investigate the Graph API.

@mpmsoftware,

There doesn’t seem to be a way to bypass MFA without user interaction to access Exchange server via IMAP. You may clarify this with corresponding Microsoft support.

Hello @margarita.samodurova

Can I get the above sample, please (“modernauthenticationimap.zip”)?
I have the same issue but I’m not able to download that sample.

Thanks

Hello @ibrahimahmed1985,

I have provided you with the sample in this post: I can't connect to Microsoft Office 365 mailbox using Aspose.Email

Thanks @margarita.samodurova

@ibrahimahmed1985 ,

You’re welcome!

Hi, I started a thread in Microsoft support, but meanwhile I will solve my problem in the following way (for now only in a mockup):

  • In the interface where the user configures the email account, I will remove the password field (I could remove the mail address too, but I’ll leave it for legacy) and put a button to validate against Azure SSO.
  • The connection against Azure will use an IConfidentialClientApplication (ConfidentialClientApplicationBuilder).
  • After the validation, it will call AcquireTokenByAuthorizationCode and, through the UserTokenCache, it will serialize the token (cache) to the db (to a file in my mockup).
  • On the other hand, in a console program, the app reads the token from the file (stored previously) and uses it to connect to the IMAP (or SMTP) Azure server, using AcquireTokenSilent from the MSAL IConfidentialClientApplication.
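The two halves of the flow described in the post above, written out as an added example (not code from the thread or from Aspose): an MSAL.NET confidential client whose user token cache is persisted to a file, an interactive step that redeems the authorization code once, and an unattended step that calls AcquireTokenSilent (which returns the cached access token while it is still valid and otherwise uses the cached refresh token, so no manual expiry check is needed) and hands the bearer token to Aspose.Email's ImapClient. The client id, secret, tenant, redirect URI and cache path are placeholders.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Threading.Tasks;
using Aspose.Email.Clients;
using Aspose.Email.Clients.Imap;
using Microsoft.Identity.Client;

// Placeholder registration values; replace with the app registration's own.
static class ImapOAuthBatch
{
    const string ClientId = "<client-id>", ClientSecret = "<client-secret>", TenantId = "<tenant-id>";
    const string RedirectUri = "https://localhost/callback", CachePath = "msal-cache.bin";
    static readonly string[] Scopes =
    {
        "https://outlook.office365.com/IMAP.AccessAsUser.All",
        "https://outlook.office365.com/SMTP.Send",
        "offline_access" // required so MSAL receives a refresh token for the silent step
    };

    static IConfidentialClientApplication BuildApp()
    {
        var app = ConfidentialClientApplicationBuilder.Create(ClientId)
            .WithClientSecret(ClientSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .WithRedirectUri(RedirectUri)
            .Build();
        // Persist the user token cache between the configuration UI and the batch process.
        // The file holds the refresh token, so in production it belongs encrypted at rest
        // (DPAPI or an encrypted DB column) rather than as the plain file used by this mockup.
        app.UserTokenCache.SetBeforeAccess(a =>
        {
            if (File.Exists(CachePath)) a.TokenCache.DeserializeMsalV3(File.ReadAllBytes(CachePath));
        });
        app.UserTokenCache.SetAfterAccess(a =>
        {
            if (a.HasStateChanged) File.WriteAllBytes(CachePath, a.TokenCache.SerializeMsalV3());
        });
        return app;
    }

    // Step 1 (interactive, once per mailbox): the UI redeems the auth code returned by Azure.
    public static Task<AuthenticationResult> RedeemCodeAsync(string authCode) =>
        BuildApp().AcquireTokenByAuthorizationCode(Scopes, authCode).ExecuteAsync();

    // Step 2 (unattended batch): silent acquisition from the cache, then IMAP with the bearer token.
    // MsalUiRequiredException here means the refresh token is gone (revoked, expired, policy change)
    // and the mailbox must be re-validated through step 1.
    public static async Task<ImapClient> ConnectImapAsync()
    {
        var app = BuildApp();
        var account = (await app.GetAccountsAsync()).FirstOrDefault()
            ?? throw new InvalidOperationException("No cached account; run the UI validation first.");
        var result = await app.AcquireTokenSilent(Scopes, account).ExecuteAsync();
        return new ImapClient("outlook.office365.com", 993, account.Username, result.AccessToken, true)
        {
            SecurityOptions = SecurityOptions.SSLImplicit
        };
    }
}
```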

Hi @mpmsoftware ,

Thank you for sharing your solution.