Does Rebex support Office 365 mailbox using IMAP with an OAuth 2.0 token?

0 votes
asked May 25, 2020 by vanchuri (140 points)


I see that Microsoft has rolled out OAuth 2.0 support for IMAP and SMTP recently.

What I understood from the above link is that "we need to use Graph API" for non-interactive applications using the client credentials flow.

I have enabled the following permissions in my app's Graph API permission settings:
IMAP.AccessAsUser.All -> Delegated -> Granted admin consent
Mail.Read -> Delegated -> Granted admin consent
Mail.Read -> Application -> Granted admin consent

I gave my client ID, client secret and tenant ID details in my IMAP sample app code. I created a confidential client app object.
Defined the scope to be ""

I have passed the access token to my IMAP object without any modification. It says "Server reported error: AUTHENTICATE failed (NO)." when I try to log in.

Did I miss something here? Or does Rebex not support it yet?
Can someone guide me on a way forward from here?

Vijay Anchuri

Applies to: Rebex Secure Mail

1 Answer

0 votes
answered May 25, 2020 by Pavel Matyska (13,940 points)
edited Mar 24 by Lukas Pokorny

Update: This has been resolved in Rebex Secure Mail 2020 R3.

Update: We published a blog post that describes how to log in with OAuth 2.0 to Office 365 with Rebex Secure Mail, and another one that describes how to register an application with appropriate permissions in Azure.


It seems your scope when obtaining your access token is wrong. According to Microsoft's How to enable OAuth for IMAP protocol on Office 365 you should use this string as a scope from your application:

Also note that you should use your access token in a SASL XOAUTH2 string and encode it with Base64, as described on the same page in the Authenticate connection requests paragraph. Use this Base64 string in our Imap.Login method.
You can find sample code for this conversion on our blog How to authenticate to Gmail with Rebex Secure Mail using OAuth 2.0, paragraphs 4 and 5. The mechanism is the same; obtaining your access token is different.
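
The SASL XOAUTH2 string described in the answer above, as an added C# example that is not part of the original post and is not Rebex's own code. The class and method names and the sample values are assumptions made for this illustration; the field layout is the standard XOAUTH2 one.

```csharp
using System;
using System.Linq;
using System.Text;

static class XOAuth2
{
    const char Sep = '\u0001'; // Ctrl+A, the XOAUTH2 field separator

    // Builds "user=<user>^Aauth=Bearer <token>^A^A" and Base64-encodes it.
    public static string Build(string user, string accessToken)
    {
        // A control character (Ctrl+A in particular) inside either value would
        // shift the field boundaries, so refuse it instead of sending it.
        if (string.IsNullOrEmpty(user) || user.Any(char.IsControl))
            throw new ArgumentException("Invalid user name.", nameof(user));
        if (string.IsNullOrEmpty(accessToken) || accessToken.Any(c => c < 0x21 || c > 0x7E))
            throw new ArgumentException("Token must be printable ASCII without spaces.", nameof(accessToken));

        string raw = "user=" + user + Sep + "auth=Bearer " + accessToken + Sep + Sep;
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(raw));
    }

    // Decodes a response for diagnostics and redacts the token, so that a log
    // line written while debugging a failed AUTHENTICATE holds no usable credential.
    public static string Describe(string base64)
    {
        const string prefix = "auth=Bearer ";
        string[] f = Encoding.UTF8.GetString(Convert.FromBase64String(base64)).Split(Sep);
        bool ok = f.Length == 4
            && f[0].StartsWith("user=", StringComparison.Ordinal)
            && f[1].StartsWith(prefix, StringComparison.Ordinal)
            && f[2].Length == 0 && f[3].Length == 0;
        if (!ok) return "malformed XOAUTH2 response";
        return f[0] + " auth=Bearer <redacted, " + (f[1].Length - prefix.Length) + " chars>";
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample values; a real token comes from the identity provider.
        string response = XOAuth2.Build("user@example.com", "SAMPLE.ACCESS.TOKEN");
        Console.WriteLine(XOAuth2.Describe(response));
    }
}
```

The value returned by `Build` is the Base64 string the answer says to pass to Imap.Login. Base64 is an encoding, not encryption, so that string needs the same handling as the access token itself.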

commented May 25, 2020 by vanchuri (140 points)
Thanks for the immediate response. But when I set the scope to the above string that you've mentioned, it's throwing MsalServiceException with
Errorcode: Invalid_scope
Error description: AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope is not valid.

I even tried setting the scope to "". It throws the same exception again!!!
commented May 25, 2020 by Pavel Matyska (13,940 points)
The string is from Microsoft's own page. But please make sure it is URL encoded. When I tried it and made the mistake of sending it to the Azure endpoint "as is", I got the same error. But when I sent it in this form: I was able to obtain a token. Although it won't let me authorize to the IMAP portion of the servers. I'll keep investigating what is going on. But I tried it some time ago with the same effect. I obtained a token but had no luck authenticating, then as now. Unfortunately, Microsoft's documentation is not very helpful.
commented Jun 2, 2020 by vanchuri (140 points)
Is there any update on this yet?
commented Jun 3, 2020 by Pavel Matyska (13,940 points)
This StackOverflow question is the only one that has a somewhat happy ending regarding authenticating with OAuth to Microsoft Office 365 using the IMAP protocol:
I have still not been fortunate, but my app registration may be misconfigured from many different attempts to make it work. I'll try to register it as cleanly as possible again and hopefully it will authenticate me.
commented Jun 3, 2020 by Pavel Matyska (13,940 points)

It turned out that the Office 365 IMAP server has the same bug as former servers. We added a workaround for it back then, and when we enabled the workaround for the Office 365 server we were able to authenticate as well. I'll prepare a hotfix and give a link to it here.
Original forum post about the workaround can be found here: