How to configure Office365/Outlook Online email servers (IMAP and SMTP) with OAuth 2

Davin2
Tera Contributor

Hello Community,

Has anyone had any success connecting their instance mail account to an Azure cloud hosted Office365 IMAP or SMTP server while using OAuth 2.0 for authentication? I've followed the docs (steps below) and gotten as far as getting an access token returned, but the "Test Connection" still fails authentication. I suspect the problem may be with the OAuth scopes I'm requesting and/or some setup missing on the Office365 side. The problem is the docs aren't very specific to Office365, and I can't find any definitive walk-thrus on the Office365 side in terms of setting up the application there (and not a lot on Communities dealing with OAuth and IMAP/SMTP). Add to that a basic lack of detailed debugging (why was the authentication failed?) and I'm stuck.

Thanks in advance,

Davin

These are the steps taken (referencing https://docs.servicenow.com/bundle/newyork-servicenow-platform/page/administer/notification/task/t_SetUpOAuth2ForEmail.html )

First installed the "Email - OAUTH support for IMAP and SMTP" plugin, then:

1. On the Azure Office 365 side, created an application scope for the ServiceNow instance, including the redirect URI for the instance. Also obtained the Client ID, Client Secret, and authorization URLs needed for the next step.
2. In the instance, created a System OAuth > Application Registry entry for the Office 365 instance.
3. Created an OAuth Entity Profile and scopes under the Application Registry. I'm using: Mail.ReadWrite, profile, email, Mail.Send, openid, offline_access for scopes.
4. Created an entry in System Mailboxes > Email Accounts for IMAP and SMTP services, selecting OAuth 2.0 as auth type and the right application scope.
5. Clicked the "Authorize Email Account Access" button. Entered the Office 365 user credentials in the tab that opened and authorized access. When the email account screen refreshed, I noted a message about the OAuth Refresh Token expiring soon.
6. Noted that a new record is created in System OAuth > Manage Tokens. So it's clearly communicating!
7. Clicking the Test Connection link results in authentication failed: (Account name: Office 365 IMAP, Type: imap, sys_id: f25687e51be6401409114229bc4bcbb0) Email account connection test completed with result: error, msg: Connection failed: AUTHENTICATE failed. (screenshot).
1 ACCEPTED SOLUTION

pawel_staszewsk
Giga Guru

Finally resolved.

See KB0820012

19 REPLIES

dwhitener
Tera Contributor

I'm trying to figure out a very similar issue with this integration.  By chance did you figure it out on your own?

Davin2
Tera Contributor
No, short answer is that OAuth for IMAP/SMTP and Microsoft O365 isn't supported as of now but will be in the future. See KB article from NOW support below. Appears to be at least in part because Microsoft doesn't yet support it. As of today, for O365 only basic auth is currently supported.

Also, Microsoft has announced that they won't support basic authentication past October 2020. Clearly that implies they will need to quickly move forward with improving their OAuth support, and on the other side, that NOW will have to come up with concrete configuration instructions to leverage that (clearly we're not the only ones using O365 with NOW cloud instances).

Thanks,
Davin

pawel_staszewsk
Giga Guru

@davinlg 

The token you have generated, what scope is it for?

I have a similar issue and an open ticket with support, but it looks like I am not getting a token for any scope other than "User.Read". I suppose the scope must point to the relevant consent assigned to the application and should be related to "Mail" or "IMAP".

MSFT confirmed this on Stack Overflow almost a year ago

https://stackoverflow.com/questions/29747477/imap-auth-in-office-365-using-oauth2

Unfortunately the instructions were archived.

I also found this thread on Stack Overflow:

https://stackoverflow.com/questions/58914816/oauth2-imap-how-to-request-consent-for-imap-accessasuse...

which is probably the resolution, but I can't confirm right now that it works on my end.

Hello Pawel, the scopes we have tried are:

email

Mail.ReadWrite

Mail.Send

offline_access

openid

profile

However, bear in mind we've abandoned our effort until Microsoft and/or SNow improves support around this. These scopes don't necessarily work and probably include more than is needed. In the second link you shared, it seems Microsoft are saying they are working on OAuth support for Office 365, but I presume it's not there yet.

Thanks,
Davin
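
The replies above turn on whether the issued token actually carries the scopes that were requested (one poster reports getting only "User.Read"). The following is an added example, not part of the original thread or any ServiceNow or Microsoft code, that compares requested scopes with the ones granted in a token. It assumes the access token is a JWT with a space-separated `scp` claim; the function names and the sample token are constructed for illustration.

```python
import base64
import json

# Standard OpenID Connect scopes: they control ID/refresh tokens, not mailbox access.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(scp: str, aud: str = "https://resource.example") -> str:
    """Build a CONSTRUCTED, unsigned JWT-shaped token for the demo below."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"aud": aud, "scp": scp}).encode())
    return f"{header}.{payload}.constructed-signature"


def token_claims(access_token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying it (local diagnostics only)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT; an opaque token cannot be inspected locally")
    segment = parts[1]
    padded = segment + "=" * (-len(segment) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(padded))


def diagnose(access_token: str, requested: list) -> dict:
    """Compare the scopes requested in the OAuth profile with those granted."""
    claims = token_claims(access_token)
    granted = claims.get("scp", "").split()  # space-separated delegated scopes
    granted_lc = {g.lower() for g in granted}
    missing = [
        r for r in requested
        if r.lower() not in OIDC_SCOPES
        # scopes may be requested as full URIs; tokens list the short name
        and r.rsplit("/", 1)[-1].lower() not in granted_lc
    ]
    return {"audience": claims.get("aud"), "granted": granted, "missing": missing}


if __name__ == "__main__":
    # Scopes listed in the thread; token constructed to mirror the "User.Read only" report.
    wanted = ["Mail.ReadWrite", "profile", "email", "Mail.Send", "openid", "offline_access"]
    print(diagnose(make_sample_token("User.Read"), wanted))
```

A non-empty `missing` list means the consent or the scope request did not take effect, which is worth ruling out before debugging the mail server side. Treat decoded tokens as secrets and keep them out of tickets and logs.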