Overview


Microsoft announced that it will no longer be possible to authenticate with the user/password method on Outlook365 IMAP and POP servers. Instead, a "modern" authentication method, in particular OAuth2, will be required. See this Microsoft webpage for more information.

Our development team is implementing the changes required to support OAuth2 authentication in the IMAP and POP metadata for use with the Readmail action. This is planned for xDI version 6.0.0, scheduled for January 2023. A backport to xDI version 5.3.x is also planned. A backport to S20 is not excluded. A backport to S19 is not technically possible.


This article describes the workaround that can be used in S20 and xDI to authenticate on Outlook365 using OAuth2.


Overview of the workaround:

- configuring the Azure Portal to declare an Application (xDI) that will be authorized to authenticate with OAuth2 and use IMAP/POP - this will also be necessary in the final solution.

- creating an Http Security metadata for OAuth2 - this will also be necessary in the final solution.

- creating a mapping to refresh the OAuth2 access_token before each Readmail action

- configuring the Email metadata and Readmail action to use this OAuth2 access_token



Step 1 - declare an Application in Azure Portal


Connect to the Azure Portal and look for App Registrations.



Click New Registration.



Give the Application a name, for example "Semarchy-xDI", complete the required information according to your organization's policy, then click Register.


Select API Permissions.



Choose Add a Permission / Microsoft Graph / Delegated Permissions and add the following permissions:


Mail.Read

Mail.Send

offline_access

openid

SMTP.Send

User.Read




Go to Authentication / Add a Platform, configure the URLs with https://localhost, and tick both token checkboxes.



Go to Certificates and Secrets and add a Client Secret. Note the values somewhere safe; the secret value is only shown once.




Go to Overview and note the values of "Application (client) ID" and "Directory (tenant) ID".


Step 2 - create the OAuth2 Metadata



Step 3 - configure the mail metadata


On the Incoming Account node (POP3 protocol):


mail.pop3.sasl.mechanisms=XOAUTH2

mail.pop3.auth.xoauth2.disable=false

mail.pop3.auth.login.disable=true

mail.pop3.auth.plain.disable=true

On the Incoming Account node (IMAP protocol):


mail.imap.sasl.mechanisms=XOAUTH2

mail.imap.auth.xoauth2.disable=false

mail.imap.auth.login.disable=true

mail.imap.auth.plain.disable=true

On the Outgoing Server node (SMTP protocol):


mail.smtp.auth.mechanisms=XOAUTH2

mail.smtp.auth.login.disable=true

mail.smtp.auth.plain.disable=true
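To show what the token-refresh mapping and the XOAUTH2 settings above do under the hood, here is an added example (not xDI code and not part of the original article) that refreshes the access_token against the Microsoft identity platform with the client ID, client secret and tenant ID noted in Step 1, then authenticates to IMAP with the same SASL XOAUTH2 response JavaMail sends. The scope list and the mailbox host are assumptions to adapt to your tenant.

```python
import imaplib
import json
import urllib.parse
import urllib.request

# Microsoft identity platform v2.0 token endpoint; {tenant} is the
# "Directory (tenant) ID" noted in Step 1.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def build_refresh_request(tenant, client_id, client_secret, refresh_token, scopes):
    """Return (url, form body) for a refresh_token grant; the offline_access
    permission from Step 1 is what made the IdP issue the refresh token."""
    body = urllib.parse.urlencode({
        "client_id": client_id,          # "Application (client) ID" from Step 1
        "client_secret": client_secret,  # Client Secret from Step 1
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "scope": " ".join(scopes),       # assumed scopes, e.g. offline_access + an IMAP scope
    })
    return TOKEN_URL.format(tenant=tenant), body


def refresh_access_token(tenant, client_id, client_secret, refresh_token, scopes):
    """POST the grant and return (access_token, refresh_token). Azure AD rotates
    refresh tokens, so persist the returned one or later runs will be refused."""
    url, body = build_refresh_request(tenant, client_id, client_secret, refresh_token, scopes)
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        tok = json.load(resp)
    return tok["access_token"], tok.get("refresh_token", refresh_token)


def xoauth2_initial_response(user, access_token):
    """The SASL XOAUTH2 client response that mail.imap.sasl.mechanisms=XOAUTH2
    makes JavaMail send: user=<u>^Aauth=Bearer <token>^A^A (before base64)."""
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01"


def imap_login_xoauth2(host, user, access_token):
    """Open an IMAPS session using the bearer token instead of a password."""
    conn = imaplib.IMAP4_SSL(host, 993)
    # imaplib base64-encodes the bytes the callback returns before sending them.
    conn.authenticate("XOAUTH2",
                      lambda _challenge: xoauth2_initial_response(user, access_token).encode())
    return conn
```

Run refresh_access_token just before each Readmail execution (access tokens are short-lived) and pass the result to imap_login_xoauth2 with the Outlook365 host, assumed here to be outlook.office365.com.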