As you are probably aware Microsoft has been removing basic authentication capabilities in Office 365 services, which includes connectivity using ‘legacy’ protocols like IMAP, POP or SMTP.
While this removal is for the greater of good – basic authentication is not a secure way to authenticate as it can be easily hack and does not support multi-factor authentication (MFA), which is helping securing identity – this also has a downside.
Indeed, companies may still rely on these legacy protocols which support only basic authentication due to legacy applications or multi-function printers.
Well, the good news as you can now use OAuth authentication (to know more about OAuth you can read this article; OAuth implementation on Microsoft services relies on the use of the Microsoft Authentication Libraries (MSAL) where you can learn about here) – a more modern authentication method which also supports MFA – when connecting with any of these legacy protocols – IMAP, POP or SMTP – to Exchange Online.
To do so you will need to register an Azure AD application which then will get an access token and then authenticate the connection request using this token.
Here are the steps to implement OAuth authentication for the legacy protocols.
First logon to your Azure AD portal () to access the Azure Active Directory\App Registrations blade or even better start using the new Entra portal) (to access the Azure Active Directory\Applications\App registrations blade.
To do so you need to have either Global administrator, Application administrator, Application developer or Cloud application administrator administration role.
When registering the Azure AD application you just need to ensure you choose an understandable name and the supported account types set to Accounts in this organisational directory only.
Then you will need to grant the appropriate Microsoft Graph\Delegated Permissions permissions (IMAP.AccessAsUser.All, SMTP.Send, or POP.AccessAsUser.All) using the API permissions blade; select the API permissions based on the protocol(s) you are planning to use based on the protocol(s) you are planning to use.
Once you have added the required permissions you have to grant them using the Grant admin consent for
Now your Azure AD application is created with the permissions to connect to Exchange Online using the configured legacy protocols.
You will now need to grant tenant admin consent to this application using the below URL; you need to replace the
Depending on your redirect URL you may have an HTTP error; this is not important as this is just because your browser is not able to resolve the redirect URL. It is all fine.
Now as the last steps you need to register your Azure AD Application service principals in Exchange Online and grant access to the Exchange Online mailbox to this service principal.
To do you will need to have either Exchange Online administrator or Global administrator administration role and use the Exchange Online PowerShell module V2 (available here).
The <APPLICATION_ID> and <OBJECT_ID> are the corresponding values for your Azure AD application while the <ORGANIZATION_ID> is the Directory ID.
NOTE the New-ServicePrincipal and/or the Get-ServicePrincipal cmdlets are currently being deployed and may not be available yet in your tenant
Connect-ExchangeOnline
New-ServicePrincipal -AppId <APPLICATION_ID> -ServiceId <OBJECT_ID> [-Organization <ORGANIZATION_ID>]
Get-ServicePrincipal -Organization <ORGANIZATION_ID>
Add-MailboxPermission –Identity