Reputation: 5846
I am developing a .NET Core Console Application (C#) that needs to authenticate to an Office 365 IMAP account. The purpose is to retrieve mail and process CSV file attachments unattended.
The app has been registered on Azure as a Mobile/Desktop app with the RedirectUri set as http://localhost.
The following code causes a new tab to open in Chrome web browser and asks for the Outlook account to use for login. I need to stop the browser from opening and handle authentication completely from code.
Current Code:
```csharp
using var client = new ImapClient(new ProtocolLogger("imap.log"));

var options = new PublicClientApplicationOptions
{
    ClientId = _options.ClientId,
    TenantId = _options.TenantId,
    RedirectUri = "http://localhost"
};

var publicClientApplication = PublicClientApplicationBuilder
    .CreateWithApplicationOptions(options)
    .Build();

var scopes = new[]
{
    "email",
    "offline_access",
    "https://outlook.office.com/IMAP.AccessAsUser.All" // Only needed for IMAP
    //"https://outlook.office.com/POP.AccessAsUser.All", // Only needed for POP
    //"https://outlook.office.com/SMTP.AccessAsUser.All", // Only needed for SMTP
};

var cancellationToken = new CancellationToken();

var authToken = await publicClientApplication
    .AcquireTokenInteractive(scopes)
    .ExecuteAsync(cancellationToken);

await publicClientApplication
    .AcquireTokenSilent(scopes, authToken.Account)
    .ExecuteAsync(cancellationToken);

SaslMechanism oauth2;
if (client.AuthenticationMechanisms.Contains("OAUTHBEARER"))
{
    oauth2 = new SaslMechanismOAuthBearer(authToken.Account.Username, authToken.AccessToken);
}
else
{
    oauth2 = new SaslMechanismOAuth2(authToken.Account.Username, authToken.AccessToken);
}

await client.AuthenticateAsync(oauth2);
await client.DisconnectAsync(true);
```
This line triggers a browser window to open https://login.microsoftonline.com/:
```csharp
var authToken = await publicClientApplication
    .AcquireTokenInteractive(scopes)
    .ExecuteAsync(cancellationToken);
```
This console application will be run unattended. How do I obtain the token and authenticate without a web browser opening up?
Upvotes: 3
Views: 4140
Reputation: 47
This code worked for me using MSAL after registering the app in Azure and getting a client secret.
```csharp
var options = new ConfidentialClientApplicationOptions
{
    ClientId = "<ClientID or Application ID>",
    TenantId = "<Azure TenantId>",
    RedirectUri = "http://localhost"
};

string clientSecret = "<Client Secret Goes here>";

var confidentialClientApplication = ConfidentialClientApplicationBuilder
    .CreateWithApplicationOptions(options)
    .WithClientSecret(clientSecret)
    .Build();

var scopes = new string[] {
    "https://outlook.office365.com/.default"
};

var authToken = await confidentialClientApplication.AcquireTokenForClient(scopes).ExecuteAsync();
```
Upvotes: 0
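The answer above stops once the token is acquired. As an added example (not code from either poster), this sketch carries an app-only token through to the MailKit IMAP login the question needs, with the secret read from the environment instead of source. Assumptions: the environment variable names, the IMAP host `outlook.office365.com` on port 993, and an app registration that has already been given admin-consented application access to the target mailbox in Exchange Online.

```csharp
// Added example: client credentials token from MSAL used for an unattended IMAP login.
using System;
using MailKit;
using MailKit.Net.Imap;
using MailKit.Security;
using Microsoft.Identity.Client;

// Assumed variable names; the secret stays out of source control and logs.
string tenantId = Require("IMAP_TENANT_ID");
string clientId = Require("IMAP_CLIENT_ID");
string clientSecret = Require("IMAP_CLIENT_SECRET");
string mailbox = Require("IMAP_MAILBOX"); // address of the mailbox to open

var app = ConfidentialClientApplicationBuilder
    .Create(clientId)
    .WithClientSecret(clientSecret)
    .WithAuthority($"https://login.microsoftonline.com/{tenantId}")
    .Build();

// Client credentials flow: no user and no browser. MSAL keeps the token in its
// in-memory cache and reuses it until it is close to expiry.
var scopes = new[] { "https://outlook.office365.com/.default" };
AuthenticationResult token = await app.AcquireTokenForClient(scopes).ExecuteAsync();

using var client = new ImapClient();

// Implicit TLS; MailKit's default certificate validation is left enabled.
await client.ConnectAsync("outlook.office365.com", 993, SecureSocketOptions.SslOnConnect);

// An app-only token carries no Account, so token.Account.Username is not
// available here; the mailbox address is supplied explicitly instead.
var oauth2 = new SaslMechanismOAuth2(mailbox, token.AccessToken);
await client.AuthenticateAsync(oauth2);

await client.Inbox.OpenAsync(FolderAccess.ReadOnly);
Console.WriteLine($"Authenticated as {mailbox}; {client.Inbox.Count} messages in INBOX");

await client.DisconnectAsync(true);

// Fails fast with a clear message when a required setting is missing.
static string Require(string name) =>
    Environment.GetEnvironmentVariable(name)
    ?? throw new InvalidOperationException($"Missing environment variable {name}");
```

If authentication is rejected even though a token was issued, check the mailbox permission granted to the app before changing the code; the token request and the IMAP login are authorized separately.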
Reputation: 622
This is an answer to your latest comment, as it's my final recommendation. So, first of all, you should decide if you want to access the data on behalf of the user, or as an app granted permissions by an admin.
First step is to register your app.
Second step is getting the access token. This is going to differ based on the method you chose. Tutorial for each: acting on behalf of the user or acting without the user, but granted permission from admin.
Once you have the access token, you can call the Microsoft Graph API. The important thing is, you always have to call Microsoft Graph API. There is no other official way (as far as I know) of communicating with Microsoft's services. You can try the requests with the Microsoft Graph Explorer, however it's VERY limited with its default URLs/parameters, so I suggest taking a look at the docs.
From what you've described, you first want to obtain UserID. The way of doing this is going to vary based on what type of auth you chose.
https://graph.microsoft.com/v1.0/me/
https://graph.microsoft.com/v1.0/me/people/?$search=
with search query parameters. Here are the docs for this endpoint.
Now, the only thing left is to supply that ID to one of the Outlook API methods. You can find docs for them here. Specifically, it seems like you want to list all messages and then read a specific message.
Also, keep an eye on what methods you use with which type of auth. On behalf of user, you usually want URLs that contain /me, on behalf of app with given admin privileges, you usually want some endpoint that enables you to pass user id.
Hope I helped!
PS: There is no code in this response, because there is a lot of stuff that just cannot be coded without your decisions, actions on Azure and so on. I suggest you read a little bit about auth and the Graph API using the Microsoft docs I linked earlier.
Upvotes: 2