Follow these detailed step-by-step instructions to implement OAuth 2.0 authentication if your in-house application needs to access IMAP and SMTP AUTH protocols in Exchange Online, or work with your vendor to update any apps or clients that you use that could be impacted.

I think support for OAuth2 is hard-coded in Thunderbird for each known supported OAuth2 provider. Every OAuth2 provider has its own clientSecret, which aren't really secret, because you can find them in the source. I don't know why they are hard-coded and not in the mail provider.

On this screen, change 'Authentication' for both IMAP and SMTP to 'OAuth2', then click 'Done'. After clicking 'Done' you will be presented with a normal Office 365 login prompt. Log in as normal. After you complete the login, it should return you to Thunderbird and you should be all set up. In the Outgoing Server (SMTP) settings, select Office365 (Microsoft) – smtp.office365.com, click Edit and set authentication for outbound SMTP to OAuth2 as well. Note: The Thunderbird build running on Ubuntu doesn't provide the OAuth2 authentication option for SMTP. When finished, click 'Get Messages'.

Currently, Thunderbird only supports OAuth2 authorization for IMAP and SMTP for Gmail and mail.ru. I'd like to add OAuth2 support for AOL mail accounts.
Learn how to use OAuth authentication to connect with IMAP, POP or SMTP protocols and access email data for Office 365 users.
OAuth2 support for IMAP, POP, SMTP protocols as described below is supported for both Microsoft 365 (which includes Office on the web) and Outlook.com users.
If you're not familiar with the OAuth 2.0 protocol, start by reading the OAuth 2.0 protocol on Microsoft identity platform overview. To learn more about the Microsoft Authentication Libraries (MSAL), which implement the OAuth 2.0 protocol to authenticate users and access secure APIs, read the MSAL overview.
You can use the OAuth authentication service provided by Azure Active Directory to enable your application to connect with IMAP, POP or SMTP protocols to access Exchange Online in Office 365. To use OAuth with your application you need to:
- Register your application with Azure Active Directory.
- Configure your application in Azure Active Directory.
- Get an access token from a token server.
- Authenticate connection requests with an access token.
Register your application
To use OAuth, an application must be registered with Azure Active Directory.
Follow the instructions listed in Register an application with the Microsoft identity platform to create a new application.
Configure your application
Follow the instructions listed in Configure a client application to access web APIs
Make sure to add one or more of the following permission scopes that correspond to the protocols you would like to integrate with. In the Add a permission wizard, select Microsoft Graph and then Delegated permissions to find the following permission scopes listed.
Protocol | Permission scope |
---|---|
IMAP | IMAP.AccessAsUser.All |
POP | POP.AccessAsUser.All |
SMTP AUTH | SMTP.Send |
Get an access token
You can use one of our MSAL client libraries to fetch an access token from your client application.
Alternatively, you can select an appropriate flow from the following list and follow the corresponding steps to call the underlying identity platform REST APIs and retrieve an access token.
OAuth access to IMAP, POP, SMTP AUTH protocols via OAuth2 client credentials grant flow is not supported. If your application needs persistent access to all mailboxes in a Microsoft 365 organization, we recommend that you use the Microsoft Graph APIs which allow access without a user, enable granular permissions and let administrators scope such access to a specific set of mailboxes.
Make sure to specify the full scopes, including Outlook resource URLs, when authorizing your application and requesting an access token.
Protocol | Permission scope string |
---|---|
IMAP | https://outlook.office.com/IMAP.AccessAsUser.All |
POP | https://outlook.office.com/POP.AccessAsUser.All |
SMTP AUTH | https://outlook.office.com/SMTP.Send |
In addition, you can request the offline_access scope. When a user approves the offline_access scope, your app can receive refresh tokens from the Microsoft identity platform token endpoint. Refresh tokens are long-lived, so your app can get new access tokens as older ones expire. Because a refresh token grants continued access to the mailbox, keep it in protected storage (an OS credential store or equivalent) and never write it to logs or source control.
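The authorization-code flow against the identity platform REST endpoints, as an added example (not code from the original page or from Microsoft): it builds the authorize URL with the full Outlook resource scopes plus offline_access, binds the request with PKCE and a state value, and prepares the token and refresh requests using only the standard library. TENANT, CLIENT_ID and REDIRECT_URI are placeholders you replace with your app registration's values; the only network calls are in the `__main__` section.

```python
"""Authorization-code + PKCE requests for the Microsoft identity platform
v2.0 endpoints, standard library only. Added example, not from the
original page. TENANT / CLIENT_ID / REDIRECT_URI are placeholders."""
import base64
import hashlib
import json
import secrets
import urllib.parse
import urllib.request

TENANT = "common"                                   # assumption; pin to your tenant ID
CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder app (client) ID
REDIRECT_URI = "http://localhost:8400/"             # must match the app registration

# Full resource-qualified scopes from the page's table, plus offline_access
# so the token response also carries a refresh token.
SCOPES = [
    "https://outlook.office.com/IMAP.AccessAsUser.All",
    "https://outlook.office.com/POP.AccessAsUser.All",
    "https://outlook.office.com/SMTP.Send",
    "offline_access",
]

AUTHORIZE_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize"
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """43..128 unreserved characters; 32 random bytes -> 43 characters."""
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(verifier: str, state: str) -> str:
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": " ".join(SCOPES),
        "state": state,                      # CSRF binding; verified on return
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def build_token_request(code: str, verifier: str) -> dict:
    """Body for redeeming the code; a public client sends no client secret."""
    return {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,
        "scope": " ".join(SCOPES),
    }


def build_refresh_request(refresh_token: str) -> dict:
    """Body for exchanging a refresh token for a fresh access token."""
    return {
        "client_id": CLIENT_ID,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "scope": " ".join(SCOPES),
    }


def parse_redirect(redirect_url: str, expected_state: str) -> str:
    """Pull the code out of the redirect; refuse a mismatched state."""
    q = urllib.parse.parse_qs(urllib.parse.urlparse(redirect_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or mixed-up session")
    if "error" in q:
        raise RuntimeError(f"{q['error'][0]}: {q.get('error_description', [''])[0]}")
    return q["code"][0]


def post_form(url: str, body: dict) -> dict:
    """POST application/x-www-form-urlencoded and parse the JSON reply."""
    data = urllib.parse.urlencode(body).encode("ascii")
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    verifier, state = new_code_verifier(), secrets.token_urlsafe(16)
    print("Open this URL in a browser and sign in:")
    print(build_authorize_url(verifier, state))
    code = parse_redirect(input("Paste the full redirect URL: ").strip(), state)
    tokens = post_form(TOKEN_URL, build_token_request(code, verifier))
    print("expires_in:", tokens["expires_in"], "refresh token:", "refresh_token" in tokens)
```

The state check in parse_redirect is what stops an attacker-supplied code from being bound to your session, and PKCE is what stops a stolen redirect (for example via a registered loopback or custom-scheme handler) from being redeemed without the verifier.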
Authenticate connection requests
You can initiate a connection to Office 365 mail servers using the IMAP and POP email settings for Office 365.
SASL XOAUTH2
OAuth integration requires your application to use the SASL XOAUTH2 format for encoding and transmitting the access token. SASL XOAUTH2 encodes the username and access token together in the following format:
base64("user=" + userName + "^Aauth=Bearer " + accessToken + "^A^A")
^A represents a Control + A (%x01).
For example, the SASL XOAUTH2 format to access test@contoso.onmicrosoft.com with access token EwBAAl3BAAUFFpUAo7J3Ve0bjLBWZWCclRC3EoAA is:
user=test@contoso.onmicrosoft.com^Aauth=Bearer EwBAAl3BAAUFFpUAo7J3Ve0bjLBWZWCclRC3EoAA^A^A
After base64 encoding, this translates to the following string. Note that line breaks are inserted for readability.
dXNlcj10ZXN0QGNvbnRvc28ub25taWNyb3NvZnQuY29tAWF1dGg9QmVhcmVy
IEV3QkFBbDNCQUFVRkZwVUFvN0ozVmUwYmpMQldaV0NjbFJDM0VvQUEBAQ==
SASL XOAUTH2 authentication for shared mailboxes in Office 365
For shared-mailbox access using OAuth, the application obtains the access token on behalf of a user who has been granted access to the shared mailbox, but replaces the userName field in the SASL XOAUTH2 encoded string with the email address of the shared mailbox. The token itself is unchanged; only the user= field names the shared mailbox.
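Building and inspecting the SASL XOAUTH2 string, covering both the format above and the shared-mailbox variant, as an added example (not code from the original page). The user name and token are the page's own sample values, not real credentials; `parse_xoauth2` and `redacted` are helpers added here so a client can verify what it is about to send without ever logging the token.

```python
"""SASL XOAUTH2 encoding for Office 365 IMAP/POP/SMTP. Added example, not
code from the original page; sample values are the page's, not real ones."""
import base64

CTRL_A = "\x01"  # the ^A (%x01) separator used by the SASL XOAUTH2 format


def xoauth2_string(user_name: str, access_token: str) -> str:
    """base64("user=" + userName + "^Aauth=Bearer " + accessToken + "^A^A")."""
    raw = f"user={user_name}{CTRL_A}auth=Bearer {access_token}{CTRL_A}{CTRL_A}"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def xoauth2_for_shared_mailbox(shared_mailbox: str, delegate_access_token: str) -> str:
    """Shared-mailbox access: the token was issued to the delegate who signed
    in, while the user= field carries the shared mailbox's address."""
    return xoauth2_string(shared_mailbox, delegate_access_token)


def parse_xoauth2(encoded: str) -> dict:
    """Decode a string for inspection; rejects anything not in XOAUTH2 shape."""
    raw = base64.b64decode(encoded, validate=True).decode("utf-8")
    if not raw.endswith(CTRL_A * 2):
        raise ValueError("missing trailing ^A^A")
    fields = raw[:-2].split(CTRL_A)
    kv = dict(f.split("=", 1) for f in fields)  # raises ValueError if a field lacks '='
    if set(kv) != {"user", "auth"} or not kv["auth"].startswith("Bearer "):
        raise ValueError("not an XOAUTH2 string")
    return {"user": kv["user"], "token": kv["auth"][len("Bearer "):]}


def redacted(encoded: str) -> str:
    """Log-safe view: keep the user, hide the token (access tokens are secrets)."""
    p = parse_xoauth2(encoded)
    return f"user={p['user']} bearer=<{len(p['token'])} chars redacted>"


if __name__ == "__main__":
    s = xoauth2_string("test@contoso.onmicrosoft.com",
                       "EwBAAl3BAAUFFpUAo7J3Ve0bjLBWZWCclRC3EoAA")
    print(s)
    print(redacted(s))
    # Delegate signed in and got a token; the string names the shared mailbox.
    shared = xoauth2_for_shared_mailbox("shared@contoso.onmicrosoft.com",
                                        "EwBAAl3BAAUFFpUAo7J3Ve0bjLBWZWCclRC3EoAA")
    print(redacted(shared))
```

Running the block prints the same base64 string the page shows for its sample values, which is a quick way to confirm an implementation encodes the separators correctly before pointing it at a real server.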
IMAP Protocol Exchange
To authenticate an IMAP server connection, the client responds with an AUTHENTICATE command in the following format:
tag AUTHENTICATE XOAUTH2 <base64 string>
Sample client-server message exchange that results in an authentication success:
Sample client-server message exchange that results in an authentication failure:
POP Protocol Exchange
To authenticate a POP server connection, the client responds with an AUTH command split into two lines in the following format:
AUTH XOAUTH2
<base64 string>
Sample client-server message exchange that results in an authentication success:
Sample client-server message exchange that results in an authentication failure:
SMTP Protocol Exchange
To authenticate an SMTP server connection, the client responds with an AUTH command in the following format:
AUTH XOAUTH2 <base64 string>
Sample client-server message exchange that results in an authentication success:
Sample client-server message exchange that results in an authentication failure:
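The three exchanges above, success and failure, walked through offline as an added example (not the page's own sample exchanges). `ScriptedServer` and every reply it hands back are constructed stand-ins for this example; real servers word their replies differently, but the status markers a client should key on are the same: IMAP `tag OK`/`tag NO`, POP `+OK`/`-ERR`, SMTP `235`/`535`. The capability pre-check is the test a practitioner runs first when a client such as Thunderbird offers no OAuth2 option.

```python
"""XOAUTH2 exchanges for IMAP, POP and SMTP against a scripted fake server.
Added example, not the page's own samples; all replies are constructed."""
import base64


def xoauth2_string(user: str, token: str) -> str:
    """base64("user=" + user + "^Aauth=Bearer " + token + "^A^A")."""
    raw = f"user={user}\x01auth=Bearer {token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


class ScriptedServer:
    """Line-oriented fake transport: returns canned replies in order and
    records every line the client sent (constructed for this example)."""

    def __init__(self, replies):
        self.replies = list(replies)
        self.sent = []

    def send_line(self, line: str) -> None:
        self.sent.append(line)

    def read_line(self) -> str:
        return self.replies.pop(0)


def advertises_xoauth2(capability_text: str) -> bool:
    """Pre-flight: IMAP CAPABILITY lists 'AUTH=XOAUTH2', POP CAPA lists
    'SASL ... XOAUTH2', SMTP EHLO lists '250-AUTH ... XOAUTH2'."""
    for line in capability_text.upper().splitlines():
        words = line.replace("=", " ").split()
        if ("AUTH" in words or "SASL" in words or any(w.endswith("-AUTH") for w in words)) \
                and "XOAUTH2" in words:
            return True
    return False


def decode_challenge(reply: str) -> str:
    """Decode the base64 payload a server may attach to a '+' or '334'
    challenge (XOAUTH2 uses it to carry a JSON error on rejection)."""
    parts = reply.split(" ", 1)
    payload = parts[1].strip() if len(parts) == 2 else ""
    return base64.b64decode(payload).decode("utf-8", "replace") if payload else ""


def imap_authenticate(srv, user, token, tag="A01"):
    """IMAP: one line with the base64 as initial response (needs the SASL-IR
    capability; without it send 'AUTHENTICATE XOAUTH2' alone, then the
    base64 after the '+' prompt). Returns (ok, final server line)."""
    srv.send_line(f"{tag} AUTHENTICATE XOAUTH2 {xoauth2_string(user, token)}")
    reply = srv.read_line()
    if reply.startswith("+"):
        # Rejected token: the server sends a challenge and the client must
        # answer with an empty line to receive the final tagged status.
        srv.send_line("")
        reply = srv.read_line()
    return reply.startswith(f"{tag} OK"), reply


def pop_auth(srv, user, token):
    """POP: 'AUTH XOAUTH2' first, then the base64 on its own line after '+'."""
    srv.send_line("AUTH XOAUTH2")
    prompt = srv.read_line()
    if not prompt.startswith("+"):
        return False, prompt  # mechanism refused before any credential was sent
    srv.send_line(xoauth2_string(user, token))
    reply = srv.read_line()
    return reply.startswith("+OK"), reply


def smtp_auth(srv, user, token):
    """SMTP AUTH with initial response; 235 means authenticated."""
    srv.send_line(f"AUTH XOAUTH2 {xoauth2_string(user, token)}")
    reply = srv.read_line()
    if reply.startswith("334"):
        srv.send_line("")  # same empty-line completion as IMAP on rejection
        reply = srv.read_line()
    return reply.startswith("235"), reply


if __name__ == "__main__":
    user, token = "test@contoso.onmicrosoft.com", "EwBAAl3BAAUFFpUAo7J3Ve0bjLBWZWCclRC3EoAA"
    err = base64.b64encode(b'{"status":"401"}').decode()  # constructed error payload
    runs = {
        "imap ok":   (imap_authenticate, ["A01 OK authenticated"]),
        "imap fail": (imap_authenticate, [f"+ {err}", "A01 NO AUTHENTICATE failed"]),
        "pop ok":    (pop_auth, ["+ ", "+OK logged in"]),
        "pop fail":  (pop_auth, ["+ ", "-ERR authentication failed"]),
        "smtp ok":   (smtp_auth, ["235 2.7.0 Authentication successful"]),
        "smtp fail": (smtp_auth, [f"334 {err}", "535 5.7.3 Authentication unsuccessful"]),
    }
    for name, (fn, replies) in runs.items():
        srv = ScriptedServer(replies)
        ok, reply = fn(srv, user, token)
        print(f"{name:9s} -> {ok}  S: {reply!r}")
        for line in srv.sent:
            print("            C:", line[:48] + ("..." if len(line) > 48 else ""))
    # Against a real server the IMAP leg is, via imaplib (host from the Office 365
    # IMAP settings); imaplib base64-encodes the bytes the callback returns:
    #   imaplib.IMAP4_SSL("outlook.office365.com", 993).authenticate(
    #       "XOAUTH2", lambda _: f"user={user}\x01auth=Bearer {token}\x01\x01".encode())
```

Note the failure paths: a rejected XOAUTH2 token does not produce an immediate NO/-ERR/535; the server first sends a challenge carrying a base64 JSON error, and a client that does not answer it with an empty line will hang waiting for a status that never arrives.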
This document describes how to configure your UWM Office 365 email account in Thunderbird using OAuth2 (Modern Authentication).
Note: These instructions assume you are running a version of Thunderbird which supports OAuth2 modern authentication.
Configure Thunderbird for Office 365
- Launch Thunderbird to bring up the main Thunderbird interface. If you have other accounts configured, you can navigate here by clicking on Local Folders on the left-hand side. Select Email under the Setup Another Account section in the main window.
- On the Mail Account Setup window, enter information into the available fields as follows:
- Your name: Your name as you'd like it to appear
- Email Address: Enter ePantherID@uwm.edu
Important: do not enter in your password on this login screen. Only enter your email address and name.
- Click Continue
- Thunderbird should automatically discover and fill in the server settings necessary for your account:
- Protocol
- Incoming
- Outgoing
- Username
- Click Done to confirm the creation of your account.
Note: If you now try to navigate to the mailbox that was just added, you will be prompted to enter your password. If this happens, hit Cancel.
- Navigate to Account Settings > Server Settings > Security Settings > Authentication Method and select OAuth2 from the Authentication Method dropdown.
- Navigate to Outgoing Server on the left-hand panel of the account settings screen.
- Select the Office365 (Microsoft) SMTP server and click Edit on the right-hand side.
- Set the outgoing server to the following (changing the Authentication method to OAuth2), then click OK:
- Description: Office365 (Microsoft)
- Server Name: smtp.office365.com
- Port: 587 (default)
- Connection Security: STARTTLS
- Authentication Method: OAuth2
- User Name: your ePantherID@uwm.edu address (pounce@uwm.edu in this example)
- Now, when you attempt to view your inbox, instead of being prompted for your password by Thunderbird, you will be redirected to authenticate through Duo (faculty/staff) or Microsoft MFA (students).
- After authenticating, the setup is complete. Email data will take some time to sync, so be patient.
Important: Please complete these steps before using your Thunderbird client.
- Reconfigure folder mapping:
Clients configured using Microsoft Exchange protocol use different folders for some of the primary mail folders. For consistency, we highly recommend that you configure Thunderbird to use these same folders. This will make it less confusing if you also use the web client for Office 365 or a different desktop client that is using the Exchange protocol.
- Right-click on your Office 365 account and select 'Subscribe...' from the drop-down menu.
- Place a check-mark within the box next to each of these folders: 'Drafts | Deleted Items | Sent Items'.
- Click Subscribe button.
- Click OK button.
- Right-click on your Office 365 account and select 'Settings...' from the drop-down menu.
- Under your Office 365 account, select 'Server Settings'.
- Within 'Server Settings | When I delete a message' section, select 'Move it to this folder:' and use the text box next to this setting to select the 'Deleted Items' folder.
- Under your Office 365 account, select 'Copies & Folders'.
- Within 'When sending messages, automatically | Place a copy in:' section, select 'Other' and use the text box next to this setting to select the 'Sent Items' folder within your Office 365 account.
- Make sure 'Drafts' folder is selected within your Office 365 account under 'Drafts and Templates'.
- Click the OK button.
- Restart Thunderbird
- Disable the adaptive junk mail controls:
Office 365 server side junk/spam filtering is already enabled for all Office 365 accounts.
- Right click on the email address you just configured in the left-hand pane.
- Click on Settings.
- Click Junk Settings from the left-hand option pane.
- Uncheck the box for Enable adaptive junk mail controls for this account.
- Click the OK button.
Remember: Thunderbird cannot access the Office 365 Global Address List (GAL). Therefore, you may still need to access the Campus Directory (Whitepages) to find the person you are searching for.
Field | Value |
---|---|
Keywords | Modern Authentication, thunderbird beta, thunderbird, office 365, o365, m365, microsoft 365, smtp, server, sent, configure OAuth2, oauth2, whitepages, outlook |
Doc ID | 109671 |
Owner | Help Desk K. |
Group | UW-Milwaukee Help Desk |
Created | 2021-03-15 16:04 CDT |
Updated | 2021-04-23 15:20 CDT |
Sites | UW-Milwaukee Help Desk |