Connect to Outlook.com IMAP using OAuth 2.0
The Live Connect APIs are deprecated. We recommend that you use the Outlook REST APIs to build your solutions. This will extend your reach to Outlook.com users and Office 365 enterprise customers. Although the Live Connect APIs will be supported in Outlook.com for the short term, existing Live Connect API solutions might stop working without advance notice. If your app is using IMAP with OAuth 2.0, it will continue to work, but our REST APIs are the primary APIs for building apps that connect to Outlook.com and Office 365. Read the article on how you can take advantage of the Outlook REST APIs.
Authenticate users with Outlook.com IMAP (OIMAP) and OAuth 2.0.
Outlook.com IMAP commands
You can use the following IMAP commands. For more information about these commands, see IMAP version 4 revision 1, as defined by RFC 3501.
| Command | Description |
|---|---|
| APPEND | Appends the literal argument as a new message to the end of the specified destination mailbox. |
| AUTHENTICATE | Indicates a Simple Authentication and Security Layer (SASL) authentication mechanism to the server. |
| CAPABILITY | Requests a listing of capabilities that the server supports. |
| CHECK | Requests a checkpoint of the currently selected mailbox. |
| CLOSE | Permanently removes all messages that have the \Deleted flag set from the currently selected mailbox, and returns to the authenticated state from the selected state. |
| COPY/UID COPY | Copies the specified message(s) to the end of the specified destination mailbox. |
| CREATE | Creates a mailbox with the given name. |
| DELETE | Permanently removes the mailbox with the given name. |
| EXAMINE | Identical to SELECT and returns the same output; however, the selected mailbox is identified as read-only. |
| EXPUNGE | Permanently removes all messages that have the \Deleted flag set from the currently selected mailbox. |
| FETCH/UID FETCH | Retrieves data associated with a message in the mailbox. |
| UID | Unique identifier. |
| LIST | Returns a subset of names from the complete set of all names available to the client. |
| LOGIN | Identifies the client to the server and carries the plaintext password authenticating this user. |
| LOGOUT | Informs the server that the client is done with the connection. |
| LSUB | Returns a subset of names from the set of names that the user has declared as being "active" or "subscribed". |
| NOOP | Does nothing. It always succeeds. |
| RENAME | Changes the name of a mailbox. |
| SEARCH | Searches the mailbox for messages that match the given searching criteria. |
| SELECT | Selects a mailbox so that messages in the mailbox can be accessed. |
| STORE | Alters data associated with a message in the mailbox. |
| SUBSCRIBE | Adds the specified mailbox name to the server's set of "active" or "subscribed" mailboxes as returned by the LSUB command. |
| UNSUBSCRIBE | Removes the specified mailbox name from the server's set of "active" or "subscribed" mailboxes as returned by the LSUB command. |
Authentication guidelines using OAuth 2.0
When using OAuth 2.0 to authorize users, follow these guidelines. For more info about OAuth 2.0, see The OAuth 2.0 Authorization Protocol and The OAuth 2.0 Authorization Framework.
To authenticate users
- Your app/server must get the OAuth 2.0 token from a Microsoft Account (MSA), using the standard OAuth 2.0 flow.
- Don't store user credentials on the client or your servers.
- Request scopes wl.imap and wl.offline_access. For more info, see Scopes and permissions.
- MSA provides an access token and a refresh token to your app/server.
- The token endpoint on MSA that serves OAuth 2.0 tokens will be https://login.live.com/oauth20_token.srf.
- Your app/server passes the access token to our IMAP service in the AUTHENTICATE command.
We accept a base64-encoded string that contains:
- The user name.
- The authentication type Bearer for direct OAuth 2.0 requests.
- The access token granted by MSA.
user={user@domain.com}^Aauth=Bearer {Access Token}^A^A
where {user@domain.com} is the user's account, {Access Token} is the access token granted by MSA, and ^A are Ctrl-A characters (U+0001).
Here is an XOAuth2 authentication example:
```
[connection begins]
C: 000 CAPABILITY
S: * CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2
S: 000 OK CAPABILITY completed
C: 001 AUTHENTICATE XOAUTH2
S: +
C: {base64-encoded string}
S: * CAPABILITY IMAP4rev1
S: 001 OK OAuth authentication successful
[connection continues]
```
- When the access token expires, your app/server must request a new access token from MSA using the refresh token. Your app/server must use the access token for its full lifetime, before it uses the refresh token to renew the access token.
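An added example (not Microsoft's code) of building the AUTHENTICATE string described above in Python: it rejects control characters in either field so a value cannot inject extra Ctrl-A-separated fields, keeps the token out of log output, and authenticates over verified TLS with the standard library's imaplib. The sample account and token are constructed, and the function names (`xoauth2_raw`, `xoauth2_b64`, `redact`, `open_mailbox`) are this example's own.

```python
import base64
import imaplib
import ssl

IMAP_HOST = "imap-mail.outlook.com"  # from the settings table on this page
IMAP_PORT = 993


def xoauth2_raw(user: str, access_token: str) -> bytes:
    """Return the unencoded SASL XOAUTH2 client response."""
    for name, value in (("user", user), ("access_token", access_token)):
        # Ctrl-A separates fields; a control character inside a value would
        # let that value smuggle in extra fields, so refuse it outright.
        if not value or any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
            raise ValueError(f"{name} is empty or contains control characters")
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")


def xoauth2_b64(user: str, access_token: str) -> str:
    """Base64 form sent on the line after 'AUTHENTICATE XOAUTH2'."""
    return base64.b64encode(xoauth2_raw(user, access_token)).decode("ascii")


def redact(raw: bytes) -> str:
    """Log-safe rendering: show the field layout, never the bearer token."""
    text = raw.decode("utf-8").replace("\x01", "^A")
    head, sep, _ = text.partition("auth=Bearer ")
    return head + sep + "<redacted>^A^A"


def open_mailbox(user: str, access_token: str) -> imaplib.IMAP4_SSL:
    """Connect over verified TLS and authenticate with XOAUTH2."""
    ctx = ssl.create_default_context()  # certificate and hostname checks on
    conn = imaplib.IMAP4_SSL(IMAP_HOST, IMAP_PORT, ssl_context=ctx)
    # Confirm the server advertises the mechanism before sending a token.
    if "AUTH=XOAUTH2" not in conn.capabilities:
        conn.logout()
        raise RuntimeError("server does not advertise AUTH=XOAUTH2")
    # imaplib base64-encodes the callback's return value itself.
    conn.authenticate("XOAUTH2", lambda _challenge: xoauth2_raw(user, access_token))
    return conn


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    raw = xoauth2_raw("user@example.com", "EwAoA-constructed-token")
    print(redact(raw))
    print(xoauth2_b64("user@example.com", "EwAoA-constructed-token"))
```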
Accessing IMAP
To access IMAP, use these settings:
IMAP
| Setting | Value |
|---|---|
| Incoming IMAP mail server | imap-mail.outlook.com |
| Incoming IMAP mail server port | 993 |
| Encryption | SSL |
| User name | your Microsoft account |
| Password | your password |
SMTP
| Setting | Value |
|---|---|
| Outgoing SMTP mail server | smtp-mail.outlook.com |
| Outgoing SMTP mail server port | 587 |
| Encryption | TLS |