Connect to IMAP using OAuth 2.0

The Live Connect APIs are deprecated. We recommend that you use the Outlook REST APIs to build your solutions. This will extend your reach to users and Office 365 enterprise customers. Although the Live Connect APIs will be supported in for the short term, existing Live Connect API solutions might stop working without advance notice. If your app is using IMAP with OAuth 2.0, it will continue to work, but our REST APIs are the primary APIs for building apps that connect to and Office 365. Read the article on how you can take advantage of the Outlook REST APIs.

Authenticate users with IMAP (OIMAP) and OAuth 2.0.

IMAP commands

You can use the following IMAP commands. For more information about these commands, see IMAP version 4 revision 1, as defined by RFC 3501.

APPEND: Appends the literal argument as a new message to the end of the specified destination mailbox.
AUTHENTICATE: Indicates a Simple Authentication and Security Layer (SASL) authentication mechanism to the server.
CAPABILITY: Requests a listing of capabilities that the server supports.
CHECK: Requests a checkpoint of the currently selected mailbox.
CLOSE: Permanently removes all messages that have the \Deleted flag set from the currently selected mailbox, and returns to the authenticated state from the selected state.
COPY/UID COPY: Copies the specified message(s) to the end of the specified destination mailbox.
CREATE: Creates a mailbox with the given name.
DELETE: Permanently removes the mailbox with the given name.
EXAMINE: Identical to SELECT and returns the same output; however, the selected mailbox is identified as read-only.
EXPUNGE: Permanently removes all messages that have the \Deleted flag set from the currently selected mailbox.
FETCH/UID FETCH: Retrieves data associated with a message in the mailbox.
UID: Unique identifier.
LIST: Returns a subset of names from the complete set of all names available to the client.
LOGIN: Identifies the client to the server and carries the plaintext password authenticating this user.
LOGOUT: Informs the server that the client is done with the connection.
LSUB: Returns a subset of names from the set of names that the user has declared as being "active" or "subscribed".
NOOP: Does nothing. It always succeeds.
RENAME: Changes the name of a mailbox.
SEARCH: Searches the mailbox for messages that match the given searching criteria.
SELECT: Selects a mailbox so that messages in the mailbox can be accessed.
STORE: Alters data associated with a message in the mailbox.
SUBSCRIBE: Adds the specified mailbox name to the server's set of "active" or "subscribed" mailboxes as returned by the LSUB command.
UNSUBSCRIBE: Removes the specified mailbox name from the server's set of "active" or "subscribed" mailboxes as returned by the LSUB command.


Note: The IDLE extension is not supported.

Authentication guidelines using OAuth 2.0

When using OAuth 2.0 to authorize users, follow these guidelines. For more info about OAuth 2.0, see The OAuth 2.0 Authorization Protocol and The OAuth 2.0 Authorization Framework.

To authenticate users

  1. Your app/server must get the OAuth 2.0 token from a Microsoft Account (MSA), using the standard OAuth 2.0 flow.
    • Don't store user credentials on the client or your servers.
    • Request scopes wl.imap and wl.offline_access. For more info, see Scopes and permissions.
  2. MSA provides an access token and a refresh token to your app/server.
    • The token endpoint on MSA that serves OAuth 2.0 tokens will be
  3. Your app/server passes the access token to our IMAP service in the AUTHENTICATE command. We accept a base64-encoded string that contains:
    • The user name.
    • The authentication type Bearer for direct OAuth 2.0 requests.
    • The access token granted by MSA.
    For example, your app/server would base64-encode this string:

    user={}^Aauth=Bearer {Access Token}^A^A

    where {} is the user's account, {Access Token} is the access token granted by MSA, and ^A are Ctrl-A characters (U+0001).

    Here is an XOAuth2 authentication example:

    [connection begins]
    S: 000 OK CAPABILITY completed
    S: + 
    C: {base64-encoded string}
    S: 001 OK OAuth authentication successful
    [connection continues]
  4. When the access token expires, your app/server must request a new access token from MSA using the refresh token. Your app/server must use the access token for its full lifetime, before it uses the refresh token to renew the access token.
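
The string from step 3 can be built and checked as in the following sketch, which is an added example and not code from the original documentation. The account name and token are constructed sample values, the mechanism name XOAUTH2 is taken from the example label above, and `conn` is assumed to be an already-connected `imaplib.IMAP4_SSL` object (the server name is not given on this page).

```python
import base64
import imaplib

CTRL_A = "\x01"  # field separator (U+0001) required by the format in step 3


def build_sasl_string(user: str, access_token: str) -> bytes:
    """Return the raw (not yet base64-encoded) string: user=..^Aauth=Bearer ..^A^A"""
    for name, value in (("user", user), ("access_token", access_token)):
        # A control character inside either field would end the field early
        # and let the remainder be parsed as a separate key=value pair.
        if not value or any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
            raise ValueError(f"{name} is empty or contains control characters")
    return f"user={user}{CTRL_A}auth=Bearer {access_token}{CTRL_A}{CTRL_A}".encode("utf-8")


def encode_for_wire(user: str, access_token: str) -> str:
    """Base64 form that a client sends after the server's '+' continuation."""
    return base64.b64encode(build_sasl_string(user, access_token)).decode("ascii")


def parse_sasl_string(b64: str) -> dict:
    """Decode a wire string back into its fields (for tests and debugging)."""
    raw = base64.b64decode(b64, validate=True).decode("utf-8")
    if not raw.endswith(CTRL_A * 2):
        raise ValueError("missing ^A^A terminator")
    fields = dict(part.split("=", 1) for part in raw[:-2].split(CTRL_A))
    scheme, _, token = fields.get("auth", "").partition(" ")
    return {"user": fields.get("user"), "scheme": scheme, "token": token}


def redact(b64: str) -> str:
    """Log-safe summary: the wire string is a bearer credential, so never log it."""
    f = parse_sasl_string(b64)
    return f"user={f['user']} auth={f['scheme']} <token:{len(f['token'])} chars>"


def authenticate(conn: imaplib.IMAP4_SSL, user: str, access_token: str):
    # imaplib base64-encodes the callback's return value itself, so pass raw bytes.
    return conn.authenticate("XOAUTH2", lambda _challenge: build_sasl_string(user, access_token))
```

Base64 is an encoding, not encryption: anyone who captures the wire string can recover the access token, so treat it like the token itself in logs and traces.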

Accessing IMAP

To access IMAP, use these settings:


Incoming IMAP mail
Incoming IMAP mail server port: 993
User name: your Microsoft account
Password: your password



Outgoing SMTP mail
Outgoing SMTP mail server port: 587


Related topics

Scopes and permissions
OAuth 2.0