Microsoft 365 ROPCG client setup guide

The Resource Owner Password Credentials Grant (ROPCG) is an OAuth flow that allows applications to obtain an access token directly by using the account owner’s username and password. This non-interactive flow is typically used in scenarios where the application is highly trusted, such as in first-party applications or legacy systems. It can also be useful for large-scale semi-transparent migrations to OAuth without disrupting users.

This feature requires a subscription to Auth-Email’s Pro plan.

Getting started

💡   Setting up the Resource Owner Password Credentials Grant is largely the same as setting up the Client Credentials Grant. If you have an existing application registration for the Client Credentials Grant, you can reuse it here. If not, follow our Client Credentials Grant setup guide, making sure to include the optional “Redirect URI” when creating your application registration.

After creating your Entra application, granting permissions, and configuring a Service Principal, use the following settings when linking your application registration to a custom Auth-Email client.

  1. In the “Custom OAuth clients” section of your Auth-Email Account settings page, select “Add client”.
  2. Give the client a name (for example, {Your organization name} Resource Owner Password Credentials Grant), and select Microsoft as the service provider.
  3. Select the Resource owner password credentials option in the “OAuth flow / grant” dropdown box.
  4. Leave the “Token URL” and “OAuth scope” fields at their default values.
  5. Enter the “Application (client) ID” of your Entra application into the “Client ID” field.
    • 💡  If needed, find this value by visiting the Microsoft Entra admin center, then selecting the “App registrations” section from the left-hand menu. Choose your application from the “All applications” list. The value you need is shown on the “Overview” page.
  6. Paste your application’s secret into the “Client secret” field.
    • 💡  This value was displayed when originally creating a client secret for your Entra application. It is not possible to retrieve the value from an existing secret, so if you do not have a copy saved, you must create a new secret from the “Certificates & secrets” section of your application registration. See the Client Credentials Grant setup guide for further guidance about this step.
  7. Click “Add client” to create the custom OAuth client.

Once your application registration has been linked in this way, you can select your custom client from the list at the bottom of the Auth-Email account authorization page. Because this flow uses the account owner’s credentials directly, there is no need to set a password, and authorization is completed immediately.

Your account is now available to be used over IMAP, POP or SMTP using its address and account password. See the configuration step of our getting started guide for help setting up your email client if needed.

💡   Make sure you have granted your Entra / Azure application permission to access an account before trying to use it via Auth-Email. You can run the Add-MailboxPermission command shown in our Client Credentials Grant setup guide to add new accounts anytime.

Troubleshooting

Depending on your organization’s Conditional Access security policies, MFA policies, and security defaults, users may need to sign in at least once using an interactive OAuth flow before you can use the Resource Owner Password Credentials Grant.

If this is the case, and it is not possible or desirable to amend your organization’s security policies, create a new custom client from your Auth-Email Account settings page, but this time select the Authorization code option in the “OAuth flow / grant” dropdown box. Leave all of the fields at their default values, then enter your application’s “Client ID” and “Client secret” as before. Finally, for “Redirect URI”, choose the option to use an Auth-Email redirect, then click “Add client”.

Once your custom Authorization Code client is created, select it when authorizing your account with Auth-Email, and complete the authorization process. After this, reset the account’s authorization from the Auth-Email dashboard, and switch the account to use the Resource Owner Password Credentials Grant custom client you created earlier. This original client should now work as expected.
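The following is an added example, not code from this guide or from Auth-Email, showing what the Resource Owner Password Credentials Grant described at the top of this page looks like at the token endpoint, and how the failures described in this Troubleshooting section appear in the endpoint’s response. Auth-Email performs this exchange for you; the example exists so that an administrator can recognise a Conditional Access or MFA block from the `AADSTS` code returned. Assumptions not stated on this page: the Microsoft identity platform v2.0 token URL, the IMAP/POP/SMTP delegated scope names, and the meaning assigned to each `AADSTS` code (drawn from Microsoft’s public error reference; verify against it). Tenant, client, account and token values are constructed placeholders, and the two sample responses are constructed, so the module runs offline; `request_token` is provided but never called here.

```python
"""Added example: the ROPC token request to Microsoft Entra, and a classifier for
the error responses that mean "an interactive sign-in is required first".
Endpoint URL, scope names and AADSTS code meanings are assumptions taken from
Microsoft's public documentation, not from the Auth-Email guide.
"""
import json
import re
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Assumed v2.0 token endpoint; {tenant} is the tenant ID or verified domain.
TOKEN_URL_TEMPLATE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
# Assumed delegated scopes for mailbox protocols; offline_access adds a refresh token.
DEFAULT_SCOPE = ("https://outlook.office.com/IMAP.AccessAsUser.All "
                 "https://outlook.office.com/POP.AccessAsUser.All "
                 "https://outlook.office.com/SMTP.Send offline_access")

def build_ropc_request(tenant, client_id, client_secret, username, password,
                       scope=DEFAULT_SCOPE):
    """Return (url, form_body) for a grant_type=password token request.

    The body carries the account owner's own credentials plus the confidential
    client's secret, which is why the guide treats this flow as highly trusted.
    """
    url = TOKEN_URL_TEMPLATE.format(tenant=tenant)
    body = {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
        "username": username,
        "password": password,
    }
    return url, body

def request_token(url, body, timeout=30):
    """POST the form body; return (http_status, parsed JSON) for 200 and 4xx alike."""
    req = Request(url, data=urlencode(body).encode(), method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, json.load(resp)
    except HTTPError as err:  # Entra returns the error document in the 4xx body
        return err.code, json.loads(err.read().decode() or "{}")

# Assumed AADSTS meanings. These codes match the Troubleshooting situation:
# policy demands something ROPC cannot do, so one interactive sign-in is needed.
INTERACTIVE_SIGNIN_CODES = {
    50076: "multi-factor authentication required by policy",
    50079: "user must enrol in multi-factor authentication",
    50158: "external security challenge (Conditional Access) not satisfied",
    53003: "blocked by Conditional Access policy",
    65001: "consent to the application has not been granted",
}
# Assumed meanings for registration or credential mistakes from the setup steps.
CONFIG_ERROR_CODES = {
    50126: "invalid username or password",
    700016: "application (client) ID not found in this tenant",
    7000218: "client_secret missing: registration is not a confidential client",
}
_AADSTS = re.compile(r"AADSTS(\d+)")

def diagnose(status, payload):
    """Map a token-endpoint response to (category, explanation).

    Reads the numeric error_codes list and falls back to the AADSTS prefix in
    error_description, since not every response carries both.
    """
    if status == 200 and "access_token" in payload:
        return "ok", "access token issued; the ROPC client works for this account"
    codes = list(payload.get("error_codes") or [])
    match = _AADSTS.search(payload.get("error_description", ""))
    if match:
        codes.append(int(match.group(1)))
    for code in codes:
        if code in INTERACTIVE_SIGNIN_CODES:
            return ("needs_interactive_signin",
                    f"AADSTS{code}: {INTERACTIVE_SIGNIN_CODES[code]}; authorize once "
                    "with an Authorization Code client, then switch back to ROPC")
        if code in CONFIG_ERROR_CODES:
            return "config_error", f"AADSTS{code}: {CONFIG_ERROR_CODES[code]}"
    return "unknown", payload.get("error", f"HTTP {status}")

# Constructed sample responses (values are placeholders, not real tokens or IDs).
SAMPLE_MFA_BLOCKED = (400, {
    "error": "interaction_required",
    "error_description": "AADSTS50076: Due to a configuration change made by your "
                         "administrator, you must use multi-factor authentication.",
    "error_codes": [50076],
    "trace_id": "00000000-0000-0000-0000-000000000000",
})
SAMPLE_CA_BLOCKED_NO_LIST = (400, {  # error_codes absent: exercises the regex fallback
    "error": "invalid_grant",
    "error_description": "AADSTS53003: Access has been blocked by Conditional Access policies.",
})
SAMPLE_OK = (200, {"token_type": "Bearer", "expires_in": 3599,
                   "access_token": "CONSTRUCTED-ACCESS-TOKEN",
                   "refresh_token": "CONSTRUCTED-REFRESH-TOKEN"})

if __name__ == "__main__":
    url, body = build_ropc_request("contoso.example", "client-id-placeholder",
                                   "client-secret-placeholder", "user@contoso.example",
                                   "account-password-placeholder")
    print(url, sorted(body))
    for sample in (SAMPLE_MFA_BLOCKED, SAMPLE_CA_BLOCKED_NO_LIST, SAMPLE_OK):
        print(diagnose(*sample))
```

When a response lands in the `needs_interactive_signin` category, the remedy is exactly the procedure above: authorize the account once with the Authorization Code custom client, reset the authorization, then switch the account back to the ROPC client. A `config_error` points back to the registration steps (client ID, client secret, mailbox permission) rather than to the organization's security policies.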