How to authenticate Extended (Outlook) MAPI application with MSAL ?

[nourelain44]

I have an Extended MAPI application running as a Windows Service that connects to O365 mailboxes.
This application uses a pre-configured Outlook profile to log on to a mailbox.

The application runs fine until the tokens acquired by Outlook expire.
Since it runs as a service, there is no human that can run Outlook manually to refresh the tokens.

Now I have to modify this application to either acquire / refresh the Outlook tokens myself or to get / refresh tokens that enable my application to login to the mailbox using the Extended Outlook MAPI libraries.

How would I use MSAL to authenticate my application and refresh the token automatically before it expires?

I see samples on how to use MSAL to authenticate to make Graph calls, but I cannot understand how the acquired tokens would be used by my application / passed-on to the Outlook (Extended MAPI) libraries, as this is not Graph.

Since Outlook itself uses Extended MAPI as well, I wonder how it's done in Outlook?

I am completely new to MSAL and hope anyone can point me into the right direction or describe what needs to be done.

Thanks.

[bgavrilMS]

Well MSAL is a general purpose SDK, it is used to get tokens. It will handle token refreshes for you in a variatey of scenarios.

How does your application get the first set of tokens from Outlook? Can't you ask Outlook for for a new token? That's probably the best path fowrard - don't do AuthN on your side.

Apps that run as Windows services are tricky. They need to run without user intervention, but modern auth always requires user intervention if you need a token for a user (a human). Even if 99% of time you can get tokens silently, there is always a case where user interaction is required - for example when the user changes passowrd, or when the admin forces MFA.

Only service principal authentication is silent. This is more common for service talking to another service. Service Principals are represented by a secret or a certificate with private keys, so they don't work on user devices, only on server backends.

[nourelain44]

Thank you for your reply.

The problem is that my application is not getting tokens from Outlook, so I also don't know how to reference them, know when they expire, or renew them with MSAL. There are no (documented) Outlook MAPI API calls that handle with tokens that Outlook stores.

When using the Outlook MAPI to access mailboxes, the Outlook MAPI libraries handled the refresh of the tokens automatically, up until Version 2403, Build 17425.20146 of Outlook. All later builds of Outlook let the tokens expire and then the MAPI application won't work anymore until you create a new Outlook profile, run Outlook with that profile, and then let the MAPI application use the new Outlook profile.

If you manually open Outlook interactively once a day, Outlook renews the tokens and the MAPI application continues to run. But this is of course not possible for my application that runs as a service.

I had a case open with the Outlook team (#2405281420000873) and they promised to ask the Outlook developer team to get more information on this, but they never got back to me and when I contacted them 3 weeks later like we agreed upon when they temporarily closed the case, all of my emails were ignored.

[nourelain44]

I have also written article

https://learn.microsoft.com/en-us/answers/questions/2142701/how-to-automatically-renew-oauth-token-for-extende

to ask the Outlook development team and to suggest that the workaround described in

https://learn.microsoft.com/en-us/outlook/troubleshoot/authentication/expose-permissions-issue-with-mapi-oauth-tokens?source=docs

does not work, or only works until the tokens expire.

[ashok672]

You will have to follow up with outlook MAPI team. MSAL.NET team can't help here. MSAL.NET PCA is only for scenarios where a human can interact to resolve any interrupts.

[nourelain44]

How can I contact them? They don't reply to the mentioned posts I made.

…

________________________________ From: Ashok Kumar Ramakrishnan ***@***.***> Sent: Friday, February 14, 2025 3:14:07 AM To: AzureAD/microsoft-authentication-library-for-dotnet ***@***.***> Cc: Adrian Drollinger ***@***.***>; Author ***@***.***> Subject: Re: [AzureAD/microsoft-authentication-library-for-dotnet] How to authenticate Extended (Outlook) MAPI application with MSAL ? (Issue #5100) You will have to follow up with outlook MAPI team. MSAL.NET team can't help here. MSAL.NET PCA is only for scenarios where a human can interact to resolve any interrupts. — Reply to this email directly, view it on GitHub<#5100 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BOZA7RYC74LCWV2SHB7DQUT2PVGO7AVCNFSM6AAAAABVXYOMR6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMNJYGEYDMOBSGU>. You are receiving this because you authored the thread.Message ID: ***@***.***> [ashok672]ashok672 left a comment (AzureAD/microsoft-authentication-library-for-dotnet#5100)<#5100 (comment)> You will have to follow up with outlook MAPI team. MSAL.NET team can't help here. MSAL.NET PCA is only for scenarios where a human can interact to resolve any interrupts. — Reply to this email directly, view it on GitHub<#5100 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BOZA7RYC74LCWV2SHB7DQUT2PVGO7AVCNFSM6AAAAABVXYOMR6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMNJYGEYDMOBSGU>. You are receiving this because you authored the thread.Message ID: ***@***.***>