Overview

Akeeba Ticket System needs to retrieve your emails from the mail server and process them for the Reply by Email and New Ticket by Email features to work. The standard way to do that is connecting to your mail server with either the IMAP or the POP3 protocol, using a username and a password for authenticating (logging into) the server. For most mail servers the username is your email address and the password is, well, the password you use to log in to your email account.

Starting in the mid-2010s, Google introduced Multi-factor Authentication (MFA) for its cloud-hosted email accounts (collectively called “Microsoft Exchange” in this documentation). Due to the higher security standard inherent to MFA it was no longer possible to use your password for IMAP / POP3 authentication. They introduced application-specific passwords.

Starting in October 2022, Microsoft completely discontinued standard IMAP and POP3 password authentication, whether with a regular password (for non-MFA accounts) or an application-specific password (for MFA accounts). Instead, they have migrated to an authentication method called XOAUTH2.

Instead of entering your email address and your password / application-specific password, you instead need to log in to the Microsoft account associated with your Microsoft 365 mail account in your browser. Microsoft will send back to your site two long pieces of text called tokens.

The Access Token is what is used for authenticating to IMAP / POP3. It is also set to expire frequently, approximately once every hour. The second token is called the Refresh Token and can be used to request a new Access Token when the current Access Token has expired.

What this oversimplified overview doesn't address is that tokens are not issued for your Microsoft user account in general. In other words, they are not like app-specific passwords, which were valid for any and all applications accessing your email. They are issued for your Microsoft user account to an OAuth2 API application registered with Microsoft – and only this application can ever use these tokens. This is meant to be a double assurance measure. On one hand, the user can revoke the API application's access to their Microsoft account whenever they see fit, without having to change their Microsoft account password and disturb every other connected application. On the other hand, Microsoft has tight control over who can ask Microsoft users for access to their email account.
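The token handling described above (a short-lived Access Token presented to IMAP/POP3 via XOAUTH2, a Refresh Token used to obtain a new one, both bound to the registered application), as an added Python example that is not Akeeba Ticket System's own code. The `refresh_fn` callback, the `TokenStore` class and the 60-second early-refresh margin are assumptions for illustration; the SASL XOAUTH2 string format is the one Microsoft 365 IMAP/POP3 expects.

```python
import imaplib
import time
from dataclasses import dataclass
from typing import Callable


def xoauth2_sasl_string(user: str, access_token: str) -> bytes:
    """SASL XOAUTH2 initial client response: user=<email>^Aauth=Bearer <token>^A^A (^A = 0x01).
    imaplib base64-encodes it for us when it is handed to authenticate()."""
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float  # unix time; Microsoft access tokens live about an hour


class TokenStore:
    """Hands out a usable access token, refreshing it shortly before it expires.

    refresh_fn is a hypothetical callback: it is expected to POST the refresh token
    (together with the registered application's client_id) to the provider's token
    endpoint and return (new_access_token, new_refresh_token_or_None, lifetime_seconds).
    If the user revoked the application's access it should raise; the site owner then
    has to re-authorise in the browser, so we let that propagate."""

    def __init__(self, tokens: TokenSet, refresh_fn: Callable,
                 clock: Callable[[], float] = time.time, skew: float = 60.0) -> None:
        self._tokens, self._refresh_fn, self._clock, self._skew = tokens, refresh_fn, clock, skew
        self.refreshes = 0  # how often the refresh token had to be used

    def access_token(self) -> str:
        # Refresh `skew` seconds early so the token cannot expire mid-session.
        if self._clock() >= self._tokens.expires_at - self._skew:
            access, refresh, lifetime = self._refresh_fn(self._tokens.refresh_token)
            # Providers may rotate the refresh token; keep the old one if they do not.
            self._tokens = TokenSet(access, refresh or self._tokens.refresh_token,
                                    self._clock() + lifetime)
            self.refreshes += 1
        return self._tokens.access_token


def imap_connect_xoauth2(host: str, user: str, store: TokenStore) -> imaplib.IMAP4_SSL:
    """Open an IMAP-over-TLS session authenticated with XOAUTH2 instead of a password."""
    conn = imaplib.IMAP4_SSL(host)
    # The server's first challenge is empty; we answer with the SASL string.
    conn.authenticate("XOAUTH2", lambda _challenge: xoauth2_sasl_string(user, store.access_token()))
    return conn
```

Because the access token is only valid for the application that obtained it, a leaked refresh token is useless without that application's registered client credentials, and the user can cut it off by revoking the application's consent.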