How to Configure Office 365 / Outlook OAuth 2.0 with Unattended (App-Only) Access for FolderMill Email Automation

This is a step-by-step guide to setting up Office 365 OAuth 2.0 authentication for FolderMill Email Settings. Learn how to register an Azure app, configure permissions, and grant FolderMill app-only access to your mailbox without usernames or passwords.

Step 1: Register the Application in Microsoft Azure

  1. Log in to the Azure Portal.
  2. In the left-hand menu or in the search bar, select App registrations.
  3. Click the + New registration button at the top.

Enter a new name for FolderMill access that you'll easily distinguish. For example, FolderMill-Unattended-Access.

  • Supported account types: Select "Accounts in this organizational directory only (Single tenant)".
  • Redirect URI: Leave this blank (it is not needed for unattended app-only flow).
  • Click Register.



Step 2: Gather Required IDs

Gather the following four values; you will need them to configure FolderMill access.

  1. Application (Client) ID. This is your Client ID: <YOUR_CLIENT_ID>
  2. Directory (Tenant) ID. This is your Tenant ID: <YOUR_TENANT_ID>
  3. Client Secret Value
  4. Enterprise Application Object ID: <YOUR_ENT_APP_OBJECT_ID>

Copy Client and Tenant ID

Once registered, you will be taken to the Overview page of your new app. Copy the Client ID and Tenant ID from here and save them somewhere. 

Create a Client Secret

This serves as the "password" for your application.

  1. In the left menu, click Certificates & secrets.
  2. Click + New client secret.
  3. Description: Enter FolderMillSecret.
  4. Expires: Choose a duration (e.g., 24 months).
  5. Click Add.

A Client Secret Value will appear in the list. Copy this Value to clipboard immediately and save it somewhere.

This is your Client Secret. You may never be able to see it again after you leave this page. Do NOT copy the "Secret ID"; copy the "Value".

Get the Enterprise Application Object ID 

To register the Service Principal (see Step 4), you will also need the Enterprise Application Object ID (<YOUR_ENT_APP_OBJECT_ID>).

To get it, follow these steps:

  1. On your registered application page, navigate to the Overview tab and click the FolderMill-Unattended-Access link (under Managed application in local directory).
  2. On the page that opens, copy the Object ID value and save it somewhere.

The Object ID on the Overview tab is NOT the one we're looking for.

This is different from the Object ID in App Registrations on the main App registration Overview. You must use the Enterprise App Object ID instead.


Step 3: Configure API Permissions

Configuring API permissions defines what the application is allowed to do.

  1. In the left menu, click API permissions.
  2. Click + Add a permission.
  3. Switch to the tab APIs my organization uses. Search for and select Office 365 Exchange Online.
  4. Select Application permissions (NOT Delegated permissions).
  5. Expand the lists and check the following:
    • IMAP → IMAP.AccessAsApp
    • POP → POP.AccessAsApp (Only if you plan to use POP3)
  6. Click Add permissions.

Next, grant Admin Consent for Office 365 Exchange Online:

You will see a warning stating "Not granted for [Your Organization]".

  • Click the button Grant admin consent for [Your Organization].
  • Click Yes to confirm.
  • The status column should now show a green checkmark saying "Granted for..."

Optionally, you can remove the delegated Microsoft Graph User.Read permission, which is not needed for an app-only application. To do so, click the context menu on the right side of the permission and select Remove permission.


Step 4: Register Service Principal in Exchange (PowerShell)

Unlike other Microsoft APIs, simply granting permission in the portal is not enough for IMAP/POP3. You must manually register the Service Principal in Exchange Online.

  1. Run PowerShell on your computer as Administrator. Install the Exchange Online module (if not already installed):

    Install-Module -Name ExchangeOnlineManagement

  2. Connect to your Exchange Online tenant:

    Import-Module ExchangeOnlineManagement

    Connect-ExchangeOnline -Organization <YOUR_TENANT_ID>

  3. Replace <YOUR_TENANT_ID> with the Tenant ID you saved in Step 2. Log in with your Admin credentials when prompted.
  4. Register the Service Principal. Run this command:

    New-ServicePrincipal -AppId <YOUR_CLIENT_ID> -ServiceId <YOUR_ENT_APP_OBJECT_ID> -DisplayName "FolderMill Service Principal"

Quick reminder

To find the Application (Client) ID:
Copy the Client ID from the Overview page of your newly registered app. See Step 2.
To find the Enterprise Application Object ID:
Go back to your App in Azure Portal → Overview → Managed application in local directory → copy the Enterprise Application Object ID.

  5. Grant Access to the specific mailbox. This allows the app to access the specific email account you want FolderMill to use.

    Add-MailboxPermission -Identity "email@yourdomain.com" -User <YOUR_ENT_APP_OBJECT_ID> -AccessRights FullAccess

(Replace email@yourdomain.com with the actual email address FolderMill will check).


Step 5: Configure FolderMill

Now you have all the data required for OAuth 2.0 authentication in order to use FolderMill's Send to Email Action or set up Email as Source.

  1. Open FolderMill Control Panel.
  2. Navigate to the Hot Folder Settings → Source: Email → Configure… or Send to Email Action, depending on where you are configuring the email connection.
  3. Select Authentication Method: Choose OAuth 2.0 (OAuth20). Enter values for Client ID, Client Secret Value, and Tenant ID using the data gathered.

  FolderMill field   Value to enter                              Source
  Client ID          Application (Client) ID <YOUR_CLIENT_ID>    From App Registration Overview
  Tenant ID          Directory (Tenant) ID <YOUR_TENANT_ID>      From App Registration Overview
  Client Secret      Client Secret Value                         From Certificates & Secrets → Value

  4. Test the connection. It should now connect successfully without asking for login credentials.
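
If the connection test fails, it helps to check the token separately from FolderMill. The following is an added example, not FolderMill or Microsoft code: it requests an app-only token with the client credentials grant and compares the token's roles claim with the permissions from Step 3. The function names are hypothetical; the token endpoint and the https://outlook.office365.com/.default scope are the standard Microsoft identity platform values for Exchange Online, not values taken from this guide.

```powershell
# Added example; function names are hypothetical, not FolderMill or Microsoft code.
# Decodes the JWT payload for inspection only. It does NOT verify the signature.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a JWT: expected three dot-separated parts.' }
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')               # base64url -> base64
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }  # restore padding
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

# Compare the token's roles claim with what Step 3 was meant to grant.
function Test-MailAppRoles {
    param([Parameter(Mandatory)][string]$Token,
          [string[]]$Expected = @('IMAP.AccessAsApp'))
    $claims = ConvertFrom-JwtPayload -Token $Token
    $roles  = @($claims.roles | Where-Object { $_ })   # absent claim -> empty list
    [pscustomobject]@{
        Audience   = $claims.aud
        Roles      = $roles
        Missing    = @($Expected | Where-Object { $roles -notcontains $_ })
        Unexpected = @($roles | Where-Object { $Expected -notcontains $_ })
        ExpiresUtc = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
    }
}

# Client credentials grant: no user, no redirect URI, only the Step 2 values.
function Get-AppOnlyToken {
    param([string]$TenantId, [string]$ClientId, [securestring]$ClientSecret)
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = [Net.NetworkCredential]::new('', $ClientSecret).Password
        scope         = 'https://outlook.office365.com/.default'
    }
    $uri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    (Invoke-RestMethod -Method Post -Uri $uri -Body $body).access_token
}

# Offline run on a constructed, unsigned sample token (not a real credential).
# The sample carries POP.AccessAsApp in addition to the expected IMAP role.
$payload = '{"aud":"https://outlook.office365.com","roles":["IMAP.AccessAsApp","POP.AccessAsApp"],"exp":1893456000}'
$seg = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($payload)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
Test-MailAppRoles -Token (('e30', $seg, 'sig') -join '.')

# Against the real tenant, with the values gathered in Step 2:
# $secret = Read-Host -AsSecureString -Prompt 'Client Secret Value'
# Test-MailAppRoles -Token (Get-AppOnlyToken '<YOUR_TENANT_ID>' '<YOUR_CLIENT_ID>' $secret)
```

A non-empty Missing list usually means admin consent from Step 3 has not been granted; a non-empty Unexpected list means the app holds application permissions beyond those this guide asks for.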

Note: OAuth 2.0 authentication does not require entering a username or password.
For Email as Source, use:

For Send to Email Action, use: