Share via

IMAPS fails with A3 BAD User is authenticated but not connected

Camille Blondiaux 0 Reputation points
2026-03-23T07:43:40.66+00:00

I historically retrieve attachement from mail in a Microsoft mailbox using IMAPS protocol with XOAUTH2 authentication in a small Java main (using MSAL4J and jakarta.mail).

It worked until now, but the latest created mailbox extraction is failing:

  • get auth token at login.microsoftonline for outlook.office365.com/.default works
  • get email session works
  • connect and getFolder("INBOX") works too
  • open folder stage fails with this error A3 BAD:
// ...
var properties = new Properties();
properties.setProperty("mail.imaps.ssl.enable", "true");
properties.setProperty("mail.imaps.sasl.enable", "true");
properties.setProperty("mail.imaps.sasl.mechanisms", "XOAUTH2");
properties.setProperty("mail.imaps.auth.mechanisms", "XOAUTH2");
properties.setProperty("mail.imaps.auth.plain.disable", "true");
properties.setProperty("mail.imaps.auth.login.disable", "true");

// ...

emailFolder.open(Folder.READ_WRITE);

// Fails

Exception in thread "main" com.openairlines.extractors.common.exception.ExtractorRunException: Error while extracting messages
	at com.openairlines.extractors.mail.MailWithAttachmentExtractorService.extractData(MailWithAttachmentExtractorService.java:97)
	at com.openairlines.extractors.mail.MailBatchRunner.main(MailBatchRunner.java:24)
Caused by: jakarta.mail.MessagingException: A3 BAD User is authenticated but not connected.;
  nested exception is:
	org.eclipse.angus.mail.iap.BadCommandException: A3 BAD User is authenticated but not connected.
	at org.eclipse.angus.mail.imap.IMAPFolder.logoutAndThrow(IMAPFolder.java:1190)

Existing resources gives some hints but I still don't find any solution.

On key difference between old mails and the new one is that old ones have an application password, which I can't set to the new address due to restriction. That being said, this application password is never used. Any clue appreciated.

Exchange Online
Exchange Online

A cloud-based service included in Microsoft 365, delivering scalable messaging and collaboration features with simplified management and automatic updates.

0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Michelle-N 13,740 Reputation points Microsoft External Staff Moderator
    2026-03-23T14:49:33.0266667+00:00

    Hi @Camille Blondiaux

    Based on the details provided, I understand that your Java application using MSAL4J and Jakarta Mail is failing to open the "INBOX" folder for a newly created mailbox, specifically throwing the exception: "A3 BAD User is authenticated but not connected." This behavior occurs despite successful token retrieval and folder connection, while your older mailboxes continue to function normally.

    This behavior can sometimes occur under certain conditions where the XOAUTH2 authentication is successful, but the IMAP server cannot attach the session to a valid mailbox or allow mailbox operations immediately following authentication.

    In many scenarios, older mailboxes function normally because IMAP was historically enabled at a time when application passwords were still permitted. However, mailboxes created under modern security defaults or updated tenant policies often have the IMAP protocol disabled by default. The restriction you observed regarding application passwords is a related symptom, indicating that the tenant has likely restricted legacy authentication protocols.

    Let's walk through several checks to ensure the mailbox is properly provisioned and accessible:

    Confirm that the new mailbox has been fully provisioned in Exchange Online and has a valid license assigned. In some scenarios, a mailbox that is not fully initialized may allow authentication but fail to connect to the underlying folder structure.

    We need to ensure that IMAP is explicitly enabled for the new account and is not being blocked by a policy. Even if you can connect and retrieve the folder object, the server will drop the session during the open stage if the protocol is restricted. Please verify the following:

    • IMAP is enabled at the Tenant level.
    • IMAP is enabled at the individual Mailbox level in the Exchange Admin Center.

    Review your environment for any Conditional Access or Authentication Policies that might be blocking "legacy protocols." Even when using modern OAuth, certain security configurations may still restrict the IMAP protocol itself.

    Confirm that MSAL4J is requesting the token with the correct resource and scopes. For a delegated user token, it is recommended to request scopes specifically for the Outlook/Exchange resources such as IMAP.AccessAsUser.All, SMTP.Send với Outlook/Exchange resource.

    As a moderator, I don’t have access to your exact environment or system configuration, so I can only provide general guidance based on documented behavior. Given the nature of this issue, and the fact that it varies by system setup, you may benefit from posting the question on GitHub or a development‑focused forum where engineers who work directly with Access Runtime and version‑compatibility scenarios can offer more targeted help.

    Thank you for your understanding.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".     

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.