
I have just spent 4 hours trying to connect a user’s mobile phone to Outlook.com using IMAP. The first thing I should say is that this is the wrong solution. The only sensible client tool for Office 365 including Outlook.com is Outlook mobile. Outlook 2016 desktop does work but has issues with aliases.

However, this was a very old Android phone and I could not install the Outlook app, so IMAP was the natural choice. Every time I tried to connect I got “the server is not responding”. I think that there were two reasons for this:

  • Microsoft turns on two-step authentication for new users by default (even if the UI does not say it has)
  • The phone’s IMAP client cannot connect on non-standard ports

Two-Step Authentication 

Microsoft is doing everything it can to stop you having to type in your Account Password. This is the key to the kingdom, and every time it passes across the network or is entered into a computer there is a risk of it being stolen. To reduce the number of times this happens, Microsoft issues “security tokens” to devices to allow them to connect. For example, a Windows PC will prompt the user to create a PIN.

It can be seen that using your Account Password to authenticate your IMAP client hundreds of times a day is a bad idea. Instead, you follow the two-step authentication wizard to generate a token that you can use in place of the Account Password.

The wizard also requires you to set up a second channel that can be used to validate new authentication requests. This is typically Microsoft Authenticator installed on a mobile device.

Explicitly turning Two-Step authentication on and generating a token for use as a password in my IMAP client solved the first part of my problem.

Connecting with the IMAP client

Microsoft’s recommended settings are,


but these settings did not work for my client

  • I just clicked through accepting the IMAP application’s defaults and this worked.

It seems that Microsoft does support other ports and protocols for legacy clients but does not publish this.
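When a legacy client's defaults are accepted unseen, it is worth confirming whether the port and protocol it settled on protect the token in transit. The sketch below is an added example, not part of the original post or any Microsoft tooling: it classifies an IMAP server's advertised capabilities, using constructed sample lines and a hypothetical host name, with 143 and 993 as the standard IMAP ports.

```python
import imaplib
import re
import ssl

def parse_capabilities(line):
    """Extract capability tokens from a greeting or an untagged CAPABILITY reply."""
    m = re.search(r"\[CAPABILITY ([^\]]+)\]", line) or re.match(r"\* CAPABILITY (.+)", line)
    return m.group(1).upper().split() if m else []

def credential_exposure(caps, tls_active):
    """Say what happens to the token if the client sends it right now."""
    caps = {c.upper() for c in caps}
    if tls_active:
        return "encrypted"
    if "LOGINDISABLED" in caps:  # RFC 3501: LOGIN refused on a cleartext channel
        return "starttls-required" if "STARTTLS" in caps else "refused"
    return "starttls-available" if "STARTTLS" in caps else "cleartext"

def supports_modern_auth(caps):
    """True if the server advertises an OAuth 2.0 SASL mechanism."""
    return any(c.upper() in ("AUTH=XOAUTH2", "AUTH=OAUTHBEARER") for c in caps)

def probe(host, port, implicit_tls, timeout=10):
    """Connect WITHOUT logging in and report what the server offers (needs network)."""
    if implicit_tls:
        conn = imaplib.IMAP4_SSL(host, port, ssl_context=ssl.create_default_context(),
                                 timeout=timeout)
    else:
        conn = imaplib.IMAP4(host, port, timeout=timeout)
    try:
        caps = conn.capabilities
        return credential_exposure(caps, implicit_tls), supports_modern_auth(caps)
    finally:
        conn.logout()

# Constructed server lines for illustration (not captured from Outlook.com).
SAMPLES = [
    ("* OK [CAPABILITY IMAP4REV1 STARTTLS LOGINDISABLED] ready", False),
    ("* CAPABILITY IMAP4REV1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR", True),
    ("* CAPABILITY IMAP4REV1 AUTH=PLAIN", False),
]

if __name__ == "__main__":
    for line, tls in SAMPLES:
        caps = parse_capabilities(line)
        print(credential_exposure(caps, tls), supports_modern_auth(caps))
    # Live check against a hypothetical host: probe("imap.example.com", 993, True)
```

A result of "cleartext" or "starttls-available" on port 143 means the token is only protected if the client actually upgrades the connection before logging in.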


IMAP and POP are now dead for consumer applications. Where possible dedicated clients that support modern authentication should be used.