IMAP Library, Multifactor Authentication and Outlook Email

Hello, I want to use the IMAP library to read an authentication email code then paste it into a web application I am working on to automate the multifactor authentication process. I am having issues setting up the IMAP email/server. I am using an Outlook test account, and whenever I try it fails to connect to the server and I’m not sure what to do. Can you please offer advice? Thank you.

Hi Nina,

Firstly is your “outlook test account” using outlook.com or a corporate exchange server?

Either way usually email protocols like POP3, SMTP and IMAP are disabled by default as the outlook client doesn’t use them.

If you are using outlook.com, this might help: “POP, IMAP, and SMTP settings for Outlook.com”. I notice that it says:

IMAP encryption method TLS

Referring to Open Mailbox’s documentation there’s no mention of TLS, but there is this setting

is_secure: An indicator flag to connect to IMAP host securely or not. (Default True)

So I would start with enabling that and checking if IMAP is enabled on your mail server.

Hopefully that helps,

Dave.
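
An added example, not part of the original posts or of any library's documentation: reading the code over IMAP with TLS using Python's standard library, and rejecting stale messages so an older code is never reused. The host, credentials, the "authentication token:" body format and the sample message are assumptions constructed for illustration.

```python
import email
import imaplib
import re
import ssl
from datetime import datetime, timedelta, timezone
from email import policy

# Assumption: the mail body reads "... authentication token: <digits>".
CODE_RE = re.compile(r"authentication token:\s*(\d{4,8})", re.IGNORECASE)

# Constructed sample message (not real mail).
SAMPLE = (
    b"From: noreply@app.example\r\n"
    b"Subject: xyz authentication token\r\n"
    b"Date: Tue, 02 Jan 2024 10:00:00 +0000\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n\r\n"
    b"Your two factor authentication token: 482913\r\n"
)

def extract_code(raw, subject_hint, now, max_age=timedelta(minutes=5)):
    """Return the code from one raw message, or None if it does not qualify."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if subject_hint.lower() not in (msg["Subject"] or "").lower():
        return None
    sent = msg["Date"].datetime if msg["Date"] else None
    if sent is None or sent.tzinfo is None or now - sent > max_age:
        return None  # undated or stale: likely a code from an earlier login
    body = msg.get_body(preferencelist=("plain", "html"))
    match = CODE_RE.search(body.get_content()) if body else None
    return match.group(1) if match else None

def fetch_latest_code(host, user, password, subject_hint):
    """Scan INBOX newest-first over implicit TLS (port 993)."""
    # Explicit default context: server certificate and hostname are verified.
    ctx = ssl.create_default_context()
    with imaplib.IMAP4_SSL(host, 993, ssl_context=ctx) as imap:
        # Assumption: the server permits IMAP with username/password login.
        imap.login(user, password)
        imap.select("INBOX", readonly=True)  # do not flag messages as read
        _, data = imap.search(None, "SUBJECT", f'"{subject_hint}"')
        for num in reversed(data[0].split()):
            _, parts = imap.fetch(num, "(RFC822)")
            code = extract_code(parts[0][1], subject_hint,
                                datetime.now(timezone.utc))
            if code:
                return code
    return None
```

Keep the test mailbox credentials in the test runner's secret store rather than in the test suite itself.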

It is a corporate email if that’s what you’re asking, so I will have to check because it is probably disabled. Can you suggest any alternative options for automation in this case or is IMAP/POP the standard solution? We have a corporate web application that requires multifactor authentication, so after logging in, it sends a code to an email. I would like to automate the process of fetching the email and the code, but I can’t figure out what is the best method due to all the security measures in place. Any ideas please? Thank you.

Also do I have to use an IMAP outlook account or can I use a regular email but set up the server using the documentation you provided? Sorry this is my first time working with this so I am a bit lost.

Hi Nina,

I don’t know of any libraries that do MAPI or MAPI over HTTP, so IMAP is probably your best option for now. You will probably need to discuss with your exchange admin about what IMAP settings to use.

or can I use a regular email

Regular email being POP3 + SMTP? I’d be surprised if your exchange admins would enable that due to the security issues, that would probably be a harder path to travel down.

There is another option: if your exchange server has Outlook Web Services (OWS) or whatever it’s called these days, ask your exchange admins if you can access that email account through a web browser without using MFA to the email account. If that will work it shouldn’t be too hard to automate the same way as your main application. If you are using SeleniumLibrary or BrowserLibrary then open a second browser tab, log in to the email account, get the code, and switch back to the first tab and enter the code.

Usually the best option is to disable MFA for test automation accounts, at least you can have the MFA code sent to an email address which is a lot easier to deal with than the other MFA options. Before you spend too much effort automating the MFA (or in parallel) ask your test manager/security team if there is an actual requirement to test MFA or just the application?

  • The easiest option is just to remove MFA from the test environment,
  • The next best option is remove it for test automation accounts and only have it enabled for manual testing
  • The next best option after that is to only have MFA enabled for a few specific test automation users, that are only used for testing MFA specific test cases and all other test cases use test accounts with MFA disabled
  • The hardest option is to have MFA on all test accounts, as you’re discovering there is a time cost to this.

In most test environments I’ve worked in, they end up with one of the 2 easiest options because I usually work on short lived projects and they want to prioritise testing the actual application rather than testing the authentication to the application. At the end of the day it comes down to your project’s budget, release schedule and their priorities (let managers be managers and take responsibility for the decision on which way you should go).

Hope this helps,

Dave.


If I can now access using the browser, what is the best way to find the actual email and click on it if the actual email list doesn’t have the option to “inspect element”? When I click on an email, I can use inspect element to retrieve the verification code but I don’t know how to do the step before that which would be to find the email first and click on it. Can I use the IMAP library in browser mail if the email account isn’t configured to IMAP?

Hi Nina,

what is the best way to find the actual email and click on it if the actual email list doesn’t have the option to “inspect element”?

For most browsers you can open the dev tools with the F12 key, otherwise you can also find it in the browser menu, from the dev tools you can also inspect element (there’s always a way to inspect an element in a browser)

I checked my web outlook from work and was able to get the subject line with this xpath:

//div[@data-app-section="MessageList"]//div[@draggable="true"]/div/div[2]/div/div[2]//span[@title]

Not the nicest xpath but it would work. If you know the email subject, say the subject was “xyz authentication token”, then you could simplify it to

//div[@data-app-section="MessageList"]//span[@title and text()="xyz authentication token"]

or

//div[@data-app-section="MessageList"]//span[@title and contains(text(), "authentication token")]

Likewise I was able to get the message preview with this xpath:

//div[@data-app-section="MessageList"]//div[@draggable="true"]/div/div[2]/div/div[2]//span[not(@title)]

Again if you know the preview will contain something like “two factor authentication token: 12345”, then you might be able to simplify it to

//div[@data-app-section="MessageList"]//span[not(@title) and contains(text(), "authentication token:")]

If you can find the code in the message preview then there may be no need to actually click on the email, so that might save you a few steps.

Not sure if those xpaths will work for you, it will probably depend on the exchange server version.

Hope that helps,

Dave.
