Exchange Online MFA for IMAP & SMTP

[MrGeneration]

Infos:

• Used Zammad version: 3.3 - 3.5
• Installation method (source, package, ..): any
• Operating system: any
• Database + version: any
• Elasticsearch version: any
• Browser + version: any
• Ticket-ID: #1069103, #1077689

Note: Step by Step transition, user affection may vary

There are three situations where you'll need oAuth based authentication (MFA) - I'll provide the time period as far as applicable as well:

applies starting with	scope
right now (Time.now)	All existing tenants can choose to deactivate legacy authentication on their on. No force by Microsoft though.
01st October 2020	All new tenants and tenants that didn't use legacy authentication in the past will be automatically disabled. No rollback
2nd half 2021	All remaining tenants will no longer support legacy authentication

Desired behavior:

An Channel Exchange Online or Microsoft 365 that behaves similar to the Google channel (just with Microsofts online solutions). Also a "migrate now" possibility would be amazing.

Actual behavior:

Currently you can't use Exchange Online Mailboxes that have MFA activated.

Further input:

Microsoft recently sent this mails to active tenants:

In response to the unprecedented situation we are in and knowing that priorities have changed for many of our customers we have decided to postpone retiring Basic Authentication in Exchange Online (MC204828) for those tenants still actively using it until the second half of 2021. We will provide a more precise date when we have a better understanding of the impact of the situation.

[How does this affect me?]

We will continue to disable Basic Authentication for newly created tenants by default and begin to disable Basic Authentication in tenants that have no recorded usage starting October 2020. And of course you can start blocking legacy authentication today, you don’t need us to do anything if you want to get started (and you should).

We will also continue to complete the roll-out of OAuth support for POP, IMAP, SMTP AUTH and Remote PowerShell and continue to improve our reporting capabilities. We will publish more details on these as we make progress.

[What do I need to do to prepare?]

This change allows you more time to update clients, applications and services that are using Basic Authentication to use Modern Authentication.

[...]

In the meantime this seems to work partly only and thus is hard to PoC cleanly:
https://techcommunity.microsoft.com/t5/exchange-team-blog/announcing-oauth-support-for-pop-in-exchange-online/ba-p/1406600

Internal developers can find the specification for prior google channel in ticket 1070554