How to configure an app (PHPMailer) in azure portal for multiple email addresses, that are in the same O365 tenant, to use OAuth with SMTP without user interaction?

2022-09-30T11:32:03.473+00:00

In our company we use email addresses for each employee and for 3 departments (service, support and reports), for example <employee_name>@<company_name>.de or reports@<company_name>.de ("<..._name>" is just a placeholder for posting here). Our programs use PHPMailer to send emails from the 3 departments via SMTP without user interaction (Host: smtp.office365.com), that is, PHPMailer is called by a program/script that is started by the Microsoft Task Scheduler. Now we want to switch from Basic SMTP Auth to OAuth2.

So we registered a web app in the main tenant (<boss_name>@<company_name>.de) in the Azure portal and received the refresh token with the file "get_oauth_token.php", which is included in PHPMailer. Sending mail via OAuth is working now, but only when <boss_name>@<company_name>.de is both the username and the email sender (From).

It's not working when both are, for example, reports@<company_name>.de (preferred way):

SMTP INBOUND: "535 5.7.3 Authentication unsuccessful [AM6PR10CA0036.EURPRD10.PROD.OUTLOOK.COM]"

And it's not working when <boss_name>@<company_name>.de is the username and From is for example reports@<company_name>.de (willy-nilly compromise)

SMTP INBOUND: "554 5.2.252 SendAsDenied; <boss_name>@<company_name>.de not allowed to send as reports@<company_name>.de"

We tried to change the configuration for <boss_name>@<company_name>.de ("SendAs" parameter) and of the app in the Azure portal (for example defining the department email addresses as owners of the app, or adding "Mail.Send" in the Microsoft Graph API as an application permission) and waited 24 hours (synchronization delay), but no change.

So I've read countless tutorials in the past weeks from Microsoft, PHPMailer and others, and forums like Stack Overflow. But nowhere could I find the necessary information on how to change the configuration.

Our configuration in the azure portal:

  • permissions: Microsoft Graph (Mail.Send), Office 365 Exchange Online (Mail.Send, IMAP.AccessAsApp, POP.AccessAsApp)
  • supported account types: Multitenant and personal Microsoft Accounts (e.g. Skype, Xbox)

We also tried Single Tenant as supported account type (which fits perfectly), but we can't get a refresh token with that configuration (the script is refreshed without showing the token)

PHPMailer configuration for getting the refresh token:

... 'scope' => ['wl.offline_access', 'Mail.Send']  
$urlAuthorize = 'https://login.live.com/oauth20_authorize.srf';  
$urlAccessToken = 'https://login.live.com/oauth20_token.srf';  
$urlResourceOwnerDetails = 'https://apis.live.net/v5.0/me';  

We also tried the following (<tenant-id> is just a placholder for posting here):

$urlAuthorize = 'https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize';  
$urlAccessToken = 'https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token';  
$urlResourceOwnerDetails = 'https://graph.microsoft.com/v1.0/me';  

or:

$urlAuthorize = 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize';  
$urlAccessToken = 'https://login.microsoftonline.com/common/oauth2/v2.0/token';  

But the authentication fails - it stops after

2022-09-29 14:37:22 SERVER -> CLIENT: ... .outlook.office365.com Hello ...
2022-09-29 14:37:22 Auth method requested: XOAUTH2
2022-09-29 14:37:22 Auth methods available on the server: LOGIN,XOAUTH2

Today I found a hint on https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth:

Note As per the current test with SMTP Oauth 2.0 client credential flow with non-interactive sign in is not supported.

Does this mean that my efforts were for nothing?

If not, how can I achieve my goal?
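The delegated SMTP flow that the linked Microsoft page describes, written out as an added example (this is not code from the original post, from PHPMailer's shipped examples, or from the answer): a scheduled script reuses a refresh token that was obtained once, interactively, for <boss_name>@<company_name>.de, authenticates over XOAUTH2 as that mailbox, and sends From reports@<company_name>.de. Everything in angle brackets, the redirect URI, the token file path and the recipient are assumptions; the scopes are the ones the Microsoft page lists for SMTP (the Exchange resource `SMTP.Send`, not Graph `Mail.Send`) plus `offline_access`, which is what produces a refresh token at all.

```php
<?php
// Added example, not from the original post. Requires phpmailer/phpmailer and
// league/oauth2-client via Composer. Placeholders in angle brackets are assumptions.
require __DIR__ . '/vendor/autoload.php';

use League\OAuth2\Client\Provider\GenericProvider;
use PHPMailer\PHPMailer\Exception;
use PHPMailer\PHPMailer\OAuth;
use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\SMTP;

$tenantId     = '<tenant-id>';      // single-tenant app: use the tenant id, not "common"
$clientId     = '<client-id>';
$clientSecret = getenv('MAILER_CLIENT_SECRET') ?: '<client-secret>';

// The mailbox the refresh token was issued to. The SASL XOAUTH2 "user=" field must
// name this account; it is also the account that needs SendAs on the From address.
$authUser    = '<boss_name>@<company_name>.de';
$fromAddress = 'reports@<company_name>.de';

// A refresh token is a long-lived credential: keep it outside the web root and the
// repository, readable only by the Task Scheduler account. Path is an assumption.
$refreshToken = trim((string) file_get_contents('C:\\ProgramData\\mailer\\refresh_token.txt'));

// Tenant-specific v2.0 endpoints; the same provider object works for the one-time
// authorization-code step in get_oauth_token.php and for the refresh here.
$provider = new GenericProvider([
    'clientId'                => $clientId,
    'clientSecret'            => $clientSecret,
    'redirectUri'             => 'http://localhost/get_oauth_token.php', // must match the app registration
    'urlAuthorize'            => "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/authorize",
    'urlAccessToken'          => "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token",
    'urlResourceOwnerDetails' => 'https://graph.microsoft.com/v1.0/me',
    'scopes'                  => ['https://outlook.office.com/SMTP.Send', 'offline_access'],
    'scopeSeparator'          => ' ',
]);

$mail = new PHPMailer(true);
try {
    $mail->isSMTP();
    $mail->Host       = 'smtp.office365.com';
    $mail->Port       = 587;
    $mail->SMTPSecure = PHPMailer::ENCRYPTION_STARTTLS;
    $mail->SMTPAuth   = true;
    $mail->AuthType   = 'XOAUTH2';
    $mail->SMTPDebug  = SMTP::DEBUG_SERVER; // shows the 535 / 554 replies when a grant is missing

    // PHPMailer exchanges the refresh token for an access token on each send and
    // builds the SASL string "user=<authUser>\x01auth=Bearer <token>\x01\x01" itself.
    $mail->setOAuth(new OAuth([
        'provider'     => $provider,
        'clientId'     => $clientId,
        'clientSecret' => $clientSecret,
        'refreshToken' => $refreshToken,
        'userName'     => $authUser,
    ]));

    // From differs from the authenticated user: Exchange replies
    // "554 5.2.252 SendAsDenied" unless $authUser holds SendAs on $fromAddress.
    $mail->setFrom($fromAddress, 'Reports');
    $mail->addAddress('<employee_name>@<company_name>.de'); // recipient is an assumption
    $mail->Subject = 'Nightly report';
    $mail->Body    = 'Report attached.';
    $mail->send();
} catch (Exception $e) {
    // Log the server reply only; never log the access or refresh token.
    error_log('Mail failed: ' . $mail->ErrorInfo);
    exit(1);
}
```

Two checks before running this: the SendAs grant is an Exchange Online recipient permission, not an app-registration setting, so it is made with `Add-RecipientPermission -Identity reports@<company_name>.de -Trustee <boss_name>@<company_name>.de -AccessRights SendAs` in Exchange Online PowerShell (or the equivalent mailbox delegation in the admin center); and the "535 5.7.3 Authentication unsuccessful" seen when both username and From are reports@ is expected with this token, because the XOAUTH2 `user=` must be the account the token was issued to, and a department mailbox with no interactive sign-in of its own cannot complete the consent step.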


Accepted answer
    Glen Scales
    2022-10-06T23:13:57.967+00:00

    Currently the Client Credentials flow isn't supported with SMTP Auth (it may be in the future, but there isn't a roadmap item that I know of), so you need to grant SendAs permissions to whatever account you are trying to send as in the From, or switch to using the Graph API, e.g. one example https://katystech.blog/projects/php-graph-mailer that does support the client credentials flow.

    1 person found this answer helpful.
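The second route the answer names, as an added example that is neither the answer's code nor the linked php-graph-mailer project: a client-credentials token for Microsoft Graph and a `sendMail` call on the department mailbox, which needs no sign-in and no stored refresh token and therefore suits a Task Scheduler job. It assumes the app registration holds the application permission `Mail.Send` with admin consent; tenant id, client id, the secret's environment variable and the addresses are placeholders.

```php
<?php
// Added example, not from the answer or the linked project. Placeholders are assumptions.
// Uses only ext-curl and ext-json; no Composer packages needed.

function get_app_token(string $tenantId, string $clientId, string $clientSecret): string
{
    // Client-credentials grant: the app authenticates as itself, no user involved.
    $ch = curl_init("https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token");
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POSTFIELDS     => http_build_query([
            'grant_type'    => 'client_credentials',
            'client_id'     => $clientId,
            'client_secret' => $clientSecret,
            // .default = every application permission already consented for this app.
            'scope'         => 'https://graph.microsoft.com/.default',
        ]),
    ]);
    $resp   = json_decode((string) curl_exec($ch), true) ?: [];
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($status !== 200 || empty($resp['access_token'])) {
        // error_description comes from the token endpoint; the secret is never logged.
        throw new RuntimeException('Token request failed: ' . ($resp['error_description'] ?? "HTTP $status"));
    }
    return $resp['access_token'];
}

function graph_send_mail(string $token, string $fromMailbox, string $to, string $subject, string $body): void
{
    // The mailbox in the URL is the sender. With application Mail.Send there is no
    // SendAs check at all: the app may send as any mailbox in the tenant unless an
    // Application Access Policy restricts it (see the note below).
    $url = 'https://graph.microsoft.com/v1.0/users/' . rawurlencode($fromMailbox) . '/sendMail';
    $payload = [
        'message' => [
            'subject'      => $subject,
            'body'         => ['contentType' => 'Text', 'content' => $body],
            'toRecipients' => [['emailAddress' => ['address' => $to]]],
        ],
        'saveToSentItems' => true,
    ];
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => ["Authorization: Bearer $token", 'Content-Type: application/json'],
        CURLOPT_POSTFIELDS     => json_encode($payload),
    ]);
    $out    = (string) curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($status !== 202) { // Graph answers 202 Accepted for a successful sendMail
        throw new RuntimeException("sendMail failed: HTTP $status $out");
    }
}

// Secret from the environment of the scheduled task, never from the script file.
$token = get_app_token('<tenant-id>', '<client-id>', getenv('MAILER_CLIENT_SECRET') ?: '');
graph_send_mail($token, 'reports@<company_name>.de', '<employee_name>@<company_name>.de',
                'Nightly report', 'Report attached.');
```

The trade-off a practitioner should weigh: the client secret (or, better, a certificate credential on the app registration) now authorizes sending as every mailbox in the tenant, which is far broader than a SendAs grant on three department addresses. Exchange Online lets you narrow that with an Application Access Policy, `New-ApplicationAccessPolicy -AppId <client-id> -PolicyScopeGroupId <mail-enabled security group containing the three department mailboxes> -AccessRight RestrictAccess`, checked afterwards with `Test-ApplicationAccessPolicy`; a 403 from `sendMail` for any other mailbox is then the expected result.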
