sending email using javamail with OAuth2 and smtp

Mike Gleeson 1 Reputation point
2022-11-30T19:00:10.957+00:00

Hi. Does anyone know what scopes should be set to allow the sending of email using SMTP? We are using javamail with OAuth2 and we have successfully got it working to read email using IMAP; now we want to send email using SMTP.

https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth

DEBUG SMTP: SASL client XOAUTH2
DEBUG SMTP: SASL callback length: 2
DEBUG SMTP: SASL callback 0: javax.security.auth.callback.NameCallback@5d1be090
DEBUG SMTP: SASL callback 1: javax.security.auth.callback.PasswordCallback@1418191d
AUTH XOAUTH2

535 5.7.3 Authentication unsuccessful [LO6P265CA0005.GBRP265.PROD.OUTLOOK.COM]
DEBUG SMTP: SASL authentication failed

The token, if I obtain it using the https://graph.microsoft.com/.default scope, comes back with the role "Mail.Send". If I use the scope https://outlook.office.com/.default I get the roles full_access_as_app, Mail.Send, and IMAP.AccessAsApp. There appear to be no scopes that give me the SMTP.Send or offline_access "roles" (or permissions or whatever), even though we've assigned them to the application.

While getting the imap to work we had to run the following command after creating a new New-ServicePrincipal: Add-MailboxPermission -Identity -AccessRights FullAccess. Is there something similar to do for sending email?


1 answer

  1. CarlZhao-MSFT 37,296 Reputation points
    2022-12-01T08:42:51.817+00:00

    Hi @Mike Gleeson

    The SMTP.Send is a delegated permission, so it only supports delegated authentication flows. You may be using a daemon-based client credentials flow, which is why your token does not have SMTP.Send permissions.

    266096-image.png

    You can try using ROPC flow or auth code flow to get a user token:

    266065-page21.png

    Parse the access token:

    266039-image.png



    1 person found this answer helpful.
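
The token check described in the answer, as an added example that is not part of the original thread: Microsoft Entra ID access tokens carry delegated permissions in the `scp` claim and application permissions in the `roles` claim, so decoding the payload shows whether a token can carry SMTP.Send at all. The two sample tokens are constructed and unsigned, the function names are hypothetical, and the decode skips signature verification because it is for diagnosis only.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def smtp_send_report(token: str) -> dict:
    """Classify the token and report whether it carries the SMTP.Send scope."""
    claims = decode_claims(token)
    scopes = claims.get("scp", "").split()  # delegated: space-separated string
    roles = claims.get("roles", [])         # application: JSON array
    if scopes:
        kind = "delegated"
    elif roles:
        kind = "app-only"
    else:
        kind = "unknown"
    return {"kind": kind, "aud": claims.get("aud"), "scp": scopes,
            "roles": roles, "smtp_send": "SMTP.Send" in scopes}

def make_sample(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo (not a real credential)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    return f"{header}.{body}.constructed-signature"

# Constructed sample: roles as reported in the question for the .default scope.
APP_ONLY = make_sample({"aud": "https://outlook.office.com",
                        "roles": ["full_access_as_app", "Mail.Send",
                                  "IMAP.AccessAsApp"]})
# Constructed sample: a user (delegated) token that includes SMTP.Send.
DELEGATED = make_sample({"aud": "https://outlook.office.com",
                         "scp": "IMAP.AccessAsUser.All SMTP.Send"})

if __name__ == "__main__":
    for name, tok in (("client credentials", APP_ONLY), ("user token", DELEGATED)):
        print(name, smtp_send_report(tok))
```

A token that reports `kind: app-only` has no `scp` claim, so it cannot contain SMTP.Send regardless of what is assigned to the application.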