authorization endpoint return not existent when asking for "https://outlook.office.com/SMTP.SendAsApp" scope

Leonardo Merino 0 Reputation points
2024-01-06T17:04:31.9+00:00

I need to set up OAuth authentication to send emails on behalf of another account through SMTP. Looking through Microsoft documentation https://learn.microsoft.com/es-es/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth#authenticate-connection-requests it mentions that the scope I should be asking for is https://outlook.office.com/SMTP.SendAsApp; however, sending the request for the authorization endpoint with scope=https://outlook.office.com/SMTP.SendAsApp I get redirected to the following url:

[http://localhost:2132/?error=invalid_scope&error_description=The%20provided%20value%20for%20the%20input%20parameter%20%27scope%27%20is%20not%20valid.%20The%20scope%20%27https://outlook.office.com/SMTP.SendAsApp%20offline_access%27%20does%20not%20exist.]
error_description=The provided value for the input parameter scope is not valid. The scope https://outlook.office.com/SMTP.SendAsApp does not exists.

Is this a typo in the documentation?

Furthermore, I've tried to use the following scope as well: https://outlook.office.com/SMTP.Send which works fine, I am able to retrieve the authorization, refresh and access tokens, but then when trying to authorize to the SMTP server, authorization failed. I need to know if this is indeed the scope I should be asking for.

Microsoft Office Online Server

1 answer

  1. Vasil Michev 98,026 Reputation points MVP
    2024-01-07T16:08:22.06+00:00

    The https://outlook.office.com/SMTP.SendAsApp scope is not valid for the Graph API, but for the Exchange Online REST API. Moreover, this is an application permission ("role"), not a delegate one. Thus you need to use a confidential client (the client credentials flow). Here's an example:

    GET https://login.microsoftonline.com/common/adminconsent/?client_id=12345678-1234-1234-1234-1234567890ab&scope=https://outlook.office.com/SMTP.SendAsApp

    where the client ID must correspond to a confidential client app with said role added under the "Office 365 Exchange Online" resource.

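The client credentials flow the answer refers to, sketched as an added example that is not part of the original question or answer. It builds the token request, the SASL XOAUTH2 string for the SMTP `AUTH XOAUTH2` command, and a parser for the error redirect shown in the question. The `.default` scope and the XOAUTH2 string layout are taken from the Microsoft article linked in the question; the function names, tenant, mailbox and secret are hypothetical placeholders.

```python
import base64
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com"
# Assumption (per the Microsoft article linked in the question): an app-only
# token is requested with the resource's .default scope, not SMTP.SendAsApp.
SMTP_APP_SCOPE = "https://outlook.office365.com/.default"


def token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the client credentials token request."""
    url = f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SMTP_APP_SCOPE,
        "grant_type": "client_credentials",
    })
    return url, body


def xoauth2_string(mailbox, access_token):
    """Build the base64 SASL XOAUTH2 initial response for AUTH XOAUTH2."""
    # Layout: user=<mailbox>^Aauth=Bearer <token>^A^A, where ^A is byte 0x01.
    raw = f"user={mailbox}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def redirect_error(redirect_url):
    """Return (error, description) from an authorization redirect, or None."""
    params = parse_qs(urlsplit(redirect_url).query)
    if "error" not in params:
        return None
    return params["error"][0], params.get("error_description", [""])[0]


if __name__ == "__main__":
    # Constructed placeholder values; the client ID is the answer's sample GUID.
    url, body = token_request("contoso.onmicrosoft.com",
                              "12345678-1234-1234-1234-1234567890ab",
                              "CLIENT_SECRET_PLACEHOLDER")
    print("POST", url)
    print(body)
    print("AUTH XOAUTH2", xoauth2_string("shared@contoso.com", "ACCESS_TOKEN"))
    print(redirect_error("http://localhost:2132/?error=invalid_scope"
                         "&error_description=scope%20does%20not%20exist"))
```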