Authenticating an SMTP server connection fails for XOAUTH2

Monika 1 Reputation point
2022-12-05T11:04:17.493+00:00

I have an issue with OAuth authentication when connecting over the IMAP protocol to access email data for an Office 365 user.

When trying to authenticate an SMTP server connection with

AUTH XOAUTH2 <base64 string in XOAUTH2 format>   

we get

1 NO AUTHENTICATE failed.   

Followed all these steps

Registered the application with Azure Active Directory.

Tenant admin consent was granted in Azure Active Directory for the IMAP permission.

Registered the service principal in Exchange and gave the application's service principal full access to the mailbox.

The token was generated through an OAuth 2.0 tenant authorisation request with the default scope (https://ps.outlook.com/.default).


I also tried changing the scope from the recommended one to 'https://outlook.office.com/IMAP.AccessAsUser.All', which then results in

"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID  

What could be wrong here so the authentication fails?


2 answers

  1. Amit Singh 5,071 Reputation points
    2022-12-06T10:57:22.39+00:00

    Microsoft intends to deprecate BASIC AUTH in all mail protocols for XO Accounts on October 1st, 2022:
    Article: https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online


  2. Glen Scales 4,441 Reputation points
    2022-12-07T23:09:34.95+00:00

    "error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID

    That error is telling you that you haven't consented to the application, so you won't get further until you clear that error. I would suggest you try the manual URL method from e.g. https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent?pivots=portal

    Construct the URL for granting tenant-wide admin consent
    When granting tenant-wide admin consent using either method described above, a window opens from the Azure portal to prompt for tenant-wide admin consent. If you know the client ID (also known as the application ID) of the application, you can build the same URL to grant tenant-wide admin consent.

    The tenant-wide admin consent URL follows the following format:

    https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}
    where:

    {client-id} is the application's client ID (also known as app ID).
    {tenant-id} is your organization's tenant ID or any verified domain name.
    As always, carefully review the permissions an application requests before granting consent.

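To see exactly what is sent in the AUTH XOAUTH2 step from the question, and to build the admin consent URL in the format quoted in the answer above, here is an added Python example; it is not code from the thread or from Microsoft, and the mailbox, tenant ID, client ID and the unsigned sample token are constructed placeholders.

```python
import base64
import json
from urllib.parse import quote


def build_xoauth2_response(user: str, access_token: str) -> str:
    """Base64 SASL initial client response for AUTH XOAUTH2.

    Wire format before base64: "user=" user ^A "auth=Bearer " token ^A ^A
    (^A is the single byte 0x01)."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def parse_xoauth2_response(encoded: str) -> dict:
    """Decode an XOAUTH2 initial response back into its fields, so you can see
    what the client actually sent when the server answers NO AUTHENTICATE failed."""
    raw = base64.b64decode(encoded).decode("utf-8")
    if not raw.endswith("\x01\x01"):
        raise ValueError("XOAUTH2 response must end with two 0x01 bytes")
    fields = dict(part.partition("=")[::2] for part in raw[:-2].split("\x01"))
    if not fields.get("auth", "").startswith("Bearer "):
        raise ValueError("auth field must be 'Bearer <access token>'")
    return fields


def jwt_claims(access_token: str) -> dict:
    """Read the JWT payload WITHOUT verifying the signature: only for inspecting
    aud / roles / scp while troubleshooting, never for trusting the token."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def admin_consent_url(tenant_id: str, client_id: str) -> str:
    """Tenant-wide admin consent URL in the format quoted from the Microsoft docs."""
    return (f"https://login.microsoftonline.com/{quote(tenant_id)}"
            f"/adminconsent?client_id={quote(client_id)}")


def sample_token(claims: dict) -> str:
    """Constructed, unsigned stand-in for an Azure AD access token (demo only)."""
    def b64url(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64url({'alg': 'none'})}.{b64url(claims)}.signature"


if __name__ == "__main__":
    tok = sample_token({"aud": "https://outlook.office365.com", "roles": ["IMAP.AccessAsApp"]})
    enc = build_xoauth2_response("mailbox@contoso.example", tok)
    print(parse_xoauth2_response(enc)["user"], jwt_claims(tok)["aud"])
    print(admin_consent_url("contoso.onmicrosoft.com", "00000000-0000-0000-0000-000000000000"))
```

Decoding your own AUTH XOAUTH2 string and the token's aud/roles claims before sending is a quick way to separate a malformed SASL string from a token issued for the wrong resource or without the consented permission.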
