What are the various permissions needed for sending a mail using OAuth ROPC Grant Flow at user level??

Vinay Sharma 51 Reputation points

Hi, I am following this document: https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth and registered an application through Admin User. I granted permissions using the same Admin User.

I am trying to send a mail (not an admin user) using OAuth ROPC Flow and below is the issue I am facing.

    "error": "invalid_grant",
    "error_description": "AADSTS50126: Error validating credentials due to invalid username or password.\r\nTrace ID: a32f5c97-3285-4551-822f-2c6fb7839700\r\nCorrelation ID: cdbca6ba-15ae-4124-9404-ad73ee1a6e06\r\nTimestamp: 2023-01-30 06:35:25Z",
    "error_codes": [
    "timestamp": "2023-01-30 06:35:25Z",
    "trace_id": "a32f5c97-3285-4551-822f-2c6fb7839700",
    "correlation_id": "cdbca6ba-15ae-4124-9404-ad73ee1a6e06",
    "error_uri": "https://login.microsoftonline.com/error?code=50126"

The username/user I am using for this above postman request do not have AAD (Azure Active directory) access. Below is the screenshot.

User's image


  • What are all permissions required for user level, so that the user which do not have access of AAD will be able to send the mail?
  • Is it mandatory to provide Admin Level Permissions to user/username using which we want to send mails in AAD? If not, then what are the least permissions needed ?

Use Case: Administrator do not want to provide Admin permissions to a user but want that user to send mails using library java.mail and ROPC flow.

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
9,990 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
18,694 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Alfredo Revilla (MSFT) 26,756 Reputation points

    Hello, Azure AD error AADSTS50126 is thrown when credentials are not correct. Ensure they are and try one more time. Moving forwarded, provided the user is a non-guest Azure work account, the Azure AD app registration exposes the right delegated permissions (as detailed by the referred documentation) and no MFA is involved you should be able to get the access token. No admin involvement should be required beyond creating the app registration.

    Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.

    0 comments No comments