SMTP.Send OAuth permission not working for consumer accounts

Filip Navara 80

Since beginning of February all the logins with Outlook.com/Hotmail consumer account to the Office 365 SMTP server fail. This affects OAuth2 logins with the SMTP.Send permissions for our app. Curiously the deprecated live.com OAuth endpoints and permissions still work on the same app registration.

Here's a .NET code that reproduces the issue: https://github.com/filipnavara/Office365OAuthIsBrokenAgain

We have a large number of affected customers who are unable to send emails.

Filip Navara 25 Reputation points

2023-02-07T10:08:22.9166667+00:00

It affects eM Client (https://www.emclient.com). I also tested it with Mozilla Thunderbird (https://www.thunderbird.net/) with the OAuth2 authentication and it fails in the same way.
Will Wilding 150 Reputation points

2023-02-07T20:15:13.8733333+00:00

I'm experiencing the same issue. Posted here: https://learn.microsoft.com/en-us/answers/questions/1168272/oauth2-for-smtp-send-granting-accesstoken-but-retu
Jose Mancebo 0 Reputation points

2023-02-09T15:06:42.7966667+00:00

Same issue...
Brian C 0 Reputation points

2023-02-09T15:41:53.97+00:00

Same issue here with our app, I have also tested with thunderbird and this also has an issue.

@Filip Navara can you post the deprecated live.com enpoints/permissions? As this might be interesting as a temporary fall back for our customers.
Filip Navara 80 Reputation points

2023-02-10T11:33:57.81+00:00

The deprecated endpoint is "https://login.live.com/oauth20_authorize.srf" with the "wl.imap" and "wl.offline_access" permissions. It's Googlable... the app registration in the Azure AD may need the "Live SDK compatibility" checkbox checked.
JCordeiro 0 Reputation points

2023-03-15T12:26:44.4033333+00:00
Hi, if you use the Graph API will work...

Todo:

Add the Mail.Send permission in your APP in Azure.

in your code: add the scope https://graph.microsoft.com/Mail.Read , you will need then to reauthorize with your personal account

After getting the token try to make a POST to the url https://graph.microsoft.com/v1.0/me/sendMail having the Authorization the Bearer token and a JSON with the email content.

(I also had other permissions such as Mail.Read and email but for this context I believe it is not required)

Good luck
Kristofer B 5 Reputation points

2023-03-17T10:58:44.4466667+00:00

This affects the email client I'm developing as well. It used to work until recently.

As mentioned elsewhere: I'm aware there's a workaround for Microsoft 365 accounts. But there is no solution for personal Microsoft accounts (like free email account at hotmail.com/outlook.com).
Enzo Tech 0 Reputation points

2023-04-14T05:01:35.35+00:00

I have same issue, I also confirmed that until now it is not working. 535 5.7.3 Authentication unsuccessful [SJ0PR13CA0189.namprd13.prod.outlook.com 2023-04-14T01:41:59.958Z 08DB3BD5C46109BA] I am using offline_access and SMTP.Send as scope via Device Code Flow These are the endpoints that I used to get exchange device code for token device_endpoint = "https://login.microsoftonline.com/common/oauth2/v2.0/devicecode", token_endpoint = "https://login.microsoftonline.com/common/oauth2/v2.0/token"

5 answers

Akshay-MSFT 16,026 Reputation points Microsoft Employee

2023-02-15T09:06:45.33+00:00
@Filip Navara

Thanks for your time and patience. I was able to test this with Gmail and got authentication error as "SMTP AUTH" is disabled in your tenant, The issue was fixed after enabling Authenticated SMTP.

In your tenant kindly validate the following :

If Authenticated SMTP is enabled for your impacted user (this setting does over ride tenant configuration)

Navigate to https://admin.microsoft.com/Adminportal/Home?source=applauncher#/users

Select the user you are testing this with.

Ensure "Authenticated SMTP" is checked.

Please ensure to uncheck "Turn off SMTP AUTH protocol for your organization" by navigating to https://admin.exchange.microsoft.com/#/settings

Please validate if security defaults has been disabled in your organization.

If your authentication policy disables basic authentication for SMTP, clients cannot use the SMTP AUTH protocol even if you enable the settings outlined in this article. For more information, see Disable Basic authentication in Exchange Online.

Thanks,

Akshay Kaushik

Please "Accept the answer", "Upvote" and share your feedback (Yes/No) if the suggestion works as per your business need. This will help us and others in the community as well.
Please sign in to rate this answer.

2 people found this answer helpful.
Anonymous

2023-02-15T20:34:38.85+00:00

Akshay, Thanks for that response.

I have a two accounts with which I'm trying to get this to work.

One accounts is a work Microsoft365 account, and, following your suggestion, I was able to update the configuration and connect to SMTP with OAuth and send emails. Thank you.

The other account is a basic personal outlook.com account. Since it's a personal account, not a work or school account, I can't use it to reach the admin configurations you listed. I am still not able to make an OAuth SMTP connection with this account to send emails. (However I can get an IMAP connection to it using an OAuth authorization and read emails just fine.) Note that connecting to SMTP with an OAuth authorization on this personal outlook.com previously had been working without any issue, but, suddenly, it started failing and continues to fail. We first noticed the connection failure on 04 Feb 2023.

Do you you know how to configure a personal outlook.com account to allow SMTP connections using OAuth authorization?

Will Wilding 150 Reputation points

2023-02-16T19:36:26.6766667+00:00

+1 @Jason Belcher

Filip Navara 80 Reputation points

2023-02-21T09:25:33.34+00:00

We know that it works for Microsoft 365 accounts. It is, however, still broken for personal Microsoft Accounts (MSA). That's what the report was about in the first place.
Sign in to comment
Will Wilding 150 Reputation points

2023-04-11T18:28:15.63+00:00

It appears that the issue has been quietly resolved with regards to consumer outlook.com email addresses. I don't believe there was any bulletin or acknowledgement by MS, but it's working for me now.
Please sign in to rate this answer.

1 person found this answer helpful.
Brian C 0 Reputation points

2023-04-20T14:13:12.38+00:00

I was just checking in on the status of this ticket and can confirm that this now miraculously works for our email app too! Thanks for the update @Will Wilding
Sign in to comment
Craig Stark 0 Reputation points

2023-02-14T12:17:28.44+00:00

Online Hotmail worked for me; It was ONLY the EPIM Mail App that had SEND issues with Authentication. I Deleted Hotmail from EPIM and Re-created it with Exchange protocol chosen - SEND now works for me.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Enzo Tech 0 Reputation points

2023-05-01T14:08:23.9566667+00:00

This issue can still be reproduced. I created a program written in Rust-Lang to prove that the access token retrieve via Device Code Flow is not working for SMTP XOAUTH2.

Source Code:

https://github.com/LorenzoLeonardo/microsoft-smtp-xoauth2-test-tool

Scopes: offline_access, SMTP.Send

Endpoints:

https://login.microsoftonline.com/common/oauth2/v2.0/devicecode

https://login.microsoftonline.com/common/oauth2/v2.0/token
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Abdellatif Sabbah 0 Reputation points

2024-01-12T14:17:23.9233333+00:00

anyone solve this issue?
Please sign in to rate this answer.

0 comments No comments
Sign in to comment