This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 71%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFB%3C/text%3E%3C/svg%3E)
We are integrating a PHP web application to send emails via SMTP using the modern OAuth 2.0 (XOAUTH2) flow for the account: PII. The Issue: We have successfully registered the Azure App. We have successfully granted Admin Consent for the delegated SMTP.Send and offline_access scopes. Our application successfully fetches a valid OAuth Access Token specifically bound to the no_reply UPN. However, when the application attempts the SMTP handshake on smtp.office365.com:587, it is immediately rejected with: 535 5.7.3 Authentication unsuccessful. What we have already checked: "Authenticated SMTP" is CHECKED under the active user's Mail ] Manage Email Apps setting. Security Defaults are DISABLED for the tenant. The Global Modern Auth setting ("Allow access to basic authentication protocols") has "Authenticated SMTP" CHECKED. We believe this account is being blocked by a hidden Conditional Access policy enforcing MFA, or the SMTP enablement has not propagated on the backend Exchange servers. Could you please review the backend logs for PII and help us exclude this service account from whatever policy is blocking the SMTP AUTH?
A cloud-based identity and access management service for securing user authentication and resource access
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 99%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Hello Faruq Bello
We will investigate the issue and update you with the findings. Thank you for your patience as we look into this.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 10%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Hi Faruq Bello
Thank you for reaching out to Microsoft Q&A.
it looks like you’ve got your app registered and you’re successfully pulling an OAuth2 token, but the SMTP handshake on smtp.office365.com:587 is being rejected with “535 5.7.3 Authentication unsuccessful.” That error almost always means one of two things:
Here’s what you can try to narrow this down and get your no_reply account sending via XOAUTH2:
Follow-up questions to narrow it further:
References
Hope this helps you pinpoint what’s blocking the SMTP handshake! Let me know what you see in the sign-in logs and we’ll go from there.
Hello, I have pasted the token where you asked me to in step one, but there is nothing being displayed in the decoded token or in claims.
Hello Faruq Bello
Thank you for your reply.
jwt.ms can only decode JWTs (3 dot‑separated Base64URL segments):
header.payload.signature
Microsoft Entra access tokens for Exchange Online SMTP are JWTs, and should always decode and show claims like:
audscpissupntidIf nothing appears, Microsoft docs and community cases show one of these is true:
Very common mistakes:
Microsoft explicitly states that only the access_token value is used for SMTP AUTH and is a JWT. Refresh tokens are opaque and will not decode
For your reference: https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth
If the token audience is Microsoft Graph, SMTP will reject it and jwt.ms may not show Exchange claims.
For SMTP AUTH, Microsoft requires:
aud = https://outlook.office365.com scope = https://outlook.office365.com/SMTP.Send
If you requested:
scope = https://graph.microsoft.com/.default
You will get a Graph token, which:
535 5.7.3 Authentication unsuccessfulCorrect token request: -
Authorization request
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
?client_id=XXXX
&response_type=code
&redirect_uri=XXXX
&scope=https://outlook.office365.com/SMTP.Send offline_acces
Token request: -
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code
client_id=XXXX
client_secret=XXXX
code=XXXX
redirect_uri=XXXX
scope=https://outlook.office365.com/SMTP.Send offline_access
When things are correct, jwt.ms will decode immediately and show something like:
{
"aud": "https://outlook.office365.com",
"scp": "SMTP.Send",
"upn": "******@yourdomain.com",
"idtyp": "user",
"iss": "https://sts.windows.net/{tenant-id}/",
"tid": "{tenant-id}"
}
If aud is graph.microsoft.com → SMTP will fail
If scp does not include SMTP.Send → SMTP will fail
If jwt.ms is blank → you are not using an access token
Why SMTP rejects with 535 even though “everything is enabled”
Microsoft confirms SMTP AUTH with OAuth will still fail if any of these are true:
Microsoft Learn explicitly calls out Conditional Access blocking SMTP OAuth attempts and recommends either:
If this is a service account (no_reply) and does not require user interaction:
Switch to Application permissions (NO user CA impact)
SMTP.SendAsApphttps://outlook.office365.com/.defaulthttps://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/oauth-high-volume-mails-m365
Thanks, I checked and found that it was refresh token that I paste. So how do I generate an access token value
Thank you for your reply.
Below is generate a valid Exchange Online SMTP access token: -
SMTP AUTH only accepts the access_token value returned by the /token endpoint.
access_token → JWT → decodes in jwt.ms → works with SMTP
refresh_token → opaque → will NOT decode → SMTP rejects
authorization code → one‑time code → not a token
Entire JSON response → invalid
Microsoft explicitly documents this behavior for SMTP OAuth.
For your reference: https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth
Option 1 — User‑based SMTP (Authorization Code flow)
Use this only if the mailbox is a real user and interactive sign‑in is acceptable.
Step 1: Get an authorization code (browser)
GET https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize
?client_id=CLIENT_ID
&response_type=code
&redirect_uri=REDIRECT_URI
&scope=https://outlook.office365.com/SMTP.Send offline_access
&response_mode=query
User signs in
You receive ?code=XXXX
This code is NOT the token
It is exchanged for tokens in step 2
Step 2: Exchange the code for tokens (this is where access_token comes from)
POST https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
client_id=CLIENT_ID
client_secret=CLIENT_SECRET
grant_type=authorization_code
code=AUTHORIZATION_CODE
redirect_uri=REDIRECT_URI
scope=https://outlook.office365.com/SMTP.Send offline_access
Successful response (example)
{
"token_type": "Bearer",
"expires_in": 3599,
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIs...",
"refresh_token": "0.AAAABBBBB..."
}
Copy only access_token
Paste that value into https://jwt.ms
Use that same value for SMTP AUTH
Microsoft documents this flow and scope requirement explicitly.
What the decoded token MUST show
When pasted into jwt.ms:
{
"aud": "https://outlook.office365.com",
"scp": "SMTP.Send",
"upn": "******@yourdomain.com",
"idtyp": "user",
"iss": "https://sts.windows.net/{tenant-id}/",
"tid": "{tenant-id}"
}
If any of these are wrong, SMTP will fail.
Option 2 — Service account / no user login
If this is a no_reply / service mailbox, do NOT use user auth.
Use Client Credentials flow instead (no MFA, no CA impact).
Required permission
SMTP.SendAsApp (Application permission)
Admin consent required
Microsoft explicitly supports this for SMTP.
Token request (client cred)
POST https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
client_id=CLIENT_ID
client_secret=CLIENT_SECRET
grant_type=client_credentials
scope=https://outlook.office365.com/.default
Response: -
{
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIs..."
}
Paste access_token into jwt.ms
aud will be https://outlook.office365.com
roles will include SMTP.SendAsApp
Works with smtp.office365.com
Note: -
aud = https://outlook.office365.comscp = SMTP.Send or roles = SMTP.SendAsApp
Following up to check if the resolution provided above was helpful. Please let us know if you need any further assistance.
Thanks, Shubham,
I will get back to you if any further guidance is needed or if I notice anything once I pass it on to the person in charge.
Hello, I have pasted the token where you asked me to in step one, but there is nothing being displayed in the decoded token or in claims.