Error authenticating with SMTP Microsoft 365 - OAuth2

Juan Levis 6 Reputation points
2022-08-17T19:54:33.597+00:00

I'm trying to send email configuring Microsoft 365 SMTP with OAuth2 authentication (due to the upcoming deprecation of the Basic Auth method). My code is written in PHP and I'm using PHPMailer as the client. Everything works well with Basic Auth, but trying with XOAUTH2 throws an error:

"535 5.7.3 Authentication unsuccessful". I've tried multiple possible solutions out there but nothing seems to change at least the error message to give me a clue of what could be the root cause.

The guides I followed are:
https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth

https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/authenticated-client-smtp-submission

I've checked that all the necessary scopes and API permissions were set.

I'd appreciate any help.

Exchange | Exchange Server | Management

7 answers

  1. Andy David - MVP 157.5K Reputation points MVP Volunteer Moderator
    2022-08-17T20:33:27.307+00:00

    What do the Azure sign in logs show for the failures?


  2. Juan Levis 6 Reputation points
    2022-08-19T14:01:46.113+00:00

    Hi,

    Looking at the logs, I found it interesting that they mark "success" but I'm still getting the error at the SMTP level.
    Also, the log doesn't seem to get any information about the protocol used and identifies the client app as a Browser (I don't know if this is expected for this type of sign-in).
    Resource is correctly listed as "Office 365 Exchange Online" so I think it's looking for the right resource.

    Here's the entry:

    Date    8/19/2022, 10:37:41 AM  
    Request ID    cea34a2a-5e48-44b2-986d-3999f6705d00  
    Correlation ID    fec7d9cb-088f-447d-97b5-ee8ea25f9a7d  
    Authentication requirement    Single-factor authentication  
    Status    Success  
    Continuous access evaluation    No  
    Additional Details    MFA requirement satisfied by claim in the token  
    User	  Juan Levis  
    Sign-in identifier  
    User type    Member  
    Cross tenant access type    None  
    Resource    Office 365 Exchange Online  
    Home tenant name	  
    Client app   Browser  
    Client credential type    None  
    Token issuer type    Azure AD  
    Token issuer name	  
    Incoming token type    None  
    Authentication Protocol    None  
    Latency    164ms  
    Flagged for review    No  
    User agent    Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36  
    

  3. Max Stewart 1 Reputation point
    2022-09-28T19:53:10.32+00:00

    Not an answer, but I have the identical problem, which I have just posted on this site and on Stack Overflow.
    We have used the Outlook REST API V2.0 with V2.0 authorization and token endpoints with PHPMailer for a year or so on our many websites with no issues.
    We use a scope of just 'offline_access https://outlook.office.com/SMTP.Send'.
    Just changing the scope to offline_access SMTP.Send (where AAD Graph has similar permissions specified) and making no other changes gives exactly your problem: AAD's sign-in logs ('User sign-ins - non-interactive') for the app show 'Success' but SMTP low-level diagnostics give '535 5.7.3 Authentication unsuccessful'.
    And I commented in my posts that "Unless Graph SMTP.Send uses a different server URI than the published https://smtp.office365.com, this should be impossible."


  4. Özgür Pir 26 Reputation points
    2022-10-12T09:28:40.53+00:00

    Hello,

    I got a token via the /token endpoint with the fields below:

    client_id, client_secret, tenant, grant_type: client_credentials and scope: https://outlook.office365.com/.default

    I cannot send SMTP XOAUTH2 mail. I get an error: Authentication unsuccessful. What am I missing? Can anyone help me?


  5. Max Stewart 1 Reputation point
    2022-10-12T13:30:51.607+00:00

    SMTP AUTH is not currently supported for the client_credentials grant. IMAP and POP are, but not SMTP.
    Whether MSFT have decided not to support it (because if misused it could create a relay) or it is just work in progress, I don't know.
    You will, I guess, need to use the authorization_code grant and use the scope https://outlook.office.com/SMTP.Send
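
A "Success" entry in the sign-in log records that a token was issued, not which resource and permissions it carries. As an added example (not part of the thread, and not PHPMailer code), this PHP script decodes an access token's claims and reports the audience and scope for the three cases the answers describe; the accepted resource URLs are an assumption taken from the scopes quoted in the thread, and the sample tokens are constructed.

```php
<?php
// Added diagnostic: decodes a JWT payload for inspection only, no signature check.
function jwt_claims(string $token): array {
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('not a three-part JWT');
    }
    // JWT segments are base64url without padding; convert before decoding.
    $b64 = strtr($parts[1], '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $claims = json_decode((string) base64_decode($b64, true), true);
    if (!is_array($claims)) {
        throw new InvalidArgumentException('payload is not a JSON object');
    }
    return $claims;
}

// Returns the reasons a token differs from the delegated SMTP.Send token
// described in the thread. An empty array means no finding.
function smtp_token_findings(array $claims): array {
    // Assumption: the two resource URLs that appear in the thread's scopes.
    $resources = ['https://outlook.office.com', 'https://outlook.office365.com'];
    $findings = [];
    $aud = rtrim((string) ($claims['aud'] ?? ''), '/');
    if (!in_array($aud, $resources, true)) {
        $findings[] = "aud is '$aud', not an Exchange Online resource";
    }
    $scp = preg_split('/\s+/', (string) ($claims['scp'] ?? ''), -1, PREG_SPLIT_NO_EMPTY);
    if (!in_array('SMTP.Send', $scp, true)) {
        $findings[] = isset($claims['roles'])
            ? 'app-only token (roles, no scp): issued via client_credentials'
            : 'scp lacks SMTP.Send';
    }
    return $findings;
}

// Constructed, unsigned sample tokens: one per case discussed in the answers.
$enc = fn(string $s): string => rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
$mk = fn(array $c): string => $enc('{"alg":"none"}') . '.' . $enc(json_encode($c)) . '.x';
$samples = [
    'outlook.office.com scope' => $mk(['aud' => 'https://outlook.office.com', 'scp' => 'SMTP.Send']),
    'Graph SMTP.Send scope' => $mk(['aud' => 'https://graph.microsoft.com', 'scp' => 'SMTP.Send']),
    'client_credentials' => $mk(['aud' => 'https://outlook.office365.com', 'roles' => ['ExampleRole']]),
];
foreach ($samples as $label => $jwt) {
    echo $label, ': ', implode('; ', smtp_token_findings(jwt_claims($jwt))) ?: 'no finding', "\n";
}
```

Run it against the real access token just before PHPMailer sends AUTH XOAUTH2, and treat the token as a credential: do not paste it into online decoders or logs.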

