Hi @Giuseppe Clinaz • Thank you for reaching out.
It looks like you are trying to use OAuth2 with a client credentials flow to utilize SMTP to send emails. I have replicated your described setup in my environment, and it looks like you are indeed following the correct guide.
As to your questions:
- Yes, the document you are referencing actually states at the very bottom that this is required when requesting the access token.
- The necessary configuration is for the most part described in the guide you are following; I will give you some additional pointers below as well that are a bit more hidden across other documents or portals.
- The general troubleshooting steps are outlined in the following Learn Article: Error: Authentication unsuccessful. In your particular case I will walk you through some more steps to validate as well below, as it looks like a configuration issue indeed.
- As per 3, yes, this can cause problems. I had it disabled throughout my testing; I enabled it just now and revoked the refresh tokens for the user, and it's still working for now. However, I would err on the side of caution here and follow the guidance: for your use case, some enforced parameters for the users, like mandatory Multifactor Authentication after 14 days of enablement, will not be compatible with the use case you are trying to achieve. If you are in a position to utilize Conditional Access policies from a licensing perspective of your tenant, then that would be my recommendation. The following Learn Article also has more background: Authenticate your device or application directly with a Microsoft 365 or Office 365 mailbox, and send mail using SMTP AUTH client submission
With IMAP working, you are really mostly interested in the marked output, as that is your pre-formatted combined username and bearer token string, which is required to authenticate for SMTP as well.
You may have your own method of creating that, however, even a wrong escape character can render the token invalid for a successful login.
In the Office 365 Admin Center or via PowerShell, you have to ensure that the mailbox does allow SMTP authentication (this is not enabled by default). This should read False when using PowerShell.
Get-CASMailbox -Identity <EmailAddress> | Format-List SmtpClientAuthenticationDisabled
In the UI the Manage Email apps link will allow you to set the checkbox.
Your API permissions look alright to me; you can probably restrict them, actually. Below you can find the setup which I tested with. Your screenshot is not showing it, but I am assuming that you did indeed give the necessary admin consent for the Office 365 permission set.
Next is registering the Service Principal in Exchange Online. You followed the steps; there is, however, one possible pitfall.
Set-ServicePrincipal -Identity "OBJECT_ID" -DisplayName "email-oauth-proxy"
There are 2 possible object IDs, however only one will work.
The OBJECT_ID is the Object ID from the Overview page of the Enterprise Application node (Azure Portal) for the application registration. It is not the Object ID from the Overview page of the App Registrations node. Using the incorrect Object ID will cause an authentication failure.
I recommend using the PowerShell snippet from the guide to make sure the correct IDs are being used.
$AADServicePrincipalDetails = Get-AzureADServicePrincipal -SearchString YourAppName
New-ServicePrincipal -AppId $AADServicePrincipalDetails.AppId -ObjectId $AADServicePrincipalDetails.ObjectId -DisplayName "EXO Serviceprincipal for EntraAD App $($AADServicePrincipalDetails.Displayname)"
$EXOServicePrincipal = Get-ServicePrincipal -Identity "EXO Serviceprincipal for EntraAD App YourAppName"
Add-MailboxPermission -Identity "<EmailAddress>" -User $EXOServicePrincipal.Identity -AccessRights FullAccess
The last step is to confirm everything works, ideally with the token created from the PowerShell script I outlined earlier.
Once you are connected via telnet, you will have to follow a 2-step process as per the SMTP protocol.
Send a HELO with your own IP to the server.
Send AUTH XOAUTH2 followed by the generated token string.
You can see this in the picture below.
There unfortunately are a lot of steps to follow for this to be successful, and I tripped up a couple of times myself during the reproduction here, so I am sure that either the Security Defaults disabling or going over the OBJECTID in the Service Principal will resolve your issue; the other steps which you performed look correct to me.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
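The two points the answer above leans on, that the combined username/bearer-token string must be byte-exact (a wrong escape character silently breaks the login) and that the SMTP side is a greeting followed by AUTH XOAUTH2 with that string, are shown below in Python. This is an added example, not code from the original answer or from Microsoft's guide. It assumes the v2.0 token endpoint `https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token` with the scope `https://outlook.office365.com/.default` for the client credentials flow, and `smtp.office365.com:587` with STARTTLS; the mailbox, token and tenant values are constructed placeholders. The `sep` parameter on `build_xoauth2_string` exists only to reproduce the wrong-separator mistake (a literal `^A` instead of byte 0x01) so that the validator can be shown catching it. `smtplib` sends EHLO rather than HELO, which is the greeting that makes the server advertise AUTH.

```python
"""SASL XOAUTH2 for Exchange Online SMTP AUTH: build, validate, and use the string.

Added example (not from the original post). Assumptions are marked below;
user/token/tenant values are constructed placeholders.
"""
import base64
import json
import smtplib
import urllib.parse
import urllib.request

SMTP_HOST = "smtp.office365.com"          # assumption: EXO client submission endpoint
SMTP_PORT = 587
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"  # assumption
SCOPE = "https://outlook.office365.com/.default"                            # assumption
SEP = "\x01"  # a single 0x01 byte (Ctrl-A); NOT the two characters "^A"


def build_xoauth2_string(user: str, access_token: str, sep: str = SEP) -> str:
    """Return the base64 initial client response for AUTH XOAUTH2.

    Wire format before base64:  user=<mailbox>\x01auth=Bearer <token>\x01\x01
    `sep` is only overridable to demonstrate the wrong-escape failure mode.
    """
    raw = f"user={user}{sep}auth=Bearer {access_token}{sep}{sep}"
    # b64encode never inserts line breaks; a wrapped/padded-by-hand string is a
    # common way the token becomes invalid for login.
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def parse_xoauth2_string(encoded: str) -> tuple[str, str]:
    """Decode an XOAUTH2 string and return (user, token); ValueError on any format slip."""
    raw = base64.b64decode(encoded, validate=True).decode("utf-8")
    if not raw.endswith(SEP * 2):
        raise ValueError("missing the trailing \\x01\\x01 terminator")
    fields = raw[:-2].split(SEP)
    if len(fields) != 2:
        raise ValueError(f"expected one \\x01 between user and auth, found {len(fields) - 1}")
    user_kv, auth_kv = fields
    if not user_kv.startswith("user=") or not auth_kv.startswith("auth=Bearer "):
        raise ValueError("fields must be 'user=<mailbox>' and 'auth=Bearer <token>'")
    return user_kv[len("user="):], auth_kv[len("auth=Bearer "):]


def is_valid_xoauth2_string(encoded: str) -> bool:
    """True if the string decodes to the exact XOAUTH2 layout the server expects."""
    try:
        parse_xoauth2_string(encoded)
        return True
    except ValueError:  # binascii.Error and UnicodeDecodeError are ValueError subclasses
        return False


def get_client_credentials_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client credentials grant against the tenant token endpoint (network call)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SCOPE,  # the scope the guide requires for SMTP/IMAP/POP with app-only auth
    }).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant=tenant_id), data=body)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def smtp_xoauth2_login(user: str, access_token: str,
                       host: str = SMTP_HOST, port: int = SMTP_PORT) -> int:
    """EHLO, STARTTLS, EHLO, then AUTH XOAUTH2 <string>. Returns 235 on success.

    On a rejected token Exchange answers 334 with a base64 JSON blob describing
    the error; the client must send an empty line to receive the final 535.
    """
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()          # EHLO (not HELO) is what advertises the AUTH mechanisms
        smtp.starttls()
        smtp.ehlo()
        code, msg = smtp.docmd("AUTH", "XOAUTH2 " + build_xoauth2_string(user, access_token))
        if code == 334:
            detail = base64.b64decode(msg).decode("utf-8", "replace")
            code, msg = smtp.docmd("")   # acknowledge the error challenge
            raise smtplib.SMTPAuthenticationError(code, f"{msg!r} {detail}")
        if code != 235:
            raise smtplib.SMTPAuthenticationError(code, msg)
        return code
```

Run `is_valid_xoauth2_string()` on whatever string your own tooling produces before pasting it into telnet; if it returns False, the separator or base64 is wrong and the 535 from the server is not a permission or service principal problem. When the login does reach the server, the decoded 334 payload (a JSON body with a status and a scheme) is the fastest way to tell a bad token from a mailbox that still has SMTP AUTH disabled.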