This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 94%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EWW%3C/text%3E%3C/svg%3E)
Our application was updated late last year to support Oauth2 for obtaining (via IMAP) and sending (via SMTP) emails on behalf of outlook.com consumer accounts. (Edit: See responses below if experiencing the problem with Microsoft 365 accounts.)
We have both SAS and premise based deployments which were tested as able to send and receive in December 2022, but are now getting 5.7.3 Authentication unsuccessful when attempting to authenticate with the SMTP server. IMAP continues to work just fine.
Here's an example flow:
User is prompted for authorization:
https://login.microsoftonline.com:443/common/oauth2/v2.0/authorize?prompt=consent&response_type=code&state=59b234bd-fdc0-4905-8e57-bbd4b091cf4f&scope=https%3a%2f%2foutlook.office.com%2fSMTP.Send+https%3a%2f%2foutlook.office.com%2fIMAP.AccessAsUser.All+offline_access&access_type=offline&redirect_uri=http%3a%2f%2flocalhost%3a68%2fEmail%2foauth%2f&login_hint={outlook.com email address}&client_id={our registered + verified clientid}
The scopes are
https://outlook.office.com/SMTP.Send
https://outlook.office.com/IMAP.AccessAsUser.All
offline_access
We receive our callback after the user logs in and provides permission.
?code={access_code}&state=59b234bd-fdc0-4905-8e57-bbd4b091cf4f
Then call to exchange the access code for a token...
https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id={client id}&code={access code}&redirect_uri=http%3a%2f%2flocalhost%3a68%2fEmail%2foauth%2f&grant_type=authorization_code
...and receive our access and refresh tokens in response.
{
"token_type": "Bearer",
"scope": "https://outlook.office.com/SMTP.Send https://outlook.office.com/IMAP.AccessAsUser.All",
"expires_in": "3600",
"ext_expires_in": "3600",
"access_token": "{access_token}",
"refresh_token": "{refresh_token}"
}
MailKit is then used to connect and authenticate to the IMAP server outlook.office365.com. No errors. New mail can be read from the user's inbox.
But attempting to authenticate the SMTP (again using MailKit) client results in "535: 5.7.3 Authentication unsuccessful"
The same SaSLMechanismOAuth2 with the account's email address and current access token are used for both.
Other notes:
Thank you for posting your query on Microsoft Q&A, I am currently reviewing this and will get back to you with further inputs.
Thanks,
Akshay Kaushik
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 98%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFN%3C/text%3E%3C/svg%3E)
Hi Akshay,
there's a duplicate report of the same issue (https://learn.microsoft.com/en-us/answers/questions/1168242/smtp-send-oauth-permission-not-working-for-consume). I posted a full code to reproduce the problem at https://github.com/filipnavara/Office365OAuthIsBrokenAgain.
Thanks,
Filip
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 37%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAZ%3C/text%3E%3C/svg%3E)
Hi @Akshay-MSFT ,
I have the same issue. I could send the email using the SMTP, but since Friday, Feb 3rd it stopped working. It started showing the error "535 5.7.3 Authentication unsuccessful". However, my program can still read emails.
Please let me know if you find the solution for the @Will Wilding.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 13%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EW%3C/text%3E%3C/svg%3E)
Hi @Akshay-MSFT ,
I also encountered this problem. I am a mail client developer. At present, all functions sent by Microsoft Email are unavailable.
The error message returned is:
Authentication unsuccessful [TYCP286CA0214.JPNP286.PROD.OUTLOOK.COM 2023-02-09T14:31:14.036Z 08DB09400DE25F14]
Please let me know if you find the solution for this,thanks. @Alex Zonis @Filip Navara
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(316.8, 37%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi guys, i have the same issue. Authentication unsuccessful [BE1P281CA0143.DEUP281.PROD.OUTLOOK.COM 2023-02-09T14:22:14.564Z 08DB099F3F3AD766]
Imap works fine, but smtp not
@Will Wilding @Filip Navara @Akshay-MSFT @Alex Zonis
Hey, did anyone find a solution?
No. I have been waiting for the answer. But it doesn't resolve the issue.
Our application is used by "common" tenants, that don't have work or school accounts, and they don't have the option to configure the email and set "Authenticated SMTP"
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(22.400000000000002, 11%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
Hi there, I also have this issue. here are screenshots of my setup and sample code.
// acquire token
var scopes = new[] { "https://outlook.office.com/.default" };
var options = new TokenCredentialOptions
{
AuthorityHost = AzureAuthorityHosts.AzurePublicCloud
};
var clientSecretCredential = new ClientSecretCredential(tenantId, clientId, clientSecret, options);
Azure.Core.TokenRequestContext tokenRequestContext = new Azure.Core.TokenRequestContext(scopes);
Azure.Core.AccessToken accessToken = clientSecretCredential.GetToken(tokenRequestContext);
// send email
using (SmtpClient smtpClient = new SmtpClient())
{
smtpClient.Connect("smtp.office365.com", 587, SecureSocketOptions.StartTls);
// Exception: 535: 5.7.3 Authentication unsuccessful
// https://learn.microsoft.com/en-us/answers/questions/1168272/oauth2-for-smtp-send-granting-accesstoken-but-retu
smtpClient.Authenticate(new SaslMechanismOAuth2(username, accessToken.Token));
MimeMessage message = new MimeMessage();
// to do: build message
smtpClient.Send(message);
smtpClient.Disconnect(true);
}
@Armstrong Shi I believe you're missing the https://outlook.office.com/SMTP.Send scope in your request. That may fix your problem. The issue we're trying to address impacts authentication on behalf Microsoft accounts like outlook.com and hotmail.com addresses.
@Akshay-MSFT Any further updates? The response did not address the authentication issue myself and others are experiencing with consumer outlook.com email accounts.
@Will Wilding Thank you for your response.
Yes, I added that scope.
var scopes = new[] { "https://outlook.office.com/.default", "https://outlook.office.com/SMTP.Send"};
But I got an exception when I requested token. "Microsoft.Identity.Client.MsalServiceException : AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://outlook.office.com/.default https://outlook.office.com/SMTP.Send is not valid."
I also tried to only include the scope "SMTP.Send", but I got another exception.
Microsoft.Identity.Client.MsalServiceException : AADSTS1002012: The provided value for scope https://outlook.office.com/SMTP.Send is not valid. Client credential flows must have a scope value with /.default suffixed to the resource identifier (application ID URI).
var scopes = new[] { "https://outlook.office.com/SMTP.Send" };
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(22.400000000000002, 31%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EL%3C/text%3E%3C/svg%3E)
Just wondering, has this "authentication unsuccessfull" issue been fixed in your scenario? Thanks.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 38%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVM%3C/text%3E%3C/svg%3E)
@Will Wilding hi! any updates?
Are there any updates? It is still not working. More and more people are facing the same error. Can it be fixed from the Microsoft side?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 56.00000000000001%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EET%3C/text%3E%3C/svg%3E)
Hello Any updates on this? When will Microsoft fix this issue?
Hello @Akshay-MSFT When will Microsoft fix this issue? Until now it is still not working.
Hello I am using the device code flow for OAuth2 for consumer account These are the endpoints I used to exchange the device code and get the token. Scope use are offline_access and SMTP.Send When using the access token, for SMTP, I still got this error 5.7.3 Authentication unsuccessful.
"device_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/devicecode",
"token_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/token"
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 41%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECD%3C/text%3E%3C/svg%3E)
We're facing the same issue recently as our secret ID expired.
After creating a new secret, requesting a refresh token successfully, we are now getting error "535 5.7.3 Authentication unsuccessful" for no apparent reason.
Still double-checked all settings, all fine but security default was enabled so I disabled it but it didn't make any difference, I suppose because we are using secret/refresh token to authenticate.
The token gets refreshed after each connect, but there's no way to authenticate.
Any help would be appreciated.
The issue with sending on behalf of outlook.com consumer addresses appears to have been resolved.
Hi @Will Wilding it is still not working. 535 5.7.3 Authentication unsuccessful [SJ0PR13CA0189.namprd13.prod.outlook.com 2023-04-14T01:41:59.958Z 08DB3BD5C46109BA] I am using offline_access and SMTP.Send as scope via Device Code Flow
Hi @Will Wilding it is still not working. I am also using a consumer account too. Endpoints:
"device_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/devicecode",
"token_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/token"
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(22.400000000000002, 51%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBC%3C/text%3E%3C/svg%3E)
I can confirm that without making any changes on our end, our email app now just works, Microsoft must've fixed something
Brian, are you using this OAUth2 Flow https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code? It seems it is still not working for this OAuth2 flow.
I can confirm that the issue got resolved.
Thanks for your time and patience. I was able to test this with Gmail and got authentication error as "SMTP AUTH" is disabled in your tenant, The issue was fixed after enabling Authenticated SMTP.
In your tenant kindly validate the following :
Thanks,
Akshay Kaushik
Please "Accept the answer", "Upvote" and share your feedback (Yes/No) if the suggestion works as per your business need. This will help us and others in the community as well.
It still doesn't work for me.
The code I'm testing on:
import smtplib
import base64
import smtplib
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
class MicrosoftSMTP(smtplib.SMTP):
def __init__(self, host, port, **kwargs):
super().__init__(host=host, port=port, **kwargs)
@staticmethod
def encode_auth_token(username, token):
just_a_str = f"user={username}\x01auth=Bearer {token}\x01\x01"
xoauth2_token = base64.b64encode(just_a_str.encode())
return xoauth2_token
def authenticate(self, username, token):
self.helo()
# first step, we
code, msg = self.docmd("auth", "XOAUTH2")
if code != 334:
raise Exception(msg.decode())
# send the token
self.send(self.encode_auth_token(username, token))
def create_message() -> None:
"""
Creating messages
"""
msg = MIMEMultipart("alternative")
msg["From"] = "example@email.com"
msg["To"] = "example@email.com"
msg["Subject"] = "subject"
text_part = MIMEText("body", "plain")
msg.attach(text_part)
return msg
app = msal.ConfidentialClientApplication(conf['client_id'], authority=conf['authority'],
client_credential=conf['secret'])
result = app.acquire_token_silent(conf['scope'], account=None)
if not result:
print("No suitable token in cache. Get new one.")
result = app.acquire_token_for_client(scopes=conf['scope'])
if "access_token" in result:
print(result['token_type'])
else:
print(result.get("error"))
print(result.get("error_description"))
print(result.get("correlation_id"))
smtp = MicrosoftSMTP(host="smtp-mail.outlook.com", port=587)
smtp.starttls()
smtp.authenticate("example@mail.com", result['access_token'])
message=create_message()
smtp.sendmail("example@email.com", "example@email.com", message.as_string())
smtp.quit()
My settings:
Hi @Akshay-MSFT ,
The answer to this question resolves the configurations for the work or school accounts. The application I am working with implements the IMAP and SMTP to read and send emails for "common" tenants. I created a new question. I hope you or someone from Microsoft can help me resolve it.
Thank you for the detailed response, but as @Alex Zonis points out, the solution does not assist with outlook.com consumer accounts. I'll edit the question for more clarity.
Still not working for me.
I am using consumer accounts:
scope=https://outlook.office.com/SMTP.Send%20offline_access" -X POST https://login.microsoftonline.com/common/oauth2/v2.0/devicecode
535 5.7.3 Authentication unsuccessful [SI1PR02CA0035.apcprd02.prod.outlook.com
It did not refresh, my comment was posted twice. Removing this 2nd one. Thanks.
@Akshay-MSFT any ideas?
Are there any updates? It is still not working. More and more people are facing the same error. Can it be fixed from the Microsoft side?
Also confirmed nothing has changed and it's still broken after over a month now.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 40%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELL%3C/text%3E%3C/svg%3E)
Hello @Akshay-MSFT @Will Wilding just want to know any update?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 64%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EH%3C/text%3E%3C/svg%3E)
We are also seeing this exact issue with our consumer facing app. We see the same errors and I am trying to understand why.
IMAP works fine and we see the same error when trying to use SMPT.
Has this been resolved for you?
We have used SMTP authentication using secret + refresh token with an app configured in Azure for the past 3 years. The secret expired last week so we created a new one, requested a new refresh token for it and configured the app with those new information.
Now we keep receiving error 535, even though we haven't changed any configuration since last week. Still I verified all the configuration you mentioned and everything checked but security defaults which where on. Disabled them, but still no go.
What else could be going on here? Tried to post a question on this forum but ended with a page not found and lost my 30-minutes edit.
Hi all, it seems there was a mystery fix happened on MS side. It is now working. :)
Anyway, due to this issue I was able to produce a Test Tool written in Rust Programming Language just to test this workflow. https://github.com/LorenzoLeonardo/microsoft-smtp-xoauth2-test-tool