2

I have an email application for sending emails that was written in house. We have set it with the option to use OAuth 2.0 with GMail (personal and business accounts) and Outlook.com accounts without issues.

We can also authentication with user ids and passwords but we prefer OAuth 2.0 as we don't save passwords anywhere that way.

We now have requests to do this for Office365 accounts.

I notice that the hello message on the Office365 smtp server (smtp.office365.com port 587) does not offer the XOAUTH2 option.

250-BY2PR0601CA0005.outlook.office365.com Hello [xx.xx.xx.xx]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH LOGIN
250-8BITMIME
250-BINARYMIME
250 CHUNKING

But, the SMTP server for outlook.com does:

250-BLU436-SMTP14.smtp.hotmail.com Hello [xx.xx.xx.xx]
250-TURN
250-SIZE 41943040
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-AUTH LOGIN PLAIN XOAUTH2
250 OK

Is this possible to do with Office365? If not, can we point Office365 users to the outlook.com smtp server (smtp-mail.outlook.com) or are they totally different?

We'd rather not use the APIs just for sending emails if possible as the RESTful APIs for each provider will of course be quite different.

The reason for using OAuth 2.0 when sending email with an Office365 account is that we don't want to have to store passwords on our server. Also, if the user changes their password, we won't know unless they tell us or manually update it on our system side.

Using OAuth 2.0 this would solve this problem and allow the application to flow like with other email providers.

Matei Radu
  • 2,038
  • 3
  • 28
  • 45
bvstone
  • 587
  • 2
  • 6
  • 17
  • So, nothing here even from Microsoft? Is it something that will be added? It sure is a nice feature with other email server cloud software. – bvstone May 10 '16 at 19:21
  • 1
    So, it looks like they recently added the XOAUTH2 option to their SMTP servers. Interesting that took so long. Thanks. – bvstone Sep 27 '22 at 20:50

4 Answers4

1

I really wanted this feature too. It would make Office365 apps that need to send mail that much easier!

I did some hunting, and found this which appears to be as close to an official answer as we are going to get (and the answer is a flat no).

Community
  • 1
  • 1
Corey Larson
  • 1,577
  • 18
  • 39
  • 2
    Yes, I found out and decided since the older method is being deprecated (the method used with outlook.com) just wrote an app to use the Office365 API to send the email. So much for standards if we need to start writing things specific to each provider's APIs.. ugh... That makes no sense as the SMTP protocol should work fine... I've got thousands of customers that use all different type of providers (google, Ms, godaddy, etc). – bvstone Jun 10 '16 at 19:22
1

Not sure if I'm missing something, but isn't this what you want? Looks like this was posted back in February. Interestingly, this article says that Oauth is supported for M365, but NOT for outlook.com users.

https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth

JayFo
  • 11
  • 1
  • Now it says it IS supported for outlook.com: "OAuth2 support for IMAP, POP, SMTP protocols as described below is supported for both Microsoft 365 (which includes Office on the web) and Outlook.com users." – Pieter van Oostrum Feb 12 '22 at 07:39
0

I made one example using javax.Mail and OAuth for desktop application. It opens logon screen to get acccessToken. I followed multiple instructions so probably there are too many permissions and props in JavaMail but I succeeded to send mail.

My example program (Github)

Eino Mäkitalo
  • 408
  • 3
  • 11
0

PHP Example with OAuth2.

[On GitHub] (https://github.com/larsonnn/php_smtp_xoauth2_microsoft.php)

<?php
/* composer.json
    "require": {
        "phpmailer/phpmailer": "^6.6",
        "league/oauth2-client": "^2.6",
        "thenetworg/oauth2-azure": "^2.1"
    }
*/
use PHPMailer\PHPMailer\Exception;
use PHPMailer\PHPMailer\OAuth;
use PHPMailer\PHPMailer\SMTP;
use PHPMailer\PHPMailer\PHPMailer;
use TheNetworg\OAuth2\Client\Provider\Azure;

require "vendor/autoload.php";

$mail = new PHPMailer(true);

$provider = new Azure([
    'clientId' => '',
    'clientSecret' => '',
    "scopes" => ["https://outlook.office.com/SMTP.Send"],
    "tenant" => "",
    "defaultEndPointVersion" => Azure::ENDPOINT_VERSION_2_0,
]);

$mail->setOAuth(
    new OAuth(
        [
            'provider' => $provider,
            'clientId' => '',
            'clientSecret' => '',
            'refreshToken' => '', 
            'userName' => 'mymail@office_365_email.tld',
        ]
    )
);

//Server settings
$mail->SMTPDebug = SMTP::DEBUG_SERVER;
$mail->isSMTP();
$mail->Host = 'smtp.office365.com';
$mail->Port = 587;
$mail->SMTPAuth = true;                                 
$mail->AuthType = 'XOAUTH2';
$mail->SMTPSecure = PHPMailer::ENCRYPTION_STARTTLS;
$mail->CharSet = PHPMailer::CHARSET_UTF8;
//Recipients
$mail->setFrom('mymail@office_365_email.tld', 'name');
$mail->addAddress('spam@example.tld', 'Spam'); 

//Content
$mail->Subject = 'Here is the subject';
$mail->Body = 'Hallo';
$mail->AltBody = 'This is the body in plain text for non-HTML mail clients';

$mail->send();
Larsonnn
  • 1
  • This is not smtp.office365.com Just tested, still no XOAUTH option.. like they told me, they won't add it. It's all going to be web APIs soon: – bvstone Sep 02 '22 at 00:51
  • Yeah you get the access token from the WebAPI but you send through the smtp server. This is literally working. I didn't read the question like you want to handle OAuth2 access token handshakes through smtp. – Larsonnn Sep 02 '22 at 07:42
  • Yes, I have the APIs working too, but this question is old and MS has already pretty much committed to not adding OAUTH to smtp.office365.com servers. – bvstone Sep 02 '22 at 13:14