
We have been trying to use Office365 SMTP OAUTH2 authentication with client credentials flow without success.

The documentation claims that SMTP should work

https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth

but also states the following:

"Note: As per the current test with SMTP OAuth 2.0 client credential flow with non-interactive sign in is not supported."

We can generate a token using the interactive authorization code flow with the delegated dynamic scope https://outlook.office.com/SMTP.Send

The resulting token has scope "SMTP.Send" which can be used in JavaMail to successfully send emails from a specific user.

We are building a non-interactive application, so the above does not work for us.

When we try to generate a token with the client credential flow, the only scope format supported is {resource}/.default

HTTP POST https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/token
client_id=...
client_secret=...
grant_type=client_credentials
scope=https://outlook.office365.com/.default

There are no application permissions for SMTP that we can set under the Microsoft Office API.

Authentication always returns "535 5.7.3 Authentication unsuccessful"

This should work like IMAP does.

The only option we have found is to disable Security Defaults under

Azure Active Directory -> Properties -> Manage Security Defaults

Which enables PLAIN TEXT authentication.

You also need to make sure that your mailbox does not have SMTP client authentication disabled, using the following PowerShell command:

Set-CASMailbox -Identity <mailbox> -SmtpClientAuthenticationDisabled $false

After these two changes, JavaMail can authenticate using user/password and send emails.

Ivan Pedruzzi
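
The token request and the SMTP side of the flow described in the question, as an added example in Python (standard library only); this is not code from the original post or from Microsoft. It assumes nothing about a real tenant: the two sample tokens are constructed, unsigned JWTs built inline, the helper names are this example's own, and the `SMTP.SendAsApp` role value is the application permission named in the Exchange team announcement linked in the second answer and is an assumption to be checked against that post. Beyond what the question shows, it inspects the `scp` and `roles` claims of a token to tell a delegated token (interactive flow, `SMTP.Send`) from an application token (client credentials) before the first AUTH attempt, and builds the exact `AUTH XOAUTH2` line the server sees, so a `535 5.7.3` can be correlated with the token that was actually sent.

```python
# Added example (not from the original post): client-credentials token request,
# token inspection, and SASL XOAUTH2 for SMTP AUTH. Standard library only.
import base64
import json
import smtplib
import urllib.parse

AUTHORITY = "https://login.microsoftonline.com"
SMTP_RESOURCE = "https://outlook.office365.com"   # resource used in the question's request


def client_credentials_request(tenant_id, client_id, client_secret):
    """Return (url, urlencoded body) for the v2.0 client-credentials grant from the question.
    This grant accepts only the {resource}/.default scope form."""
    url = f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": f"{SMTP_RESOURCE}/.default",
    })
    return url, body


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(access_token):
    """Decode the JWT payload WITHOUT verifying the signature: for inspection, never for trust."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_flow(access_token):
    """Delegated tokens (interactive flows) carry 'scp'; application tokens
    (client credentials) carry 'roles'. A client-credentials token with neither
    means the app holds no application permission on the resource at all."""
    claims = token_claims(access_token)
    if "scp" in claims:
        return "delegated"
    if "roles" in claims:
        return "application"
    return "unknown"


def xoauth2_initial_response(user, access_token):
    """Raw SASL XOAUTH2 initial response: user=<addr>^Aauth=Bearer <token>^A^A.
    smtplib.SMTP.auth() base64-encodes what the authobject returns, so keep this raw."""
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01"


def xoauth2_auth_line(user, access_token):
    """The exact 'AUTH XOAUTH2 <base64>' command as it appears on the wire."""
    raw = xoauth2_initial_response(user, access_token).encode("ascii")
    return "AUTH XOAUTH2 " + base64.b64encode(raw).decode("ascii")


def decode_auth_challenge(challenge):
    """XOAUTH2 servers reject a token with a 334 challenge carrying a JSON error
    (status, scope, schemes) before the final 535. 'challenge' is the already
    base64-decoded bytes smtplib hands to the authobject."""
    try:
        return json.loads(challenge)
    except ValueError:
        return challenge.decode("ascii", "replace")


def send_mail(host, port, user, access_token, rcpt, message):
    """Network part, not exercised offline: STARTTLS, AUTH XOAUTH2, then send as 'user'."""
    def authobject(challenge=None):
        if challenge is None:
            return xoauth2_initial_response(user, access_token)
        # Token rejected: log the server's JSON reason, answer with an empty line, and
        # let the following 535 surface as smtplib.SMTPAuthenticationError.
        print("AUTH rejected:", decode_auth_challenge(challenge))
        return ""
    with smtplib.SMTP(host, port) as smtp:
        smtp.ehlo()
        smtp.starttls()
        smtp.ehlo()
        smtp.auth("XOAUTH2", authobject)
        smtp.sendmail(user, [rcpt], message)


def _fake_jwt(payload):
    """Constructed, unsigned sample token (alg=none) for offline demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(payload) + ".sig"


# Constructed samples. The 'roles' value is the application permission named in the
# Exchange team announcement linked in the second answer (assumed here; check that post).
SAMPLE_DELEGATED = _fake_jwt({"aud": SMTP_RESOURCE, "scp": "SMTP.Send"})
SAMPLE_APPLICATION = _fake_jwt({"aud": SMTP_RESOURCE, "roles": ["SMTP.SendAsApp"]})
SAMPLE_UNPRIVILEGED = _fake_jwt({"aud": SMTP_RESOURCE})   # CC token with no app permission

if __name__ == "__main__":
    url, body = client_credentials_request("<tenant-id>", "<client-id>", "<client-secret>")
    print("POST", url, "\n", body)
    for name, tok in [("delegated", SAMPLE_DELEGATED), ("application", SAMPLE_APPLICATION),
                      ("unprivileged", SAMPLE_UNPRIVILEGED)]:
        print(f"{name:12s} -> {token_flow(tok)}  claims={token_claims(tok)}")
    print(xoauth2_auth_line("someuser@example.com",
                            "ya29.vF9dft4qmTc2Nvb3RlckBhdHRhdmlzdGEuY29tCg"))
```

Run `token_flow()` on the access token before the first SMTP connection: a client-credentials token that comes back with neither `scp` nor `roles` will be rejected by SMTP AUTH no matter how the SASL string is built, and that is the case to fix in the app registration rather than in the mail client.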

2 Answers


Per https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth:

"Note: As per the current test with SMTP OAuth 2.0 client credential flow with non-interactive sign in is not supported."

I just discovered this myself.

The Microsoft Graph API is an alternative option and I have confirmed it does work with the Client Credentials flow, but it has other limitations related to volume and file attachments to be considered.

David Anderson
  • It should work as IMAP does, but it does not. – Ivan Pedruzzi Nov 01 '22 at 23:05
  • IMAP and SMTP AUTH are different protocols. Of all the changes, they deprecated Basic Authentication for IMAP, POP, and other legacy protocols. SMTP AUTH is the only legacy protocol they are leaving Basic Authentication enabled for, and this protocol does not support the non-interactive credential flow. You would have to choose and implement a different flow, or use a different protocol or Exchange Web Services (EWS, also being deprecated), or Microsoft Graph (which has some limitations over the others). – David Anderson Nov 02 '22 at 14:23
  • Why should I be forced to use a different protocol or API? The difference is the authentication; OAuth for SMTP already works with the interactive flow, so adding support for the client credential flow should not be far-fetched. – Ivan Pedruzzi Nov 04 '22 at 10:42
  • This is a Q&A forum. I gave you the correct answer, but I can't control whether you like it or your opinion on it. For that, there is the ability to submit a feature request to Microsoft to fulfill the requirements you desire. That's outside the scope of StackOverflow. – David Anderson Nov 04 '22 at 15:56
  • Hi @DavidAnderson, is it still the case that the client credentials flow does not support SMTP OAuth? If I visit the link you gave, I could not find anything related to that (especially the quoted text "Note As per the current test with SMTP Oauth 2.0 client credential flow with non-interactive sign in is not supported."). – Amogh Apr 10 '23 at 10:48

https://techcommunity.microsoft.com/t5/exchange-team-blog/announcing-client-credential-flow-for-smtp-auth-in-exchange/ba-p/3869966

SMTP OAuth 2.0 client credential flow with non-interactive sign-in is supported now.