Sending Email (SMTP OAuth2) — FAQ for Application Teams & Developers

Summary

Dartmouth is retiring SMTP Basic Auth in September 2025. This guide shows how applications send mail through smtp.office365.com (AUTH XOAUTH2) or Microsoft Graph (sendMail) using OAuth2, preferring delegated permissions (SMTP.Send or Mail.Send) for security. App-only sending (SMTP.SendAsApp, or Graph Mail.Send as an application permission) is allowed only when scoped to specific mailboxes (an Exchange service principal for SMTP; an Application Access Policy or RBAC for Applications for Graph). The article outlines roles (App/Dev vs Email Team), key settings, and quick troubleshooting.

Body

Sending Email (OAuth2 SMTP and Microsoft Graph) — FAQ for Application Teams & Developers

Quick Summary

  • SMTP AUTH with OAuth2 (AUTH XOAUTH2) to smtp.office365.com (port 587, STARTTLS). Best when you must continue using SMTP.
  • Microsoft Graph: Use the sendMail API for sending via Graph. Best for new applications or when you need Sent Items to show in the sending mailbox.
  • Delegated (preferred): Initial user interaction is required. Scopes:
    • SMTP: https://outlook.office.com/SMTP.Send
    • Graph: Mail.Send (and Mail.Send.Shared for shared mailboxes)
  • App-only:
    • SMTP: SMTP.SendAsApp. Requires an Exchange service principal scoped to mailbox(es).
    • Graph: application permission Mail.Send + access policy scoping (RBAC/Application Access Policy).
  • Mailbox: Use a service/shared mailbox (request via the Help Desk process). For SMTP, ensure Authenticated SMTP is enabled on that mailbox.
Timeline: Dartmouth retires SMTP Basic Auth in September 2025. After that, sending must use OAuth2 (SMTP or Graph).

Who Does What?

App/Dev Team
  • Request the sender mailbox via the Help Desk process; confirm the From address.
  • Choose integration path: SMTP (XOAUTH2) or Graph (sendMail).
  • Create an app registration by signing in to Microsoft Entra with your NetID.
  • Delegated (preferred): Implement Authorization Code + PKCE or Device Code, request the delegated scope (SMTP.Send or Mail.Send), and obtain tokens with MSAL.
  • App-only: Coordinate with the Email Team to scope the app to mailbox(es) (Exchange service principal for SMTP, Application Access Policy/RBAC for Graph).

Infrastructure Team
  • For SMTP: ensure Authenticated SMTP is enabled on the sender mailbox (per-mailbox control).
  • If App-only is needed (SMTP): register the app’s service principal in Exchange and scope access to the mailbox.
  • If App-only is needed (Graph): scope the app to specific mailbox(es) via Application Access Policy or RBAC for Applications.
  • Grant tenant admin consent for application permissions (delegated consent is self-service for users in our tenant).

Flows

Delegated (Preferred)

SMTP (delegated)

  • Scope: https://outlook.office.com/SMTP.Send (add offline_access to obtain refresh tokens).
  • Acquire a delegated token via Authorization Code and PKCE or Device Code, then connect to smtp.office365.com:587 with STARTTLS and issue AUTH XOAUTH2 with the token.
  • The user= value in the XOAUTH2 string must match the sending mailbox’s User Principal Name exactly. For a shared mailbox, use the shared mailbox address; the signed-in account must hold SendAs on that mailbox, because the token still identifies the signed-in user.
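Worked example of the delegated SMTP flow in Python, added to this article for illustration (it is not code from the original page or from Microsoft). It assumes the msal package (pip install msal), a public-client app registration whose delegated SMTP.Send scope has been consented, and placeholder values for TENANT_ID, CLIENT_ID and the token-cache file name. build_xoauth2 and parse_xoauth2 run offline; the other two functions need network access and a real registration.

```python
"""Delegated SMTP send with AUTH XOAUTH2 against smtp.office365.com (added example)."""
import base64
import os
import smtplib
from email.message import EmailMessage

TENANT_ID = "<tenant-id>"              # placeholder: Entra tenant ID
CLIENT_ID = "<client-id>"              # placeholder: app registration (public client)
SENDER = "app-sender@dartmouth.edu"    # service/shared mailbox UPN used in the article
SCOPES = ["https://outlook.office.com/SMTP.Send"]   # MSAL adds offline_access itself
CACHE_PATH = "msal_token_cache.json"   # assumption: local file; it holds refresh tokens


def build_xoauth2(user, access_token):
    """Base64 SASL XOAUTH2 initial response: user=<upn>^Aauth=Bearer <token>^A^A (^A = 0x01).
    user must be the mailbox being sent from, exactly as Exchange knows its UPN."""
    raw = "user={}\x01auth=Bearer {}\x01\x01".format(user, access_token)
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def parse_xoauth2(initial_response):
    """Inverse of build_xoauth2, for checking the user= value before it leaves the host."""
    raw = base64.b64decode(initial_response).decode("utf-8")
    return dict(field.split("=", 1) for field in raw.split("\x01") if field)


def acquire_delegated_token(scopes=SCOPES, cache_path=CACHE_PATH):
    """Silent renewal from the persisted MSAL cache first; Device Code only on first run."""
    import msal  # imported here so the pure helpers above work without msal installed
    cache = msal.SerializableTokenCache()
    if os.path.exists(cache_path):
        with open(cache_path) as fh:
            cache.deserialize(fh.read())
    app = msal.PublicClientApplication(
        CLIENT_ID,
        authority="https://login.microsoftonline.com/{}".format(TENANT_ID),
        token_cache=cache,
    )
    result = None
    accounts = app.get_accounts()
    if accounts:  # refresh token already cached: no user interaction needed
        result = app.acquire_token_silent(scopes, account=accounts[0])
    if not result:
        flow = app.initiate_device_flow(scopes=scopes)
        if "user_code" not in flow:
            raise RuntimeError("device flow could not start: {}".format(flow))
        print(flow["message"])  # tells the operator which URL to open and which code to enter
        result = app.acquire_token_by_device_flow(flow)
    if "access_token" not in result:
        raise RuntimeError(result.get("error_description", result))
    if cache.has_state_changed:
        with open(cache_path, "w") as fh:
            fh.write(cache.serialize())
        os.chmod(cache_path, 0o600)  # the cache is a credential; owner-only access
    return result["access_token"]


def send_via_smtp(user, access_token, to, subject, body):
    """STARTTLS on 587, then AUTH XOAUTH2; raises on anything but 235 Authentication successful."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = user, to, subject
    msg.set_content(body)
    with smtplib.SMTP("smtp.office365.com", 587, timeout=30) as smtp:
        smtp.ehlo()
        smtp.starttls()   # required: the server refuses AUTH on the cleartext session
        smtp.ehlo()
        code, resp = smtp.docmd("AUTH", "XOAUTH2 " + build_xoauth2(user, access_token))
        if code == 334:   # server sent a challenge describing the failure; finish the exchange
            code, resp = smtp.docmd("")
        if code != 235:
            raise smtplib.SMTPAuthenticationError(code, resp)
        smtp.send_message(msg)


if __name__ == "__main__":
    token = acquire_delegated_token()
    send_via_smtp(SENDER, token, "someone@dartmouth.edu", "OAuth2 SMTP test", "Sent with XOAUTH2.")
```

The cache file is the part most often overlooked: it contains the refresh token, so it should be stored with the same care as a password, and it is what lets an unattended job keep sending without a second sign-in.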

Graph (delegated)

  • Scope: Mail.Send (and Mail.Send.Shared if sending as a shared mailbox).
  • Acquire a delegated token via Authorization Code and PKCE or Device Code.
  • Send using POST https://graph.microsoft.com/v1.0/me/sendMail (signed-in account). For shared mailboxes, grant SendAs and use POST /users/{sharedMailbox}/sendMail.
  • Messages are saved to Sent Items automatically.
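Worked example of the delegated Graph path, added here for illustration and not taken from the original article or Microsoft's samples. It assumes a delegated access token carrying Mail.Send (and Mail.Send.Shared when sending as a shared mailbox), placeholder client and tenant IDs, and the sample addresses are constructed. The URL and payload builders run offline; graph_send needs network access.

```python
"""Graph sendMail with a delegated token (added example)."""
import base64
import json
import urllib.error
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def send_mail_url(mailbox=None):
    """/me/sendMail sends as the signed-in user. Pass a shared mailbox the user holds SendAs on
    (delegated, with Mail.Send.Shared) or the scoped mailbox (app-only) to use /users/{mailbox}."""
    if mailbox is None:
        return GRAPH + "/me/sendMail"
    return "{}/users/{}/sendMail".format(GRAPH, mailbox)


def build_send_mail(to, subject, body, html=False, save_to_sent_items=True, sender=None):
    """Request body for sendMail. saveToSentItems is spelled out because the Sent Items copy
    is the behaviour that distinguishes Graph from SMTP."""
    message = {
        "subject": subject,
        "body": {"contentType": "HTML" if html else "Text", "content": body},
        "toRecipients": [{"emailAddress": {"address": addr}} for addr in to],
    }
    if sender:  # explicit From; accepted only if the caller holds SendAs on that address
        message["from"] = {"emailAddress": {"address": sender}}
    return {"message": message, "saveToSentItems": save_to_sent_items}


def add_file_attachment(payload, name, data, content_type="application/octet-stream"):
    """Inline fileAttachment (small files); larger files need an upload session, not shown here."""
    payload["message"].setdefault("attachments", []).append({
        "@odata.type": "#microsoft.graph.fileAttachment",
        "name": name,
        "contentType": content_type,
        "contentBytes": base64.b64encode(data).decode("ascii"),
    })
    return payload


def graph_send(access_token, payload, mailbox=None):
    """POST the payload; Graph answers 202 Accepted and queues the message."""
    req = urllib.request.Request(
        send_mail_url(mailbox),
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={"Authorization": "Bearer " + access_token,
                 "Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # 401: wrong audience/scope or expired token. 403 ErrorAccessDenied: no SendAs on the
        # mailbox, or (app-only) the mailbox is outside the Application Access Policy / RBAC scope.
        detail = err.read().decode("utf-8", errors="replace")
        raise RuntimeError("sendMail failed: HTTP {} {}".format(err.code, detail)) from None


if __name__ == "__main__":
    import msal  # delegated token via Device Code; Mail.Send.Shared only matters for a shared mailbox
    app = msal.PublicClientApplication("<client-id>",
                                       authority="https://login.microsoftonline.com/<tenant-id>")
    flow = app.initiate_device_flow(scopes=["Mail.Send", "Mail.Send.Shared"])
    print(flow["message"])
    token = app.acquire_token_by_device_flow(flow)["access_token"]
    payload = build_send_mail(["someone@dartmouth.edu"], "Graph sendMail test", "Hello from Graph.",
                              sender="app-sender@dartmouth.edu")
    print(graph_send(token, payload, mailbox="app-sender@dartmouth.edu"))
```

Note that the endpoint choice and the From address must agree: sending as a shared mailbox through /users/{sharedMailbox}/sendMail with a delegated token works only when the signed-in user holds SendAs on it.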

App-only (Exception)

SMTP (app-only)

  1. App registration: add Application permission Office 365 Exchange Online → SMTP.SendAsApp; grant Admin consent.
  2. Infrastructure Team: register the app’s service principal in Exchange, scope it to the mailbox(es), and grant SendAs (FullAccess only if the app must also read the mailbox).
  3. Request tokens for https://outlook.office365.com/.default with the client-credentials flow (the token carries SMTP.SendAsApp in its roles claim); connect as in the delegated flow and issue AUTH XOAUTH2 with user= set to the scoped mailbox UPN.

Graph (app-only)

  1. App registration: add Application permission Microsoft Graph > Mail.Send; grant Admin consent.
  2. Infrastructure Team scopes the app to specific mailbox(es) via Application Access Policy or RBAC for Applications.
  3. Request tokens for https://graph.microsoft.com/.default.
  4. Send using POST https://graph.microsoft.com/v1.0/users/{mailbox}/sendMail.
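Worked example of app-only token acquisition for both paths, added to this article as an illustration (not code from the original page or from Microsoft). It assumes a confidential-client app registration whose application permission has admin consent, a certificate registered on that app (the PEM path and thumbprint are placeholders), and that the Email Team has already scoped the app to the mailbox. app_only_scopes and app_only_send_target run offline; acquire_app_token needs msal and network access.

```python
"""App-only (client credentials) tokens for SMTP.SendAsApp or Graph Mail.Send (added example)."""

TENANT_ID = "<tenant-id>"   # placeholder
CLIENT_ID = "<client-id>"   # placeholder: confidential client with admin-consented application permission

# Client credentials always request "<resource>/.default": the token then carries every
# application permission consented on that resource (SMTP.SendAsApp, or Mail.Send on Graph).
DEFAULT_SCOPE = {
    "smtp": "https://outlook.office365.com/.default",
    "graph": "https://graph.microsoft.com/.default",
}


def app_only_scopes(path):
    """Naming SMTP.SendAsApp or Mail.Send directly in the scope is an error for this flow."""
    if path not in DEFAULT_SCOPE:
        raise ValueError("path must be 'smtp' or 'graph', got {!r}".format(path))
    return [DEFAULT_SCOPE[path]]


def certificate_credential(pem_path, thumbprint):
    """Prefer a certificate to a client secret: MSAL signs a fresh client assertion per request,
    so the private key never leaves the host. pem_path and thumbprint are assumptions."""
    with open(pem_path) as fh:
        return {"private_key": fh.read(), "thumbprint": thumbprint}


def acquire_app_token(path, credential):
    import msal  # lazy import keeps the offline helpers usable without msal installed
    app = msal.ConfidentialClientApplication(
        CLIENT_ID,
        authority="https://login.microsoftonline.com/{}".format(TENANT_ID),
        client_credential=credential,
    )
    # MSAL caches this in-process and returns the cached token until it is close to expiry.
    result = app.acquire_token_for_client(scopes=app_only_scopes(path))
    if "access_token" not in result:
        # Typical causes: a named permission instead of .default, or admin consent not granted.
        raise RuntimeError(result.get("error_description", result))
    return result["access_token"]


def app_only_send_target(path, mailbox):
    """App-only tokens identify no user, so every send must name the scoped mailbox: SMTP in the
    user= field of the XOAUTH2 string, Graph in the /users/{mailbox}/sendMail path. /me/sendMail
    has no meaning with an app-only token and is rejected."""
    if not mailbox or "@" not in mailbox:
        raise ValueError("app-only sending requires the scoped mailbox UPN")
    if path == "smtp":
        return "user={}".format(mailbox)   # first field of the XOAUTH2 initial response
    if path == "graph":
        return "https://graph.microsoft.com/v1.0/users/{}/sendMail".format(mailbox)
    raise ValueError("path must be 'smtp' or 'graph', got {!r}".format(path))


if __name__ == "__main__":
    cred = certificate_credential("app-sender.pem", "<sha1-thumbprint>")  # placeholders
    token = acquire_app_token("graph", cred)
    print("token acquired; send to", app_only_send_target("graph", "app-sender@dartmouth.edu"))
```

Because the token contains no user identity, a mailbox outside the Exchange service-principal scope (SMTP) or the Application Access Policy / RBAC scope (Graph) is refused at send time even though the token itself was issued successfully; a 535 or 403 at that point is a scoping problem, not a token problem.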

Setup Checklists

Infrastructure Team

  1. SMTP: enable Authenticated SMTP on the sender mailbox.
  2. SMTP app-only: register Exchange service principal and grant SendAs (and FullAccess only if needed).
  3. Graph app-only: configure Application Access Policy or RBAC for Applications to scope mailbox access.
  4. Verify admin consent where required (application permissions).

App / Dev Team

  1. Decide SMTP vs Graph; prefer Graph for Sent Items and richer features.
  2. Store Tenant ID, Client ID, and any secret/certificate securely (no secret is needed for Device Code/PKCE, which are public-client flows; for app-only, prefer a certificate over a client secret and rotate it before it expires).
  3. Delegated: Use MSAL (Authorization Code and PKCE or Device Code) to get a delegated token (SMTP.Send or Mail.Send) and implement token refresh.
  4. App-only: Use MSAL client credentials to get a .default token for SMTP or Graph.
  5. SMTP: connect to smtp.office365.com on 587 with STARTTLS and issue AUTH XOAUTH2.
  6. Graph: call /me/sendMail (delegated) or /users/{mailbox}/sendMail (app-only/shared).

Configuration Reference

SMTP Settings

  • Server: smtp.office365.com
  • Port: 587
  • TLS: STARTTLS (required)
  • Auth: AUTH XOAUTH2 (OAuth2 access token)
  • Sender: service/shared mailbox UPN (e.g., app-sender@dartmouth.edu)

Graph Endpoints

  • Delegated: POST https://graph.microsoft.com/v1.0/me/sendMail
  • App-only or shared: POST https://graph.microsoft.com/v1.0/users/{mailbox}/sendMail

Token Requests

  • SMTP delegated: scope https://outlook.office.com/SMTP.Send (plus offline_access if refresh tokens are needed).
  • SMTP app-only: scope https://outlook.office365.com/.default with permission SMTP.SendAsApp.
  • Graph delegated: scope Mail.Send (add Mail.Send.Shared if sending from shared mailboxes).
  • Graph app-only: scope https://graph.microsoft.com/.default with permission Mail.Send.

FAQ

Why prefer delegated?

Delegated tokens are scoped to the signed-in user, reducing tenant-wide exposure. In our tenant, users can self-consent to delegated scopes.

Why prefer Graph?

Graph automatically saves to Sent Items and supports richer functionality (attachments, HTML, shared mailboxes). SMTP is fine for existing code but does not write to Sent Items.

Do device code or PKCE tokens last forever?

No. Access tokens are short-lived. MSAL uses refresh tokens to silently renew access as long as the account/app remains valid and the app runs periodically.

Our device/library cannot do delegated. What then?

Use app-only. The Email Team must scope the app to mailbox(es). Consider Graph app-only if SMTP app-only is not supported by your library.

Why don’t SMTP-sent messages show in Sent Items?

SMTP does not save copies. Use Graph if Sent Items are required, or programmatically save a copy via Graph after sending.

We get 535 5.7.3 Authentication unsuccessful. What should we check?

  • Correct scope and token audience: SMTP.Send or Mail.Send for delegated, <resource>/.default for app-only. A token issued for Graph will not authenticate to smtp.office365.com, and vice versa. Confirm the required consent has been granted.
  • For SMTP app-only: Exchange service principal registered and mailbox rights applied.
  • For SMTP: Authenticated SMTP enabled on the sender mailbox.
  • Token not expired; TLS and firewall egress OK; backoff/retries implemented.
  • SMTP XOAUTH2: user= value matches the sender UPN exactly.
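A local pre-flight check for the 535 case, added here as an example and not code from the original article. It decodes the access token's payload without verifying the signature, so it only tells you what you are about to present to the server; Exchange or Graph still performs the real validation. The audience values and claim names are those Entra ID issues for the scopes listed in this article; make_fake_jwt builds constructed tokens so the checks can be exercised offline.

```python
"""Inspect an OAuth2 access token before AUTH XOAUTH2 or sendMail (added example)."""
import base64
import json
import time

# Audience accepted for each path. The Exchange audience is the host named in the scope you
# requested (outlook.office.com for SMTP.Send, outlook.office365.com for .default).
AUDIENCES = {
    "smtp": {"https://outlook.office.com", "https://outlook.office365.com"},
    "graph": {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"},
}
# Delegated permissions arrive in scp (space-separated string); application permissions in roles (list).
PERMISSION = {
    ("smtp", "delegated"): ("scp", "SMTP.Send"),
    ("smtp", "app"): ("roles", "SMTP.SendAsApp"),
    ("graph", "delegated"): ("scp", "Mail.Send"),
    ("graph", "app"): ("roles", "Mail.Send"),
}


def decode_jwt_payload(token):
    """Base64url-decode the middle segment. No signature check: this is introspection, not validation."""
    try:
        _header, payload, _signature = token.split(".")
    except ValueError:
        raise ValueError("not a JWT: expected three dot-separated segments") from None
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(token, path, mode, user=None, now=None):
    """Return a list of problems; an empty list means the token at least looks right for this use."""
    claims = decode_jwt_payload(token)
    problems = []
    if claims.get("aud") not in AUDIENCES[path]:
        problems.append("aud is {!r}; token was not issued for {}".format(claims.get("aud"), path))
    claim, permission = PERMISSION[(path, mode)]
    granted = claims.get(claim, "")
    granted = granted.split() if isinstance(granted, str) else list(granted)
    if permission not in granted:
        problems.append("{} lacks {} (got {}); check the requested scope and consent"
                        .format(claim, permission, granted))
    other = "roles" if claim == "scp" else "scp"
    if other in claims:
        kind = "app-only" if other == "roles" else "delegated"
        problems.append("token carries {!r}: it is a {} token, not {}".format(other, kind, mode))
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:
        problems.append("token expired; acquire_token_silent should have refreshed it")
    if mode == "delegated" and user is not None:
        upn = claims.get("upn") or claims.get("preferred_username")
        if upn and upn.lower() != user.lower():
            problems.append("user={} but the signed-in account is {}; acceptable only when {} is a "
                            "shared mailbox that account holds SendAs on".format(user, upn, user))
    return problems


def make_fake_jwt(claims):
    """Constructed, unsigned token for offline testing only (alg none, dummy signature)."""
    def segment(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode("utf-8")).rstrip(b"=").decode("ascii")
    return segment({"alg": "none", "typ": "JWT"}) + "." + segment(claims) + ".sig"


if __name__ == "__main__":
    sample = make_fake_jwt({"aud": "https://outlook.office.com", "scp": "SMTP.Send",
                            "upn": "app-sender@dartmouth.edu", "exp": int(time.time()) + 3600})
    print(check_token(sample, "smtp", "delegated", user="app-sender@dartmouth.edu"))  # []
    print(check_token(sample, "graph", "delegated"))  # wrong audience and missing Mail.Send
```

Run check_token on the token your application actually obtained, with the same path, mode and user= value you are sending; most 535 5.7.3 responses map to one of the listed problems (wrong resource in the scope, a delegated token used where app-only scoping was configured or the reverse, an expired token that was never refreshed, or a user= that does not match the mailbox the token was issued for).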

Need Help?

Questions about which flow to use or want the Email Team to scope an app-only sender? Email help@dartmouth.edu.

Details

Article ID: 168187
Created
Wed 8/13/25 8:17 AM
Modified
Fri 8/29/25 2:47 PM

Related Articles

Learn how to configure applications and devices for email sending at Dartmouth. Basic Authentication for SMTP ends in September 2025—all setups must switch to OAuth. IP relay requests require security approval, and misuse may result in suspension.
Microsoft will retire Basic Authentication for SMTP Auth in Exchange Online, requiring all email-sending applications, devices, and legacy email clients to transition to Modern Authentication (OAuth). This change enhances security, reduces phishing risks, and aligns with Dartmouth’s security strategy. Application administrators and users must take action to update configurations before the deadline.