jstedfast / MailKit

A cross-platform .NET library for IMAP, POP3, and SMTP.

Home Page: http://www.mimekit.net

client_credentials flow fails for SMTP Office 365

zg-aegis opened this issue

Hi, I've run into an issue with the OAuth2 token that comes back for authenticating against an Azure Entra tenant. So if I manually do the auth code flow and get back the token and send it through MailKit from an Azure Function everything works fine. If I try to request one through the client_credentials flow it just keeps breaking on the authentication part of the flow with the exception being "Exception: MailKit.Security.AuthenticationException: 535: 5.7.3 Authentication unsuccessful [VI1PR0902CA0036.eurprd09.prod.outlook.com 2024-03-20T10:27:56.998Z 08DC48BEE95C08E5]". The thing is I also tried getting the client_credentials token manually in Postman and it looks different and is missing the "scp" field.

The thing is the permissions seem ok because when I try to send it through GraphApi it appears that it has access to the correct mailbox. I am aware that the scopes for Graph and Outlook are different. Furthermore, even if I try to send it through MailKit via the normal SMTP credentials such as email and password it breaks with another error which is "Exception: MailKit.Security.AuthenticationException: 535: 5.7.139 Authentication unsuccessful, the request did not meet the criteria to be authenticated successfully. Contact your administrator. [VI1P191CA0007.EURP191.PROD.OUTLOOK.COM 2024-03-20T10:33:07.218Z 08DC470C044328E7]".

Port is 587, and it's going to host of "smtp.office365.com".

These are the permissions

I really would not bother someone with this but I am really stuck, went through all the docs and forum posts on stack and git and I can't seem to figure it out. Is it possible that the configuration is not correct? Or that the part where you link the mailboxes in the "Registering Service Principals for Your Web Service" in the doc was not done correctly?

If someone has any advice, please type it below. The client_credentials flow should work from everything I read but I just can't get it to work.

You will need to file a support ticket with Microsoft Office365 and ask them to help you.

Unfortunately, I don't think there is anything anyone else can do.

Odds are that this is some sort of server-side settings issue which will be like finding a needle in a haystack. What's worse is that no one but you can even look at the haystack to help you find the needle because none of us have access rights.

Best hint I can give you is to ask if you registered your service principal using the Azure PowerShell commands in the docs.

If not, make sure you do that.
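
Added example, not part of the original thread or of MailKit: an app-only token from the client_credentials flow normally has no `scp` claim and carries `roles` instead, so a first triage step is to decode the token's claims and check `aud` and `roles`. The expected audience and role name below are assumptions to confirm against Microsoft's documentation, the helper names are hypothetical, and the sample tokens are constructed.

```python
import base64
import json

# Assumed expectations for app-only SMTP against Exchange Online; confirm
# them against Microsoft's current documentation before relying on them.
EXPECTED_AUD = "https://outlook.office365.com"
EXPECTED_ROLE = "SMTP.SendAsApp"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(claims: dict) -> str:
    """Build an unsigned, constructed sample token (demo input only)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig"


def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (triage only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token: str) -> list:
    """Return findings that explain why SMTP might reject an app-only token."""
    claims = decode_claims(token)
    findings = []
    aud = str(claims.get("aud", "")).rstrip("/")
    if aud != EXPECTED_AUD:
        findings.append(f"aud is {aud!r}, expected {EXPECTED_AUD!r}")
    if "scp" in claims:
        findings.append("scp present: this is a delegated token, not app-only")
    roles = claims.get("roles", [])
    if EXPECTED_ROLE not in roles:
        findings.append(f"roles {roles!r} lacks {EXPECTED_ROLE!r}")
    return findings


# Constructed samples: a token requested for Graph, and one requested for Exchange.
GRAPH_APP_TOKEN = make_token({"aud": "https://graph.microsoft.com", "roles": ["Mail.Send"]})
SMTP_APP_TOKEN = make_token({"aud": "https://outlook.office365.com", "roles": ["SMTP.SendAsApp"]})

if __name__ == "__main__":
    for name, tok in (("graph", GRAPH_APP_TOKEN), ("smtp", SMTP_APP_TOKEN)):
        print(name, diagnose(tok) or "claims look right for app-only SMTP")
```

Clean claims do not rule out the server-side causes mentioned above, such as a service principal that was never registered in Exchange Online.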