OAuth 2.0 - Mail sending

Hello,

I was just wondering if passbolt will still be able to send mails with M365 accounts when Microsoft disables OAuth 1.0 on the 31st of December.

Thank you!

See here for info about how to use MS

… until passbolt has new capability

Hello,

I saw that OAuth2 authentication has recently been supported.

Has anyone already gained experience with how to set it up in combination with Microsoft Entra? I have registered an application with the permissions “SMTP.Send” and “User.Read”. I created a token and entered the Tenant ID and Application ID in the configuration page. Unfortunately, I keep getting the following error log when sending a test email:

[
    {
        "cmd": null,
        "response": [
            {
                "code": "220",
                "message": "***************.outlook.office365.com Microsoft ESMTP MAIL Service ready at Tue, 19 May 2026 07:32:05 +0000 [********]"
            }
        ]
    },
    {
        "cmd": "EHLO mail@testmail.com",
        "response": [
            {
                "code": "250",
                "message": "***************.outlook.office365.com Hello [***public ip***]"
            },
            {
                "code": "250",
                "message": "SIZE 157286400"
            },
            {
                "code": "250",
                "message": "PIPELINING"
            },
            {
                "code": "250",
                "message": "DSN"
            },
            {
                "code": "250",
                "message": "ENHANCEDSTATUSCODES"
            },
            {
                "code": "250",
                "message": "STARTTLS"
            },
            {
                "code": "250",
                "message": "8BITMIME"
            },
            {
                "code": "250",
                "message": "BINARYMIME"
            },
            {
                "code": "250",
                "message": "CHUNKING"
            },
            {
                "code": "250",
                "message": "SMTPUTF8"
            }
        ]
    },
    {
        "cmd": "STARTTLS",
        "response": [
            {
                "code": "220",
                "message": "2.0.0 SMTP server ready"
            }
        ]
    },
    {
        "cmd": "EHLO mail@testmail.com",
        "response": [
            {
                "code": "250",
                "message": "**************.outlook.office365.com Hello [***public ip***]"
            },
            {
                "code": "250",
                "message": "SIZE 157286400"
            },
            {
                "code": "250",
                "message": "PIPELINING"
            },
            {
                "code": "250",
                "message": "DSN"
            },
            {
                "code": "250",
                "message": "ENHANCEDSTATUSCODES"
            },
            {
                "code": "250",
                "message": "AUTH LOGIN XOAUTH2"
            },
            {
                "code": "250",
                "message": "8BITMIME"
            },
            {
                "code": "250",
                "message": "BINARYMIME"
            },
            {
                "code": "250",
                "message": "CHUNKING"
            },
            {
                "code": "250",
                "message": "SMTPUTF8"
            }
        ]
    }
]

Thank you!

Hey, to answer your issue, can you provide us with more context:

  1. How did you enter the configuration? Via the UI or via file/env var?
  2. What did you paste into the Client Secret field? A secret value generated in Entra → App registrations → Certificates & secrets (short string like Abc~xyz…), or an access token (long JWT starting with eyJ…)? If it’s a JWT, that’s wrong: Passbolt uses the secret to fetch a token itself, and this can be the reason.
  3. What kind of permission did you grant in Entra? Delegated or Application? Under which API: Microsoft Graph or Office 365 Exchange Online? The correct answer is: Application permission SMTP.SendAsApp under Office 365 Exchange Online, with admin consent granted. SMTP.Send under Graph (what they did) does not work with client_credentials.
  4. Did you register the service principal on the Exchange side?
  5. Can you provide /var/log/passbolt/error.log ?

Hello, thank you for your reply.

  1. I entered the configuration in the UI
  2. In the Client Secret field I pasted a JWT token similar to this: SlgeWLR5D32x_541gkxcD?gnsmMor
  3. In Entra I created an App registration with permissions to Microsoft Graph => SMTP.Send (Delegated) and User.Read (Delegated)
    1. Now I changed the permissions to Office 365 Exchange Online => SMTP.SendAsApp (Application)
  4. I registered the service principal

Hey @martin.24, I think the step you missed is the Register service principals in Exchange.

You need to execute a few commands in PowerShell:

  1. Start by installing the “ExchangeOnlineManagement” module and connecting to your tenant
Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -Organization <TENANT_ID>
  2. Now create the service principal. Be aware that for the following command you should not take the <OBJECT_ID> from the overview page in the “App registrations” menu; get both the <APPLICATION_ID> and the <OBJECT_ID> from the overview page in the “Enterprise apps” menu
New-ServicePrincipal -AppId <APPLICATION_ID> -ObjectId <OBJECT_ID>
  3. Now obtain the ID of the created service principal. There can be several service principals, so take the ID of the one that matches the <APPLICATION_ID> and <OBJECT_ID> used before
Get-ServicePrincipal | fl
  4. Finally give the service principal permission on the mailbox
Add-MailboxPermission -Identity "<EMAIL>" -User <SERVICE_PRINCIPAL_ID> -AccessRights FullAccess

Note: This is a one-time step you need to perform.

Try to connect after this and let us know if the issue persists.

3 Likes
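The four Exchange Online steps from the reply above, combined into one re-runnable script as an added example (not code from the poster or from Passbolt). It looks the service principal up by AppId instead of reading the `fl` listing by eye and reads the mailbox permission back afterwards; the placeholder values are yours to fill in, and matching the service principal in the `Get-MailboxPermission` output by its ObjectId is an assumption about the module's output format.

```powershell
# Added example: Exchange Online side of the Passbolt SMTP OAuth2 setup,
# written to be safe to run twice (checks before each create/grant).
# Assumption: placeholders below replaced with your tenant's values; the
# ObjectId/AppId property names follow the ExchangeOnlineManagement module.
$TenantId           = "<TENANT_ID>"
$AppId              = "<APPLICATION_ID>"   # Entra > Enterprise apps > Overview
$EnterpriseObjectId = "<OBJECT_ID>"        # same page, NOT App registrations
$Mailbox            = "<EMAIL>"            # mailbox Passbolt sends from

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -Organization $TenantId

# Step 2: register the service principal only if Exchange does not know it yet.
$sp = Get-ServicePrincipal | Where-Object { $_.AppId -eq $AppId }
if (-not $sp) {
    New-ServicePrincipal -AppId $AppId -ObjectId $EnterpriseObjectId | Out-Null
    $sp = Get-ServicePrincipal | Where-Object { $_.AppId -eq $AppId }
}
if (-not $sp) { throw "No service principal for AppId $AppId after New-ServicePrincipal" }

# Step 3: the matching principal is now in $sp; show what will be granted.
Write-Host "Service principal: $($sp.DisplayName) ObjectId=$($sp.ObjectId)"

# Step 4: grant FullAccess once, then confirm it is actually visible.
# Assumption: the User column of Get-MailboxPermission contains the ObjectId.
$granted = Get-MailboxPermission -Identity $Mailbox |
    Where-Object { $_.User -match $sp.ObjectId }
if (-not $granted) {
    Add-MailboxPermission -Identity $Mailbox -User $sp.ObjectId `
        -AccessRights FullAccess | Out-Null
}
$check = Get-MailboxPermission -Identity $Mailbox |
    Where-Object { $_.User -match $sp.ObjectId -and $_.AccessRights -contains 'FullAccess' }
if ($check) {
    Write-Host "OK: $Mailbox grants FullAccess to $($sp.DisplayName)"
} else {
    Write-Warning "Grant not visible yet; re-check Get-MailboxPermission shortly"
}

Disconnect-ExchangeOnline -Confirm:$false
```

If the final check passes but Passbolt's test mail still fails, the remaining suspects are on the Entra side of the reply above: a JWT pasted as the client secret, or SMTP.Send under Graph instead of SMTP.SendAsApp under Office 365 Exchange Online.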