@Greg Taylor - EXCHANGE : We use Exchange Online accounts to send mail (from PHPMailer) via smtp.office365.com using authorization_code grants. We use a client scope of offline_access https://outlook.office.com/SMTP.Send. No permissions are set in AAD as outlook.office.com is not listed as an API resource.
All this works fine.
Using client_credential grants would be more straightforward – no refresh tokens for example, but there is no obvious way to specify SMTP.Send as client_credential grant scopes must use a https://outlook.office.com/.default scope with no individual permissions. The idea is presumably that all permissions must come from the AAD permissions list set for the resource API – which in the case of outlook.office.com seems impossible as it isn’t in AAD’s resource list!
(In passing, if we target Graph (which does have an SMTP.Send permission) as resource API instead of outlook.office.com, mail sending to smtp.office365.com doesn’t work.)
Am I attempting the impossible in trying to use client_credential grants against outlook.office.com, i.e. is SMTP AUTH support still restricted to https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow and https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-codes?
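Added example, not part of the original post: a diagnostic that decodes an access token's payload, without verifying its signature, to show which resource it targets and whether it carries SMTP.Send as a delegated scope (`scp`) or an application role (`roles`). The sample tokens are constructed and unsigned, and the assumption that a real token's `aud` equals `https://outlook.office.com` exactly should be checked against your tenant's tokens.

```python
import base64
import json

SMTP_RESOURCE = "https://outlook.office.com"  # resource named in the post
SMTP_SCOPE = "SMTP.Send"                      # permission named in the post


def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def describe_token(jwt):
    """Summarise what a token grants. Diagnostic only: nothing is verified."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    claims = _b64url_json(parts[1])
    scopes = claims.get("scp", "").split()   # delegated permissions
    roles = claims.get("roles", [])          # application permissions
    aud = claims.get("aud", "").rstrip("/")
    return {
        "aud": aud,
        "audience_ok": aud == SMTP_RESOURCE,  # assumed exact-match form
        "grant": "delegated" if scopes else "app-only" if roles else "unknown",
        "has_smtp_send": SMTP_SCOPE in scopes or SMTP_SCOPE in roles,
    }


def make_sample(claims):
    """Build an unsigned, constructed token for this demonstration."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])


# Constructed samples mirroring the three cases in the post.
DELEGATED = make_sample({"aud": "https://outlook.office.com", "scp": "SMTP.Send"})
GRAPH = make_sample({"aud": "https://graph.microsoft.com", "scp": "SMTP.Send"})
NO_ROLES = make_sample({"aud": "https://outlook.office.com", "roles": []})

if __name__ == "__main__":
    for name, tok in (("delegated", DELEGATED), ("graph", GRAPH), ("no-roles", NO_ROLES)):
        print(name, describe_token(tok))
```
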