- Bug
- Resolution: Unresolved
- Minor
- None
- 4.5.3
- MOODLE_405_STABLE
As best we can tell, there may be an issue with the ‘offline’ permission token scopes Moodle requires to be present that is incompatible with the scopes Microsoft accepts.
We get the error message “SMTP ERROR: AUTH command failed: 535 5.7.3 Authentication unsuccessful” when using the XOAUTH2 method. We know SMTP is enabled on the mailbox and working, as we can switch back to legacy authentication and it works immediately. We don’t see any sign-in events when testing OAuth SMTP, which leads us to believe the scopes may be incorrect and the request is being rejected before authenticating against the service account. We do see sign-in events when re-linking the service account to the OAuth service.
Another thing is the error message does not change if we disable SMTP on the M365 mailbox when testing OAuth. We do see an error message specifically calling out SMTP authentication is disabled on the mailbox when we tested this with legacy authentication.
Moodle seems to be hardcoded to require scopes that are only available with ‘delegated’ API permissions, as the “offline_access” scope must always be present in the requested scopes and the ‘username’ property must be returned after linking the service account. Because ‘username’ is required, “user.read” must be present in the request too. This StackOverflow post suggests the user.read scope should not be requested, but Moodle throws an error when we try to remove it, as ‘username’ is not returned.
The scope string that seems to be accepted by both Microsoft and Moodle is “openid profile email user.read offline_access https://outlook.office.com/SMTP.Send” (or just “user.read offline_access https://outlook.office.com/SMTP.Send”), but obviously this doesn’t translate to SMTP working.
We tried using ‘application’ mode API permissions and registering the service principal to send as the Exchange mailbox as described in the Microsoft links below, along with requesting just the “https://outlook.office365.com/.default” scope, but Moodle rejects this scope request for not including offline_access and not returning ‘username’.
https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/oauth-high-volume-mails-m365
Microsoft rejects the scope request “user.read https://outlook.office365.com/.default offline_access” with an error paraphrased as “AADSTS70011 .default scope can't be combined with resource-specific scopes” which seems to be because of user.read, which we can’t remove. We also attempted to use user.read.all instead and granted this application API permission, but again Moodle errored that ‘username’ was not returned.
It seems the Moodle developers need to check that the correct, compatible scopes are being required on their end for delegated API mode, and maybe look to support application API mode too.
Thanks!
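To make the scope constraints above testable, here is an added diagnostic script (not part of the Moodle tracker issue or of Moodle's code). It encodes the two rules the report describes (Microsoft's AADSTS70011 restriction on mixing a resource `/.default` scope with resource-specific scopes, and Moodle's requirement for `offline_access` plus `user.read`), decodes an access token's `scp`/`roles` claims without verifying it so you can see whether `SMTP.Send` is actually in the token, and builds the SASL XOAUTH2 initial response that `smtplib` sends during `AUTH XOAUTH2`. The assumptions are mine: that the OIDC scopes `openid profile email offline_access` are the only ones Microsoft allows next to `/.default`, and that the SMTP endpoint accepts `AUTH XOAUTH2` with a STARTTLS session on port 587. The demo token is constructed and unsigned; a real token comes from the OAuth service the report configures.

```python
"""Diagnostics for XOAUTH2 SMTP scope problems (added example, not Moodle code)."""
import base64
import json
import smtplib

# OIDC scopes that Microsoft Entra accepts alongside a '/.default' scope
# (assumption based on the AADSTS70011 message quoted in the report).
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}
SMTP_SEND_SUFFIX = "/SMTP.Send"


def check_scope_string(scopes):
    """Return a list of problems found in a space-separated scope request.

    Rules encoded (from the report):
      * Microsoft: a '/.default' scope cannot be combined with resource-specific scopes.
      * Moodle: 'offline_access' must be present (it wants a refresh token) and
        'user.read' must be present so that the 'username' claim is returned.
      * Plain sanity check: without SMTP.Send (or .default) the token cannot
        authorise SMTP AUTH at all.
    An empty list means the string passes every rule encoded here; it does not
    prove the resulting token will be accepted by the SMTP endpoint.
    """
    parts = scopes.split()
    lowered = {p.lower() for p in parts}
    problems = []
    default_scopes = [p for p in parts if p.endswith("/.default")]
    specific = [p for p in parts
                if not p.endswith("/.default") and p.lower() not in OIDC_SCOPES]
    if default_scopes and specific:
        problems.append("AADSTS70011-style conflict: %s combined with %s"
                        % (default_scopes, specific))
    if "offline_access" not in lowered:
        problems.append("Moodle requires offline_access")
    if "user.read" not in lowered:
        problems.append("Moodle requires user.read so that 'username' is returned")
    if not any(p.endswith(SMTP_SEND_SUFFIX) or p.endswith("/.default") for p in parts):
        problems.append("no SMTP.Send (or .default) scope: token will not authorise SMTP")
    return problems


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def token_claims(jwt_token):
    """Decode an access token's payload WITHOUT verifying its signature.

    Diagnostic only: shows the audience and which delegated scopes ('scp') or
    application roles ('roles') the token really carries.
    """
    _header, payload, _sig = jwt_token.split(".")
    claims = json.loads(_b64url_decode(payload))
    return {
        "aud": claims.get("aud"),
        "scp": claims.get("scp", "").split(),
        "roles": claims.get("roles", []),
    }


def xoauth2_initial_response(user, access_token):
    """SASL XOAUTH2 initial client response: base64("user=<addr>^Aauth=Bearer <token>^A^A")."""
    raw = "user=%s\x01auth=Bearer %s\x01\x01" % (user, access_token)
    return base64.b64encode(raw.encode()).decode()


def smtp_xoauth2_probe(host, port, user, access_token):
    """Attempt AUTH XOAUTH2 against host:port and return the server's (code, message).

    235 means the token was accepted; '535 5.7.3 Authentication unsuccessful' is
    the reply quoted in the report. Network call: not exercised offline.
    """
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo()
        smtp.starttls()
        smtp.ehlo()
        code, msg = smtp.docmd("AUTH", "XOAUTH2 " + xoauth2_initial_response(user, access_token))
        return code, msg.decode(errors="replace")


def make_demo_token(claims):
    """Build an UNSIGNED, JWT-shaped token from constructed claims (offline demo only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return "%s.%s.%s" % (enc({"alg": "none", "typ": "JWT"}), enc(claims), "nosig")


if __name__ == "__main__":
    for s in ("user.read offline_access https://outlook.office.com/SMTP.Send",
              "user.read https://outlook.office365.com/.default offline_access",
              "https://outlook.office365.com/.default"):
        print(s, "->", check_scope_string(s) or "passes encoded rules")
    demo = make_demo_token({"aud": "https://outlook.office.com", "scp": "SMTP.Send User.Read"})
    print(token_claims(demo))
```

Run the script as-is to see how each of the report's three scope strings fares against the encoded rules; then call `token_claims()` on a real access token (after the Moodle OAuth link is established) to confirm whether `SMTP.Send` is present in `scp`, and `smtp_xoauth2_probe("smtp.office365.com", 587, mailbox, token)` to get the raw SMTP reply independent of Moodle's mailer.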