How Can We Help?
Authenticate your Office 365 SMTP email using OAuthAuthenticate your Office 365 SMTP email using OAuth
This article assumes you have completed all steps for SMTP connection with OAuth in Office 365 as described in the official Microsoft documentation:
This feature is available from Pure version 5.33.1
Mail settings
Additional settings have been added in Administrator > System settings > Pure mail to enable SMTP authentication with OAuth for Office 365.
New configuration settings relating to SMTP OAuth authentication:
| Setting | Description | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Email authentication handling |
This can take 3 values:
|
||||||||
OAuth2 client secret (not recommended for production) |
Note: not recommended for production Client credentials secret value from Azure app registration. |
||||||||
OAuth2 private key (RSA, PEM format) |
Private key for certificate based OAuth SMTP authentication. Specify the entire RSA private key in PEM format. The key must begin with "-----BEGIN PRIVATE KEY-----" or “-----BEGIN RSA PRIVATE KEY-----” and end with “-----END PRIVATE KEY-----” or “-----END RSA PRIVATE KEY-----”. Ensure the entire key content is included. This value is required for Office 365/Azure certificate authentication.
|
||||||||
OAuth2 public key certificate (X.509, PEM format) |
Specify the full X.509 certificate in PEM format, beginning with “-----BEGIN CERTIFICATE-----”and ending with "-----END CERTIFICATE-----".
Do NOT enter only a public key ("-----BEGIN PUBLIC KEY-----")
The certificate must match the configured private key and is required for Office 365/Azure certificate authentication. This certificate has been uploaded to the Azure app registration. |
||||||||
OAuth2 application (client) ID |
The application (client) ID registered for OAuth authentication, in Office 365 this is the Azure Active Directory application ID. This value is required for Office 365/Azure authentication. | ||||||||
OAuth2 tenant ID |
The tenant ID used for OAuth authentication, in Office 365 this is the Azure Active Directory tenant ID. This value is required for Office 365/Azure authentication. | ||||||||
OAuth2 scope |
The scope or access permissions requested for OAuth authentication. Default value: "https://outlook.office365.com/.default". This value should not be changed under normal operation |
The below settings are existing settings that must also be correctly adapted for SMTP Oauth authentication to work correctly.
| Setting | Description | |
|---|---|---|
| From e-mail address | The From email address of all emails sent from Pure. For OAuth authentication, this must match the Microsoft username configured for SMTP authentication (or email address if shared mailbox). See: https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth Other values may be valid in advanced DKIM setups. | |
| Mail host (SMTP) | The SMTP server to use (should be your Office 365 SMTP host, typically “smtp.office365.com”). | |
| Mail port | The port used by the SMTP server. For Office 365 SMTP OAuth, set this to 587 | |
| Mail host user name | For OAuth authentication, this must match the Microsoft username configured for SMTP authentication (or email address if shared mailbox). See: https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth | |
| Mail host password | This value is not required for SMTP OAuth authentication (any value here will be ignored). | |
| Enable or disable STARTTLS command | Must be enabled for SMTP OAuth authentication. |
Troubleshooting
- If email sending fails, verify that the "From e-mail address" and "Mail host user name" match (for almost all use cases)
- Confirm that the certificate and private key are correct and in PEM format and are matching.
- Ensure host and port is correct
- Ensure STARTTLS is enabled.
- Check Azure app registration and related permissions for mailbox user as described here.
- Certificate expired - look in Pure's mail queue (Administrator > System settings > Email queue) for an error such as:
Caused by: java.util.concurrent.CompletionException: com.microsoft.aad.msal4j.MsalServiceException: AADSTS700027: The certificate with identifier used to sign the client assertion is expired on application. [Reason - The key used is expired., Found key 'Start=06/17/2025 10:03:21, End=06/17/2025 10:03:21', Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id 'REDACTED'. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft.com/beta/applications/REDACTED']. Trace ID: cfa6f9d6-cdde-4bb6-a190-c4ec1d625e00 Correlation ID: 157f8729-1706-4afb-ba8e-a16b0a4cb485 Timestamp: 2025-06-18 06:27:50Z- This can be resolved by uploading a new valid certificate and key pair.
- This can be resolved by uploading a new valid certificate and key pair.
Published at June 20, 2025