Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
SMTP ERROR: OAuth TOKEN command failed: 535 5.7.3 Authentication unsuccessful.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 83%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EK%3C/text%3E%3C/svg%3E)
kathir
0
Reputation points
Hi, My name is Kathir.
I’m using an Outlook account: kathir***@outlook.com Account type: Personal account.
This account is mainly used for SMTP with PHPMailer.
**Previously, I received an error stating that Basic Authentication is disabled. So, I tried to migrate from Basic Authentication to Modern Authentication (OAuth 2.0). ** I followed these steps in the Azure Portal → App registrations section:
- Navigated to Azure Active Directory > App registrations and selected my application.
- Opened the API permissions section and clicked + Add a permission.
- Chose the Microsoft Graph tile.
- Selected Delegated permissions for sending emails on behalf of a signed-in user.
- In the search box, typed Mail.Send and selected the permission from the results.
- Clicked Add permissions.
- After adding the permission, clicked Grant admin consent and confirmed.
After that, I triggered the authorization URL, received the authorization code, and successfully generated the access token using the code.
I used the following scope: "scope" => "https://graph.microsoft.com/SMTP.Send offline_access"
However, when I tried to send an email through PHPMailer using this token, I received an “Unauthorized” error.
Error:"2025-10-14 04:22:52 SMTP ERROR: OAuth TOKEN command failed: 535 5.7.3 Authentication unsuccessful [SG2PR02CA0041.apcprd02.prod.outlook.com 2025-10-14T04:22:56.154Z 08DE09C6D0C4E5B4] SMTP Error: Could not authenticate."
I would like to confirm — does this “Unauthorized” error indicate a token issue or a code issue?
If it’s a token issue, how can I track the token problem? How is the token generated, and what factors affect it?
Azure API Management
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 85%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVS%3C/text%3E%3C/svg%3E)
VEMULA SRISAI 1,460 Reputation points Microsoft External Staff Moderator2025-10-14T16:57:19.37+00:00 Hello kathir,
Thank you for posting your question in the Microsoft Q&A Forum.
The error "Unauthorized" usually occurs if the required permission is not granted to the Microsoft Entra ID application to perform the action.
To resolve the error, try to pass scope as "https://outlook.office.com/SMTP.Send" in the request.
- You can pass the scope name directly in the authorise URL and while generating the token. - Once the access token is generated make sure to decode the token in jwt.ms and check if the scope SMTP.Send is present.
Let me know if any further queries - feel free to reach out!
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 99%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
-
kathir 0 Reputation points
2025-10-24T05:07:29.9666667+00:00 I decoded the token in jwt.ms and verified that the scope includes SMTP.Send, which is correct. However, even after using the newly generated refresh token in PHPMailer, the email was still not sent — the same issue persists.
token.php // --- Microsoft App Details (Update these if necessary) --- $clientId = "CLIENT_ID"; // **CRITICAL CHANGE**: Changed Tenant ID to 'common' for Personal Microsoft Accounts (Outlook/Hotmail). $tenantId = "common"; $clientSecret = "CLIENT_SECRATE"; $redirectUri = "https://example.com/token.php"; // **CRITICAL FIX**: For personal accounts (common tenant), the Exchange scope is invalid. // We must use the Microsoft Graph scope for SMTP.Send and offline_access. $scope = urlencode('https://graph.microsoft.com/SMTP.Send offline_access'); // --- Step 1: Redirect for Authorization and Consent --- if (!isset($_GET['code'])) { // Note: The URL still uses $tenantId which is now 'common' $authUrl = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/authorize?"; $authUrl .= "client_id=$clientId"; $authUrl .= "&response_type=code"; $authUrl .= "&redirect_uri=" . urlencode($redirectUri); $authUrl .= "&response_mode=query"; $authUrl .= "&scope=$scope"; $authUrl .= "&state=12345"; die(" <h2>Microsoft OAuth 2.0 Authorization Required (Attempt 6: Final Personal Account Scope)</h2> <p>The previous attempt failed due to an invalid scope. We are now using the correct Microsoft Graph scope for personal accounts.</p> <p><a href='$authUrl' target='_blank' style='padding: 10px 20px; background-color: #0078d4; color: white; text-decoration: none; border-radius: 4px;'> Click to Authorize Application (Graph Scope for Personal Account) </a></p> <p><strong>Remember:</strong> Sign in as the SMTP user and complete the sign-in process fully.</p> "); } // --- Step 2: Exchange Authorization Code for Tokens --- $authCode = $_GET['code']; echo "<h2>Authorization Code Received!</h2>"; echo "<p>Exchanging code for Access Token and Refresh Token...</p>"; // Note: The URL still uses $tenantId which is now 'common' $tokenUrl = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"; $postData = [ "client_id" => $clientId, // Use the explicit scope here to request the necessary permissions "scope" => urldecode($scope), "code" => $authCode, "redirect_uri" => $redirectUri, "grant_type" => "authorization_code", "client_secret" => $clientSecret, ]; // Use cURL for token exchange $ch = curl_init($tokenUrl); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($postData)); curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/x-www-form-urlencoded']); $response = curl_exec($ch); $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE); $error = curl_error($ch); curl_close($ch); $tokenData = json_decode($response, true); if ($httpCode === 200 && isset($tokenData['refresh_token'])) { $refreshToken = $tokenData['refresh_token']; echo "<h2>✅ SUCCESS! New Refresh Token Obtained (Personal Account)</h2>"; echo "<p><strong>Your new Refresh Token is:</strong></p>"; echo "<textarea rows='5' cols='80' style='width: 100%; border: 1px solid green; padding: 10px; font-family: monospace;'>" . htmlspecialchars($refreshToken) . "</textarea>"; echo " <p> <strong>Action Required:</strong> Please copy this new token and paste it into your PHPMailer script (replacing the old <code>\$refreshToken</code> value). </p> "; } else { echo "<h2>❌ ERROR: Failed to Obtain Tokens</h2>"; echo "<p>The token exchange failed with HTTP status code: <strong>$httpCode</strong></p>"; if ($error) { echo "<p>cURL Error: " . htmlspecialchars($error) . "</p>"; } if ($tokenData) { echo "<p><strong>Microsoft Error Details:</strong></p>"; echo "<pre>" . print_r($tokenData, true) . "</pre>"; } else { echo "<p>Raw Response:</p>"; echo "<pre>" . htmlspecialchars($response) . "</pre>"; } echo " <p><strong>Next Steps:</strong> If this still fails, you may need to check security settings on your personal Outlook account.</p> ";use PHPMailer\PHPMailer\PHPMailer; use PHPMailer\PHPMailer\Exception; use PHPMailer\PHPMailer\OAuth; use Greew\OAuth2\Client\Provider\Azure; require '../phpmailer-new/vendor/autoload.php'; $email = "******@outlook.com"; $clientId = "CLIENT_ID"; $tenantId = "common"; $clientSecret = "CLIENT_SECRET"; $refreshToken = "GENERATED_TOKEN"; // For Outlook PERSONAL accounts, tenantId must be 'common' $mail = new PHPMailer(true); try { // Configure PHPMailer for SMTP $mail->isSMTP(); $mail->Host = 'smtp.office365.com'; $mail->SMTPAuth = true; $mail->SMTPSecure = PHPMailer::ENCRYPTION_STARTTLS; $mail->Port = 587; $mail->SMTPDebug = 2; // Set debug level // Set OAuth2 token $mail->AuthType = 'XOAUTH2'; $mail->setOAuth(new OAuth([ 'provider' => new Azure([ 'clientId' => $clientId, 'tenantId' => $tenantId, // <--- Value passed to the Azure provider 'clientSecret' => $clientSecret ]), 'clientId' => $clientId, 'refreshToken' => $refreshToken, 'clientSecret' => $clientSecret, 'userName' => $email, // <--- The email address being authenticated ])); //Sender and recipient settings $mail->setFrom($email, 'First Last'); // your office365 email $mail->addAddress('TO_ADDRESS', 'John Doe'); //Content $mail->isHTML(true); $mail->Subject = 'OAuth2 Email Test'; $mail->Body = 'This is a test email using OAuth2 authentication with Office 365 SMTP and PHPMailer.'; //Send email $mail->send(); echo 'Message has been sent'; } catch (Exception $e) { echo "Message could not be sent. Mailer Error: {$mail->ErrorInfo}"; }GET error:
2025-10-24 04:37:42 SERVER -> CLIENT: 220 SI1PR02CA0031.outlook.office365.com Microsoft ESMTP MAIL Service ready at Fri, 24 Oct 2025 04:37:41 +0000 [08DE115C0A2A7D51] 2025-10-24 04:37:42 CLIENT -> SERVER: EHLO tcms.cds.mygooroo.io 2025-10-24 04:37:42 SERVER -> CLIENT: 250-SI1PR02CA0031.outlook.office365.com Hello [18.142.222.81]250-SIZE 157286400250-PIPELINING250-DSN250-ENHANCEDSTATUSCODES250-STARTTLS250-8BITMIME250-BINARYMIME250-CHUNKING250 SMTPUTF8 2025-10-24 04:37:42 CLIENT -> SERVER: STARTTLS 2025-10-24 04:37:42 SERVER -> CLIENT: 220 2.0.0 SMTP server ready 2025-10-24 04:37:42 CLIENT -> SERVER: EHLO tcms.cds.mygooroo.io 2025-10-24 04:37:42 SERVER -> CLIENT: 250-SI1PR02CA0031.outlook.office365.com Hello [18.142.222.81]250-SIZE 157286400250-PIPELINING250-DSN250-ENHANCEDSTATUSCODES250-AUTH LOGIN XOAUTH2250-8BITMIME250-BINARYMIME250-CHUNKING250 SMTPUTF8 2025-10-24 04:37:42 CLIENT -> SERVER: AUTH XOAUTH2 2025-10-24 04:37:42 SERVER -> CLIENT: 334 2025-10-24 04:37:42 CLIENT -> SERVER: dXNlcj1rYXRoaXIudGVzdC5zbXRwQG91dGxvb2suY29tAWF1dGg9QmVhcmVyIEV3QW9CTWw2QkFBVUJLZ204azFVc3dVTndrbG15MnY3VS9TKzFmRUFBYXBjQUhubXV6cXZTZ3M4cGlQOGhXa3owbHp0THhoTjdLM3gwQzdZRGpxNVdwTXl0aHBBK0MyNDUxdzZDOCt2K1JDM3pPdExNeFk3eTdBeGtqWkZiekFWakR1ejc2U2lTYW9kUkpZYy9OR0hsRWdUa1dSYkZQOHZFbEFRQXV6NUNvcUdkTHgwT3FqejdiSnRyeTlxVXB3enRzajRLcmY3MTRBdWpwcG5JOTBUUTNldEFabjBsdUhqK0pCODFlNnBpTDY0M211TUZIaElFYytRQTlYVzZwV05iSWMwcHA1SnhnTVM2dU90aG1EWm00VFFxVUhHZ2w0UmUvLys3YVZrVnNNTFRpZGFFOFhjUXo1V0VicVdRWDI5Z09qUUYxc0RYRk00ck43OUs5eVZIMXllQ010anF1eGl1OVd1QlFtZjdCYlpBNUFNbTU2dHB2a2FVUTRtNDY4UVpnQUFFRHE0UnRlTnFPcDRiY1BIZll0dm5XendBcWxDZXQ3Rk8xOXNFTUxRc0pqYU1qcWtuVHpEeFdGSFg3dTJOUVJJaUNzMkZpMFg3L1JlSE9TOUxjRVd0Y1F0dEp3R0RGM1pQbGc2TTB6VzdSNkVqOHZVZlIvZG5rWjZYckhaQ2VXeWUwLzg1OHJiWEk3aUpxSm1mYXZENnZ1RnE5UmxSaFBWdTdITXJZVm5wWER1SGJkUmRzMHQ4UU16cHBtMk9pYlJUNHQwbWlPSGlKQlZjRzVtMFBHZWIyL29wU1ZYeFFhMDdOSVRsQlU2dXdNZjZaWjkwRkpTNnJLVVMwTWwxN0VYTEJ0RG9yQnA0cWxJSUN3NktkYUN3YU1GWVZCUjFWcFFQRkpIMnFTRHQ5YTBscmxVcVZsRjBwRFlwdHRza2NPTTNmUkhCR0d2b0tQc1ZpYlNjZGZJSTdIeEo2WUJxQ0dXcXgwaENCNkQvVllzdG5FZnZTT0g2YkNZb2xWbFZ6YzIzYndLUVJrM2MxT25iMTltdEEyVExiS2x5aDRuZXdNWFEwMG11TWhZa3pKR0NEcEtiZGF6M21PLyszZUtxQUxmYzhuOFBQb3p3cXdHQnJ0cVFYOHNOcHFIMDYyZ2NaY2hobTJDRHB6NFpJUGNIV0IxbVdnanJQeGFhK2xuczE5Zk1QMys4elVNdzArWTJKT2UwUjdBRExqczA5NHBzWGhYcWp5TGdSb3ZidmZNKzRDN0ovd0dHcElVUXRsLzkrL2FyRUNTU1BJQXJsS054WDU5SGNGSnp0RGZLc09UVmw4eHlWVkNnSUhwSGVIYkU2SFo3clVaMldTTUNLbXR5ZGNscmFMMlYxY3AzZFZHTHRXTHI3c3J4NkFNekc2NUo3ZExmeS80MkZhblhaU1dCNzYxY3hCWklXZWZLY0FJdFJsSlQwOTVjZUdKcUJYMTYxNnRnYUlXVk82ekRpd1pybHF1cnFQVXR6UnVvWGZmVnU5VFNSdS9RaHFIa2FmcStnREN2TWlDQU9zTmtGbHNkb2drUXdERHdCRm5ZZ0d3eTFFT2w3eXVzWTMyT2loMjU2TENYQnBTdW1XbXovUzFNUUcyMVNHZW9mOXc0dTJ4T1RRdUNDZDNuK0xmNW1DcDZVTXdVU2h5TGZiTlRVNnVrU0Y2UDJPTTg1REs1SWkwVDVEd2xvMjRpN3VuanpPbnBzZVJhMFVYVm1kQ1RaYW94V1JhMWQ4MVQ5ZXNnamRDblBZNkp1YmtOS2pGOStwNTFDQUdlbXlkNlN2b2tmRzhkL3BiVmFVVDIyTDFiT29xT0htM2NPbENodlZQa216cTd5dnBPQzdwQVJTeXJoTjBuQ3JaZ1BydU5BTT0BAQ== 2025-10-24 04:37:49 SERVER -> CLIENT: 535 5.7.3 Authentication unsuccessful [SI1PR02CA0031.apcprd02.prod.outlook.com 2025-10-24T04:37:48.238Z 08DE115C0A2A7D51] 2025-10-24 04:37:49 SMTP ERROR: OAuth TOKEN command failed: 535 5.7.3 Authentication unsuccessful [SI1PR02CA0031.apcprd02.prod.outlook.com 2025-10-24T04:37:48.238Z 08DE115C0A2A7D51] SMTP Error: Could not authenticate. 2025-10-24 04:37:49 CLIENT -> SERVER: QUIT 2025-10-24 04:37:49 SERVER -> CLIENT: 221 2.0.0 Service closing transmission channel SMTP Error: Could not authenticate. Message could not be sent. Mailer Error: SMTP Error: Could not authenticate.My Questions:
Does Outlook personal account type allow sending emails? I tried logging into the Microsoft 365 Admin Center (https://admin.microsoft.com/) as an Administrator (not as the SMTP user), but I received this sign-in error: “You can't sign in here with a personal account. Use your work or school account instead.”
I need a Modern Authentication user guide and a video tutorial.
How can I resolve the following issue? CLIENT: 535 5.7.3 Authentication unsuccessful.
Sign in to comment
Sign in to answer