OAuth 2.0 IMAP/SMTP scopes – Outlook endpoint fails, Graph succeeds but mail setup still breaks

We’re trying to connect personal Office 365 mailboxes to SuiteCRM 8 (Bitnami Docker image, PHP 8.1) using Microsoft OAuth 2.0.
The Azure AD app authorisation flow completes and tokens are issued.

What works
• Authorisation flow finishes when we request Microsoft Graph scopes

offline_access email IMAP.AccessAsUser.All Mail.Read …

SuiteCRM stores a valid access/refresh token in external_oauth_tokens.

• All other CRM functions appear normal.

What doesn’t
• If we switch to the Outlook-resource scopes required for IMAP/SMTP

https://outlook.office.com/IMAP.AccessAsUser.All
[…]
offline_access

the redirect to
index.php?entryPoint=setExternalOAuthToken
returns “Not able to get access token. Check logs for more details.”

• Keeping the Graph scopes instead lets the token be saved, but the personal mailbox wizard fails on Test Settings with

IMAP open error: Can not authenticate to IMAP server: A0001 NO AUTHENTICATE failed.

Log excerpt:
ImapHandler:open: {outlook.office365.com:993/service=imap/ssl/tls/validate-cert/secure}INBOX
ImapHandler:open: user@example.com
IMAP open error: Can not authenticate to IMAP server: A0001 NO AUTHENTICATE failed.

Reproduction steps

  1. External OAuth Connection (Admin → OAuth Keys)
    • Authorise / Token URLs: https://login.microsoftonline.com//oauth2/v2.0/
    • Redirect URI: https://crm.example.com/index.php?entryPoint=setExternalOAuthToken
    • Scopes: see above.
  2. Click Connect
    • Graph scopes ⇒ consent succeeds, token saved
    • Outlook scopes ⇒ “Not able to get access token”.
  3. User Profile → Email Settings → Create personal mailbox
    • Server outlook.office365.com, port 993, SSL, OAuth.
  4. Click Test Settings ⇒ error shown.

Verified
• App has delegated permissions and admin consent.
• OAuth 2.0 access to IMAP/SMTP is enabled in the tenant.
• Container clock drift < 1 s.
• No conditional-access policy blocking legacy protocols.

Questions

  1. Does SuiteCRM require the Outlook-resource scopes (and not Graph) for IMAP/SMTP?
  2. Is the “Not able to get access token” error with Outlook scopes a known issue?
  3. Are there any workarounds or additional configuration steps we might be missing?

Happy to provide extra logs or test patches as needed.
Thanks for your help!

Best regards,

You’re running into a known limitation: Microsoft Graph does not support IMAP/SMTP access — only the legacy Outlook scopes (https://outlook.office.com/…) do. However, Microsoft is phasing out support for these Outlook-specific scopes and sometimes blocks token issuance depending on tenant settings. To resolve this, ensure the Azure AD app is using delegated Outlook scopes (not Graph), has mailbox access enabled for these protocols in Microsoft 365 admin center, and that SMTP/IMAP OAuth support is explicitly enabled per mailbox via PowerShell (Set-CASMailbox). Also, double-check if Modern Auth is enabled and there’s no Conditional Access policy blocking legacy resource scopes.

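A small diagnostic for the "NO AUTHENTICATE failed" symptom above, added here as an example and not part of SuiteCRM or the original posts: it decodes the stored access token's claims to check whether it was minted for the Outlook resource or for Graph, builds the SASL XOAUTH2 initial response that the IMAP server expects, and optionally tries it against outlook.office365.com. The audience strings and the `_fake_jwt` helper are assumptions/constructed test data, not values taken from the thread.

```python
import base64
import json
import imaplib

# Assumption: well-known audience identifiers seen in Microsoft-issued tokens.
# Compare against a real token from your tenant before relying on them.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}
OUTLOOK_AUDIENCE = "https://outlook.office.com"
IMAP_SCOPE = "IMAP.AccessAsUser.All"


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying the signature.

    Local inspection only: it shows which resource the token was issued for,
    it does not prove the token is genuine."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact-serialised token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_imap_token(token: str) -> list:
    """List reasons why IMAP XOAUTH2 would reject this token (empty list = looks usable)."""
    claims = decode_jwt_claims(token)
    problems = []
    aud = claims.get("aud", "")
    if aud in GRAPH_AUDIENCES:
        problems.append("token audience is Microsoft Graph; IMAP needs the Outlook resource")
    elif aud != OUTLOOK_AUDIENCE:
        problems.append(f"unexpected audience {aud!r}")
    if IMAP_SCOPE not in claims.get("scp", "").split():
        problems.append(f"scope {IMAP_SCOPE} missing from scp claim")
    return problems


def xoauth2_initial_response(user: str, token: str) -> bytes:
    """SASL XOAUTH2 client response: user=<addr>^Aauth=Bearer <token>^A^A (imaplib base64-encodes it)."""
    return f"user={user}\x01auth=Bearer {token}\x01\x01".encode()


def imap_xoauth2_login(user: str, token: str, host: str = "outlook.office365.com") -> str:
    """Try AUTHENTICATE XOAUTH2 over IMAPS; returns 'OK' or the server's NO/BAD text."""
    try:
        with imaplib.IMAP4_SSL(host, 993) as conn:
            conn.authenticate("XOAUTH2", lambda _challenge: xoauth2_initial_response(user, token))
            return "OK"
    except imaplib.IMAP4.error as exc:
        return f"NO: {exc}"


def _fake_jwt(claims: dict) -> str:
    """Constructed, unsigned token for offline demonstration only (NOT a real Microsoft token)."""
    b64 = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64(b'{"alg":"none"}'), b64(json.dumps(claims).encode()), ""])
```

Run `check_imap_token()` on the value stored in external_oauth_tokens: a Graph audience or a missing IMAP.AccessAsUser.All scope explains the A0001 NO AUTHENTICATE failed response before any network call is made.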