Microsoft 365 / Outlook
Microsoft accounts come in two flavors:
- Personal Outlook.com / Hotmail / Live — the consumer accounts you sign up for at outlook.com.
- Microsoft 365 (Exchange Online) — organizational accounts tied to a tenant (
@yourcompany.com), managed in the Microsoft 365 admin center.
The SMTP setup differs significantly between the two. Read the section that matches your account type.
Important: Basic Auth Deprecation Timeline
Microsoft has announced the permanent removal of Basic Authentication for SMTP submission in Exchange Online (organizational Microsoft 365) through 2026. Beginning March 1, 2026, Microsoft begins rejecting Basic Auth SMTP submissions; by April 30, 2026, rejection reaches 100%. App Passwords for organizational accounts also rely on Basic Auth and stop working at the same time.
What this means:
- Organizational M365 accounts must move to OAuth 2.0 for SMTP if they want to keep sending via SMTP at all.
- Consumer Outlook.com accounts are not affected by the Exchange Online deprecation; the App Password path continues to work for personal accounts.
If you’re on a personal account, follow Path A. If you’re on a Microsoft 365 organizational account, you’ll need Path B.
Path A — Personal Outlook.com / Hotmail / Live
1. Turn on Two-Step Verification
- Sign in at account.microsoft.com.
- Open Security → Two-step verification and turn it on. Follow the prompts.
2. Generate an App Password
- With 2FA enabled, in the same Security area, open App passwords (under “Advanced security options” or “Manage how I sign in”).
- Click Create a new app password.
- Copy the generated value immediately.
3. Configure the Email Destination in Xenocept
Open the Xenocept Settings UI → Destinations → New Destination → Email. Fill in:
| Field | Value |
|---|---|
| SMTP Host | smtp-mail.outlook.com |
| SMTP Port | 587 |
| Security | STARTTLS |
| Username | Your full Outlook.com / Hotmail / Live address |
| Password | The App Password from step 2 |
| From | Same as Username |
| To | Where you want sessions delivered |
Save the destination and submit a test session.
Path B — Microsoft 365 (Exchange Online, organizational)
For organizational Microsoft 365, SMTP authentication requires OAuth 2.0 via an Azure-registered application. This is non-trivial; budget an hour for first-time setup.
What You’ll Need
- Tenant Admin access (or admin help) to consent to API permissions.
- An Azure App Registration with the right permissions.
- A Client ID, Client Secret, and Tenant ID to give to Xenocept’s Email destination — assuming Xenocept’s Email plugin supports OAuth 2.0. If it doesn’t, consider either (a) running a local relay with macOS Postfix configured for OAuth, or (b) using Microsoft’s High Volume Email or Azure Communication Services Email instead of standard SMTP.
Steps
-
Register an app in Microsoft Entra.
- Sign in at portal.azure.com.
- Navigate to Microsoft Entra ID → App registrations → New registration.
- Name it “Xenocept Email” (or similar).
- Supported account types: Accounts in this organizational directory only (single tenant) is fine for internal use.
- Click Register. Note the Application (client) ID and Directory (tenant) ID that appear.
-
Create a client secret.
- In your new app’s Certificates & secrets blade, click New client secret, set an expiry, and copy the secret value immediately — Azure only shows it once.
-
Add API permissions.
- In API permissions, click Add a permission → APIs my organization uses → search Office 365 Exchange Online.
- Choose Application permissions (for client-credentials flow) and select SMTP.SendAsApp.
- Back on the API permissions list, click Grant admin consent (a tenant admin must do this).
-
Service-principal mailbox permission (Exchange admin step).
- In an Exchange Online PowerShell session, register the service principal and grant
SendAson the mailbox you’ll be sending from. Microsoft’s authoritative walkthrough is at Authenticate an IMAP, POP or SMTP connection using OAuth.
- In an Exchange Online PowerShell session, register the service principal and grant
-
Token endpoint and scope.
- Token endpoint:
https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token - Scope:
https://outlook.office365.com/.default - SMTP server:
smtp.office365.com:587, STARTTLS,XOAUTH2mechanism.
- Token endpoint:
-
Configure Xenocept.
- Open Settings → Destinations → New Email destination.
- Enter SMTP host
smtp.office365.com, port587, securitySTARTTLS. - Authentication: provide the client ID, client secret, tenant ID, and target mailbox address — if the Email plugin’s UI exposes OAuth fields. If it only takes a plain SMTP password, this path will not work and you’ll need a local relay or one of Microsoft’s alternative APIs.
Common Issues
- “5.7.139 Authentication unsuccessful, SmtpClientAuthentication is disabled.” Your tenant has SMTP AUTH disabled tenant-wide. Re-enable it in the Exchange admin center, or on a per-mailbox basis with
Set-CASMailbox. - App Passwords disappear after 2026. If you previously used an App Password against Office 365 SMTP, that path is being removed; OAuth 2.0 is the replacement.
- Service principal not provisioned. Step 4 is the one most people skip — without it, OAuth permissions look right in Azure but the SMTP server rejects the token.
When in Doubt
If your needs are “I want to email myself / a teammate occasionally” and your organization permits it, the easiest practical path on M365 is to set up a personal Outlook.com account or a free Gmail account dedicated to Xenocept and use Path A from that account or Gmail instead. The OAuth path is real but heavy for casual use.