FAQ - Office365 Email Configuration

Configure Nodinite email Alarm Plugins for Office365/Microsoft 365 SMTP delivery. This guide provides step-by-step configuration requirements and troubleshooting for common Office365 email issues.

Understanding SMTP Authentication Methods

Microsoft Exchange Online supports two authentication methods for SMTP. Choosing the right one from the start avoids rework and ensures long-term supportability:

Method	How It Works	Typical Requirements	Status
Basic Authentication	Username and password sent with each SMTP request using the AUTH LOGIN command	SMTP AUTH enabled per mailbox, MFA disabled, non-expiring password	⚠️ Deprecated by Microsoft
OAuth 2.0 (OpenID Connect)	Short-lived bearer token obtained from Microsoft Entra; no password transmitted over SMTP	App registration in Microsoft Entra, SMTP.SendAsApp application permission, admin consent, SMTP AUTH still enabled on sending mailbox	✅ Recommended for all new deployments

Important

Microsoft has deprecated Basic Authentication in Exchange Online. Existing configurations using Basic Auth should be migrated to OAuth 2.0. Review the Deprecation of Basic Authentication in Exchange Online announcement for the latest timeline and impact dates.

The sections below cover both methods. If you are setting up Nodinite for the first time with Office365, go directly to Using OAuth 2.0 (OpenID Connect) with Office365.

Office365 SMTP Requirements

To send emails through Office365/Microsoft 365 SMTP servers, ensure the following requirements are met:

Account Requirements

• Email sending permissions - Account must have rights to send emails
• SMTP Authentication enabled - Account must have SMTP AUTH enabled in Office365 portal (see below)
• Multi-factor authentication disabled - MFA must be disabled for the SMTP service account
• Password expiration policy - Password should never expire, OR establish a routine to update it before expiration

Network Requirements

• Outbound TCP Port 587 - Must be allowed through firewalls
• DNS Port 53 (TCP and UDP) - Must be open for hostname resolution
• SSL/TLS encryption - Must be enabled in Nodinite Email Plugin configuration

Nodinite Configuration

• Use SSL checkbox - Must be checked in the Email Alarm Plugin settings
• SMTP Server - smtp.office365.com
• Port - 587
• Username - Full email address (e.g., noreply@yourdomain.com)
• Password - Account password

Enable SMTP Authentication in Office365

SMTP Authentication must be enabled for the service account in the Office365 admin portal:

Step 1: Access Exchange Admin Center

1. Sign in to Microsoft 365 Admin Center
2. Navigate to Admin centers → Exchange
3. Go to Recipients → Mailboxes
4. Select the mailbox used for sending emails

Step 2: Enable SMTP AUTH

1. Click on the mailbox to open details
2. Select the Mail flow settings tab
3. Under Email apps, click Manage email apps settings
4. Check the box for Authenticated SMTP
5. Click Save

Example showing SMTP Authentication checkbox enabled in Office365 mailbox settings.

Important

SMTP Authentication is disabled by default in Office365. You must explicitly enable it for each mailbox that will send emails through Nodinite.

Configure Nodinite Email Alarm Plugin

Email with Options Configuration

1. Navigate to Administration → Settings → Alarm Plugins
2. Click Add to create a new Email Alarm Plugin or select an existing one
3. Configure the following settings:

Setting	Value
SMTP Server	smtp.office365.com
Port	587
Use SSL/TLS	✅ Checked (required)
Username	Full email address (e.g., noreply@yourdomain.com)
Password	Account password

4. Click Save
5. Click Test to verify email delivery

Using OAuth 2.0 (OpenID Connect) with Office365

Nodinite v7 supports OAuth 2.0 authentication for SMTP via the OpenID Authentication option in the Email with Options plugin. This is the recommended approach for Office365/Microsoft 365 as Microsoft has deprecated Basic Authentication in Exchange Online.

Tip

Using OAuth 2.0 eliminates the need to manage service account passwords, removes dependency on SMTP AUTH being enabled per-mailbox, and works with accounts that have MFA enabled. Review the Microsoft guide 'Authenticate an IMAP, POP or SMTP connection using OAuth' for background.

Step 1: Register an Application in Microsoft Entra

1. Sign in to Microsoft Entra admin center
2. Navigate to Identity → Applications → App registrations
3. Click New registration
4. Enter a name (e.g., Nodinite Email Notifications)
5. Select Accounts in this organizational directory only
6. Click Register
7. Note the Application (client) ID and Directory (tenant) ID — you will need these

Step 2: Add API Permissions

1. In the registered app, go to API permissions → Add a permission
2. Select APIs my organization uses and search for Office 365 Exchange Online
3. Choose Application permissions
4. Add the permission: SMTP.SendAsApp
5. Click Add permissions
6. Click Grant admin consent for your organization

Step 3: Create a Client Secret

1. Go to Certificates & secrets → New client secret
2. Enter a description and set an expiry period
3. Click Add
4. Copy the Value immediately — it is only shown once

Important

Set a calendar reminder before the client secret expires. When it expires, Nodinite will stop sending emails. Update the secret in both Microsoft Entra and the Nodinite plugin before expiry.

Step 4: Enable SMTP AUTH for the Sending Mailbox

Even when using OAuth, the sending mailbox must have Authenticated SMTP enabled in Exchange Online — follow Step 2: Enable SMTP AUTH above.

Step 5: Configure the Email with Options Plugin

1. Navigate to Administration → Settings → Alarm Plugins → E-mail with Options
2. Go to the SMTP Options tab
3. Configure the following settings:

Setting	Value
SMTP Server	smtp.office365.com
Port	587
Use SSL/TLS	✅ Checked (required)
Enable Authentication	✅ Checked
Authentication Type	OpenID (OAuth 2.0)
Client Id	Application (client) ID from Step 1
Client Secret	Secret value from Step 3
OpenID Endpoint Configuration	https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration (replace {tenant-id} with your Directory tenant ID)
Scope	https://outlook.office365.com/.default

4. Click Save
5. Click Test to verify email delivery

Note

The OpenID endpoint URL uses the client credentials grant flow (application permissions), not delegated user permissions. This is the correct flow for background services and daemons sending email on behalf of a mailbox.

---

Troubleshooting Common Issues

Issue: "Authentication failed"

Cause

SMTP Authentication not enabled or incorrect credentials.

Solution

1. Verify SMTP AUTH is enabled in Office365 (see Enable SMTP Authentication above)
2. Confirm username is the full email address, not just the username
3. Verify password is correct
4. Check if MFA is disabled for the account

Issue: "Connection timeout"

Cause

Firewall blocking outbound TCP port 587.

Solution

# Test connectivity to Office365 SMTP
Test-NetConnection -ComputerName smtp.office365.com -Port 587

If TcpTestSucceeded is False:

• Allow outbound TCP 587 in Windows Firewall
• Check corporate firewall rules
• Verify no proxy blocking SMTP traffic

Issue: "SSL/TLS handshake failed"

Cause

SSL checkbox not enabled or TLS version mismatch.

Solution

1. Ensure Use SSL checkbox is checked in Email Alarm Plugin
2. Verify Windows Server supports TLS 1.2 (Office365 requires TLS 1.2+)
3. Enable TLS 1.2 if needed:

# Enable TLS 1.2 in Windows
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value 1 -Type DWord
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value 1 -Type DWord

Restart required after enabling TLS 1.2.

Issue: "Mailbox not found"

Cause

Email address does not exist or username incorrect.

Solution

• Verify the email address exists in Office365
• Confirm username in Nodinite is the full email address
• Check for typos in email address

Issue: Password expired

Cause

Service account password has expired.

Solution

1. Reset password in Office365 admin portal

2. Update password in Nodinite Email Alarm Plugin

3. Configure password to never expire:

   • In Office365 admin center → Users → Active users
   • Select the service account
   • Click Reset password
   • Uncheck Require this user to change their password when they first sign in
   • Check Password never expires

Tip

Use a dedicated service account for Nodinite email notifications with a strong password that never expires. Avoid using personal user accounts.

DNS Resolution Issues

If you encounter DNS resolution errors:

• Verify DNS servers - Ensure Nodinite server can resolve smtp.office365.com
• Test DNS resolution:

# Test DNS resolution
nslookup smtp.office365.com

# Test with specific DNS server (e.g., Google DNS)
nslookup smtp.office365.com 8.8.8.8

See FAQ - DNS Resolution Errors for detailed DNS troubleshooting.

Multi-Factor Authentication (MFA)

Office365 accounts with MFA enabled cannot use SMTP authentication directly. You have two options:

Option 1: Disable MFA (Recommended for Service Accounts)

1. Create a dedicated service account for Nodinite email notifications
2. Disable MFA for this account only
3. Use conditional access policies to restrict access (e.g., allow only from Nodinite server IP)
4. Set password to never expire

Option 2: Use App Password (Alternative)

If MFA must remain enabled:

1. Generate an app password in Office365
2. Use the app password instead of the account password in Nodinite
3. Note: App passwords are deprecated in some Office365 plans

Warning

Microsoft is phasing out app passwords. The recommended approach is to use a dedicated service account with MFA disabled and conditional access policies for security. Note that Microsoft has also deprecated Basic Authentication in Exchange Online — review the Deprecation of Basic Authentication in Exchange Online announcement for the latest status and timelines.

Option 3: Use OAuth 2.0 — Recommended for Nodinite v7+

Switch to OAuth 2.0 (OpenID Connect) authentication in the Nodinite Email with Options plugin. This works regardless of MFA settings and is the modern, Microsoft-recommended approach. See Using OAuth 2.0 (OpenID Connect) with Office365 above for full setup instructions.

Official Microsoft Documentation

For additional configuration guidance, refer to Microsoft's official documentation:

How to set up a multifunction device or application to send email using Microsoft 365 or Office 365

Authenticate an IMAP, POP or SMTP connection using OAuth

Deprecation of Basic Authentication in Exchange Online

Configuration Checklist

Basic Authentication Checklist

Before testing with Basic Authentication, verify:

• ✅ Service account exists in Office365 with email sending permissions
• ✅ SMTP Authentication enabled in Office365 mailbox settings
• ✅ Multi-factor authentication disabled for service account
• ✅ Password never expires (or routine established for updates)
• ✅ Outbound TCP port 587 allowed in firewall
• ✅ DNS port 53 (UDP and TCP) open
• ✅ Nodinite Email Plugin SMTP Options configured with smtp.office365.com:587
• ✅ Use SSL checkbox checked
• ✅ Username is full email address
• ✅ Password is correct

OAuth 2.0 (OpenID Connect) Checklist

Before testing with OAuth 2.0, verify:

• ✅ App registration created in Microsoft Entra
• ✅ SMTP.SendAsApp application permission added and admin consent granted
• ✅ Client secret created and stored securely (shown only once at creation)
• ✅ Calendar reminder set before client secret expiry date
• ✅ SMTP Authentication still enabled on the sending mailbox in Exchange Online
• ✅ Outbound TCP port 587 allowed in firewall
• ✅ DNS port 53 (UDP and TCP) open
• ✅ Nodinite Email Plugin Authentication Type set to OpenID
• ✅ Use SSL checkbox checked
• ✅ Correct tenant ID used in OpenID Endpoint Configuration URL
• ✅ Scope set to https://outlook.office365.com/.default

Next Step

• FAQ - SSL/TLS Certificate Revocation Issues
• FAQ - DNS Resolution Errors
• Add or manage Alarm Plugin

Related Topics

• FAQ - Troubleshooting Alarm Plugins Overview
• Email with Options
• Support