SMTP configuration with Exchange Online OAuth2 fails: Invalid client secret provided

Author: Fabrizio Antonioli
Date: 23 Sep 2025
Audience: Administrators
Environmental Details: Self-hosted

Summary

When configuring Jama Connect® to send emails through Microsoft Exchange Online with OAuth2 authentication, you may encounter this error:

Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID.

This issue occurs when:

The Client Secret ID or an OAuth access token is mistakenly entered into Jama Connect instead of the Client Secret Value.
The app registration has only Graph Mail.Send permission, which does not support SMTP AUTH.
The OAuth scope is set incorrectly (e.g.: Graph API scope instead of Exchange Online).

Log in to the Azure portal.
Go to App registrations and select or create an application for Jama Connect.
Under Certificates & Secrets:
- Create a Client Secret.
- Copy and save the Client Secret Value (this is only shown once).
- Do not use the Client Secret ID, Jama Connect requires the value.
Under API permissions:
- Add permission for Office 365 Exchange Online > Application Permissions > SMTP.Send.
- Grant Admin Consent.
- Note: 'Mail.Send' is a Microsoft Graph permission and will not work for SMTP AUTH.

In the root admin console, go to System Properties > Outgoing Email (SMTP) and make sure your configuration looks like this:

SMTP Host: smtp.office365.com
Port: 587
Is TLS Enabled: True
Is SASL XOAauth2 Enabled: true
Username: The mailbox email address Jama Connect should send from
Password: Paste the Client Secret Value (not an access token, not the secret ID)
OAuth Client ID: From Azure App Registration
OAuth Authority: https://login.microsoftonline.com/<tenant_id>/v2.0
OAuth Scope: https://outlook.office365.com/.default

Save and use Test Email to verify the configuration.

Feedback:
Have suggestions or improvements? Please leave your feedback in the comments section below.