
Configure SMTP AUTH Client Submission using OAuth: Send Test Email Using OAuth (Exchange Online)

  • Writer: Tawsif Mulani
  • Jan 10

A step-by-step guide to send mail using SMTP Auth + OAuth.


For years, Basic Authentication has been the quiet workhorse behind countless SMTP integrations — simple, predictable, and admittedly a little outdated. But as Microsoft tightens security across the Microsoft 365 ecosystem, Basic Auth for SMTP is finally reaching its end of life. The message is clear: it’s time to move to OAuth 2.0.

Most admins already know how to configure OAuth for SMTP. Microsoft’s documentation lays out the steps: register an app, assign permissions, generate a token, update your code. Straightforward enough.

But here’s the real challenge — how do you test SMTP OAuth before rolling it out in production?

Because let’s be honest:

  • You don’t want to break a live mail flow.

  • You don’t want to deploy untested code.

  • And you definitely don’t want to troubleshoot OAuth token issues at 2 AM when your application stops sending emails.

That’s exactly where this guide comes in.

In this blog, we’ll walk through a practical, repeatable way to test SMTP OAuth end‑to‑end — without touching production. Think of it as your personal SMTP OAuth “sandbox”: perfect for validation, perfect for troubleshooting, and perfect for avoiding surprises later.


High‑Level Architecture (Simple Explanation)

Before we get into the code, let’s quickly understand how everything fits together. I promise — nothing here is scary.

Components involved

  1. Azure AD App Registration and Permission (not covered on this page).

  2. HTML Front-End: a small web page with a form where the user enters:

    • To

    • Subject

    • Body

    That’s it. Just a simple form. 

  3. Node.js Backend: this is the part that runs on the server.

    And don’t worry — even if you’ve never heard of Node.js, it’s completely fine.

    Just think of it as the helper that does all the behind‑the‑scenes work.

    It handles four things:

    • Shows the HTML page to the user

    • Receives the form data when the user clicks Send

    • Uses the Azure AD app (created in Part 1) to get an OAuth2 token

    • Uses Nodemailer to send the email through smtp.office365.com using XOAUTH2

    So Node.js is basically the messenger between your form (HTML page) and Microsoft 365.

 

How the flow works

  1. The user opens the website and fills out the form.

  2. When they click Send, Node.js asks Azure AD for an access token.

  3. Node.js then connects to smtp.office365.com using XOAUTH2 and sends the email as User@yourdomain.com.



Build the Test Tool (Very Simple Steps)

  1. Create the project folder

    First, create a new folder anywhere on your computer.


    This folder will contain all your files.

    Example folder structure:


    Name-your-project-folder/   

    index.html   

    server.js   


  1. Open the folder in Command Prompt or PowerShell.

    Example:

    cd "C:\Path\To\your-project-folder"

     

  2. Before continuing: Install Node.js (very simple)

    If you don’t have Node.js installed:

    1. Download the LTS (Recommended) version.

    2. Run the installer:

      - Click Next

      - Accept the license

      - Keep all default settings

      - Make sure “Add to PATH” is checked

      - Finish installation

    3. Close PowerShell/Command Prompt and open it again.


  3. Initialize Node.js and install required packages

    From PowerShell or Command Prompt, inside your project folder, run:

    Step 1: Create a basic Node.js project

    npm init -y

    This creates package.json automatically.

    Step 2: Install the packages we need

    npm install express body-parser nodemailer @azure/msal-node

    These packages help us:

    • run a small web server

    • read form data

    • send email

    • get OAuth tokens


  4. Create the HTML page (index.html)

    Create a file named index.html and paste the following:

    <!DOCTYPE html>
    <html>
    <head>
        <title>Send Email via EXO OAuth SMTP</title>
    </head>
    <body>
        <h2>Send Email using SMTP OAuth2</h2>
        <form action="/send" method="POST">
            <label>To:</label><br>
            <input type="email" name="to" required><br><br>
            <label>Subject:</label><br>
            <input type="text" name="subject" required><br><br>
            <label>Body:</label><br>
            <textarea name="body" rows="6" cols="40"></textarea><br><br>
            <button type="submit">Send Email</button>
        </form>
    </body>
    </html>

    This is a simple form.

    When you click Send Email, it sends the data to /send on the server.

  5. Create the backend (server.js)

    Create a file named server.js and paste the code below.

    Important values you must update in the code:

    1. tenantId → Your Azure AD Tenant ID

    2. clientId → Your App Registration’s Client ID

    3. clientSecret → Your App Secret

    4. fromAddress → The mailbox you want to send from

    //++++++++++++++++++++++++++++++++++++++++++++++++
    const express = require("express");
    const bodyParser = require("body-parser");
    const nodemailer = require("nodemailer");
    const { ConfidentialClientApplication } = require("@azure/msal-node");

    const app = express();
    // Parse the URL-encoded form fields posted by index.html
    app.use(bodyParser.urlencoded({ extended: true }));

    // -----------------------------
    // CONFIGURATION
    // -----------------------------
    // Test values only: keep the real client secret out of source control.
    const tenantId = "YOUR_TENANT_ID";
    const clientId = "YOUR_CLIENT_ID";
    const clientSecret = "YOUR_CLIENT_SECRET";
    const fromAddress = "User@yourdomain.com"; // EXO mailbox

    // MSAL OAuth2 Client (client credentials flow)
    const msalConfig = {
        auth: {
            clientId: clientId,
            authority: `https://login.microsoftonline.com/${tenantId}`,
            clientSecret: clientSecret
        }
    };

    const cca = new ConfidentialClientApplication(msalConfig);

    // -----------------------------
    // GET ACCESS TOKEN
    // -----------------------------
    async function getAccessToken() {
        const tokenRequest = {
            scopes: ["https://outlook.office365.com/.default"]
        };

        const response = await cca.acquireTokenByClientCredential(tokenRequest);
        // MSAL can resolve with null; fail with a clear message instead of a TypeError
        if (!response || !response.accessToken) {
            throw new Error("No access token returned by Azure AD");
        }
        return response.accessToken;
    }

    // -----------------------------
    // SEND EMAIL ROUTE
    // -----------------------------
    app.post("/send", async (req, res) => {
        try {
            const { to, subject, body } = req.body;

            const accessToken = await getAccessToken();

            const transporter = nodemailer.createTransport({
                host: "smtp.office365.com",
                port: 587,
                secure: false,    // port 587 starts in plain text and upgrades with STARTTLS
                requireTLS: true, // do not send the token if STARTTLS cannot be negotiated
                auth: {
                    type: "OAuth2",
                    user: fromAddress,
                    accessToken: accessToken
                }
            });

            await transporter.sendMail({
                from: fromAddress,
                to: to,
                subject: subject,
                text: body
            });

            res.send("Email sent successfully!");
        } catch (err) {
            console.error(err);
            res.status(500).send("Error sending email: " + err.message);
        }
    });

    // -----------------------------
    // SERVE HTML FILE
    // -----------------------------
    app.get("/", (req, res) => {
        res.sendFile(__dirname + "/index.html");
    });

    // -----------------------------
    // START SERVER
    // -----------------------------
    // Bind to the loopback interface only, so other machines on the network
    // cannot reach this unauthenticated form and send mail as fromAddress.
    app.listen(3000, "127.0.0.1", () => console.log("Server running on http://localhost:3000"));
    //++++++++++++++++++++++++++++++++++++++++++++++++


  6. Run the server

    In PowerShell/Command Prompt, inside your project folder, run:

    node server.js

    You should see:

    Server running on http://localhost:3000


  7. Now open your browser and go to:

    http://localhost:3000


    Fill in the form → click Send Email → your test email is sent using SMTP OAuth.


This concludes the setup for sending test emails using OAuth with Client Submission (SMTP AUTH). With this configuration in place, you can now validate authentication, troubleshoot issues, and ensure your integration works as expected.
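
For the troubleshooting step, a preflight check of the access token and of the XOAUTH2 string that goes to smtp.office365.com, as an added example that is not part of the original post. It decodes the token for diagnostics only (the signature is not verified) and assumes the token is a JWT whose aud mirrors the requested scope and whose roles claim carries SMTP.SendAsApp; the function names and the sample token are constructed for illustration.

```javascript
// Added example: diagnostic only. The JWT signature is NOT verified here.
const SCOPE = "https://outlook.office365.com/.default"; // scope used in server.js
const REQUIRED_ROLE = "SMTP.SendAsApp"; // assumption: app-only SMTP permission

// Decode the base64url payload segment of a JWT into an object.
function decodeClaims(accessToken) {
    const parts = String(accessToken).split(".");
    if (parts.length !== 3) throw new Error("not a three-part JWT");
    return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8")) || {};
}

// Return the problems found in the token; an empty array means it looks usable.
function checkSmtpToken(accessToken, nowSeconds = Math.floor(Date.now() / 1000)) {
    let claims;
    try {
        claims = decodeClaims(accessToken);
    } catch (err) {
        return ["cannot decode token: " + err.message];
    }
    const problems = [];
    const expectedAud = SCOPE.replace(/\/\.default$/, ""); // assumption: aud mirrors the scope
    if (claims.aud !== expectedAud) {
        problems.push(`aud is ${claims.aud}, expected ${expectedAud}`);
    }
    if (!Array.isArray(claims.roles) || !claims.roles.includes(REQUIRED_ROLE)) {
        problems.push(`roles claim lacks ${REQUIRED_ROLE}`);
    }
    if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) {
        problems.push("token is expired or has no exp claim");
    }
    return problems;
}

// SASL XOAUTH2 initial client response: user and bearer token joined by Ctrl-A bytes.
function buildXoauth2(user, accessToken) {
    return Buffer.from(`user=${user}\x01auth=Bearer ${accessToken}\x01\x01`).toString("base64");
}

// Constructed, unsigned sample token with fake values so the example runs offline.
function makeSampleToken(claims) {
    const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
    return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.constructed-signature`;
}

const sample = makeSampleToken({
    aud: "https://outlook.office365.com", roles: ["SMTP.SendAsApp"], exp: 2000000000,
});
console.log(checkSmtpToken(sample, 1900000000)); // no problems for the sample token
```

In server.js, checkSmtpToken(accessToken) can be called right after getAccessToken() and its result logged before the SMTP connection is opened.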

 
 
 


Happy Learning!!!
