A working scan to email setup for Microsoft 365 using OAuth
Microsoft retired basic SMTP auth for Exchange Online in 2023. The working replacement is OAuth 2.0 — this guide walks through Entra ID app registration, MFP configuration, and the gotchas that consume IT time during setup.
Why this setup matters now
Exchange Online no longer accepts username/password SMTP authentication. Any MFP scan-to-email going through Microsoft 365 must use OAuth 2.0 or the High Volume Email service. For modern MFPs (2023+ firmware) OAuth is the supported path.
The OAuth setup is more involved than the legacy username/password approach but produces a far more secure result: the MFP authenticates with a tenant-registered application credential, the credential can be revoked centrally without changing user passwords, and the connection survives password rotations indefinitely. The setup runs across three systems — Entra ID admin centre, Exchange admin centre, and the MFP web interface — so coordination between roles matters.
The three setup stages
Entra ID app registration
Register an application in Entra ID with the appropriate Microsoft Graph or Exchange Online permissions for sending mail.
Exchange Online configuration
Configure the mailbox the MFP will send from, grant the app permission to send as that mailbox, and confirm sending policies allow it.
MFP configuration
Configure the MFP's SMTP settings to authenticate using the OAuth credentials from the registered app.
Stage 1: Register the application in Entra ID
Sign in to the Entra ID admin centre
Navigate to entra.microsoft.com with Global Administrator or Application Administrator role. Open Applications → App registrations.
Register a new application
Click "New registration". Name: MFP-ScanToEmail or similar. Supported account types: "Accounts in this organizational directory only". Redirect URI: leave blank for daemon-style applications. Click Register.
Record the Application (client) ID and Directory (tenant) ID
The Overview page shows both IDs. Copy them to a temporary document — the MFP needs both during configuration.
Create a client secret
Open Certificates & secrets → New client secret. Name: MFP scan secret. Expiry: 24 months (rotate before expiry to avoid service interruption). Click Add. Copy the secret VALUE immediately — it cannot be retrieved later.
Grant API permissions
Open API permissions → Add a permission → Microsoft Graph → Application permissions. Add Mail.Send (or Mail.Send.Shared if sending from a shared mailbox). Click "Grant admin consent" — required for application-level permissions to take effect.
Stage 2: Configure the Exchange mailbox
Identify or create the scan mailbox
The scan-to-email sender should be a dedicated mailbox like scans@empresa.com rather than a personal user mailbox. Create the mailbox in Exchange admin centre if it does not exist.
Restrict the app to send only as the scan mailbox
By default, the granted Mail.Send permission allows sending from any mailbox in the tenant. Restrict to just the scan mailbox using PowerShell ApplicationAccessPolicy: connect with Connect-ExchangeOnline, then New-ApplicationAccessPolicy -AppId <client_id> -PolicyScopeGroupId scans@empresa.com -AccessRight RestrictAccess -Description "MFP scan policy".
Verify with Test-ApplicationAccessPolicy
Run Test-ApplicationAccessPolicy -Identity scans@empresa.com -AppId <client_id> — the result should show "Granted". Then test with a different mailbox identity — the result should show "Denied". This confirms the policy locks the app to just the scan mailbox.
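The Stage 2 commands as one script, with the Granted/Denied check and the propagation wait from the troubleshooting list built in. This is an added example, not a script from the original guide; it assumes the ExchangeOnlineManagement module is installed, that $ClientId is the Application (client) ID recorded in Stage 1, and that $ControlMailbox is a constructed placeholder for any other mailbox in the tenant.

```powershell
# Added example, not part of the original guide. Creates the ApplicationAccessPolicy that confines
# the registered app to the scan mailbox, then polls Test-ApplicationAccessPolicy until the policy
# is visibly in effect (Granted for the scan mailbox, Denied for any other mailbox).
$ClientId       = '<client_id>'               # placeholder: Application (client) ID from Stage 1
$ScanMailbox    = 'scans@empresa.com'          # the dedicated scan mailbox
$ControlMailbox = 'someone.else@empresa.com'   # constructed: any mailbox the app must NOT reach

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Idempotent: only create the policy if none exists for this app yet
$existing = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $ClientId }
if (-not $existing) {
    New-ApplicationAccessPolicy -AppId $ClientId -PolicyScopeGroupId $ScanMailbox `
        -AccessRight RestrictAccess -Description 'MFP scan policy' | Out-Null
    Write-Host 'Policy created; it can take up to 60 minutes to propagate.'
}

function Test-ScanPolicy {
    param([string]$AppId, [string]$Allowed, [string]$Control)
    $results = foreach ($mbx in $Allowed, $Control) {
        $r = Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppId
        [pscustomobject]@{ Mailbox = $mbx; Result = $r.AccessCheckResult }
    }
    $results | Format-Table -AutoSize | Out-String | Write-Host
    # Before the policy propagates BOTH mailboxes report Granted, so the control mailbox
    # reporting Denied is the check that proves the restriction is live.
    $ok = ($results[0].Result -eq 'Granted') -and ($results[1].Result -eq 'Denied')
    if (-not $ok) { Write-Warning 'Policy not effective yet (or scoped to the wrong mailbox).' }
    $ok
}

# Poll every 5 minutes for up to an hour, matching the propagation delay noted in the guide
$deadline = (Get-Date).AddMinutes(60)
do {
    $effective = Test-ScanPolicy -AppId $ClientId -Allowed $ScanMailbox -Control $ControlMailbox
    if (-not $effective) { Start-Sleep -Seconds 300 }
} until ($effective -or (Get-Date) -gt $deadline)

Disconnect-ExchangeOnline -Confirm:$false
```

Run it from an account holding the Exchange Administrator role. The policy scope can also be a mail-enabled security group if several devices share one sender, but for a single MFP the mailbox itself is the tightest scope.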
Stage 3: Configure the MFP
Open the MFP SMTP settings page
Browse to the device's web admin interface, locate SMTP or scan-to-email configuration. Look specifically for an "OAuth 2.0" or "Modern Authentication" option — older firmware may not offer this and would require a firmware update before continuing.
Configure SMTP server connection
SMTP server: smtp.office365.com. Port: 587. Encryption: STARTTLS. Authentication type: OAuth 2.0 (not username/password).
Enter the OAuth credentials
Tenant ID: from Stage 1. Client ID: from Stage 1. Client secret: from Stage 1. The "from address" field: the scan mailbox address (scans@empresa.com).
Save and trigger token acquisition
Some MFPs acquire the OAuth token on first send; others have an explicit "Test" or "Authenticate" button. Run the test. The device should report successful authentication within 10-20 seconds.
Send a test scan to verify end-to-end
From the device touchscreen, scan a page to your own email. Check the email arrives, the From address shows the scan mailbox, and the attachment is intact.
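Before trusting the MFP's "Test" button, it is worth reproducing what the device does from an admin workstation: acquire an app-only token with the Stage 1 credentials, inspect which application permissions admin consent actually granted, and perform SMTP AUTH XOAUTH2 against smtp.office365.com over STARTTLS. One caveat the guide does not spell out: SMTP AUTH only accepts a token issued for the Exchange Online resource (scope https://outlook.office365.com/.default, backed by the SMTP.SendAsApp application permission of the Office 365 Exchange Online API, with admin consent); a token issued for Microsoft Graph on the strength of Mail.Send is what the Graph sendMail API expects and is rejected by the SMTP endpoint. The script below is an added example, not code from the original guide or any MFP vendor; the tenant ID, client ID and secret are placeholders from Stage 1, the EHLO name is made up, and the JWT is decoded only to read its claims, not to verify it.

```powershell
# Added example, not part of the original guide. Acquires an app-only token for the registered
# application and performs SMTP AUTH XOAUTH2 against smtp.office365.com, which is what the MFP
# does on "Test" or first send. Replace the placeholders with the Stage 1 values before running.
$TenantId     = '<tenant_id>'             # placeholder: Directory (tenant) ID from the app Overview page
$ClientId     = '<client_id>'             # placeholder: Application (client) ID from the app Overview page
$ClientSecret = '<client_secret_value>'   # placeholder: the secret VALUE copied when it was created
$FromAddress  = 'scans@empresa.com'       # the dedicated scan mailbox
$SmtpHost     = 'smtp.office365.com'
$SmtpPort     = 587

# 1. Client-credentials token for the Exchange Online resource (SMTP AUTH does not accept a Graph token)
$tokenUri  = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
$tokenBody = @{
    grant_type    = 'client_credentials'
    client_id     = $ClientId
    client_secret = $ClientSecret
    scope         = 'https://outlook.office365.com/.default'
}
$token = (Invoke-RestMethod -Method Post -Uri $tokenUri -Body $tokenBody).access_token

# 2. Decode the JWT payload (claims only, no signature check) to see which application
#    permissions admin consent granted; for SMTP AUTH expect 'SMTP.SendAsApp' in roles.
function ConvertFrom-JwtPayload([string]$Jwt) {
    $b64 = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}
$claims = ConvertFrom-JwtPayload $token
Write-Host "aud   : $($claims.aud)"
Write-Host "roles : $($claims.roles -join ', ')"
if (-not $claims.roles) { Write-Warning 'No roles claim: admin consent has not been granted for the application permissions.' }

# 3. Minimal SMTP client: plain-text dialogue up to STARTTLS, then the same dialogue inside TLS
function Read-SmtpReply([System.IO.StreamReader]$Reader) {
    $lines = @()
    do { $line = $Reader.ReadLine(); $lines += $line } while ($line -match '^\d{3}-')   # "250-" continuation lines
    $lines -join "`n"
}
function Send-SmtpCommand($Writer, $Reader, [string]$Command) {
    $Writer.WriteLine($Command)
    $reply = Read-SmtpReply $Reader
    $shown = if ($Command -like 'AUTH *') { 'AUTH XOAUTH2 <redacted>' } else { $Command }   # keep the token out of logs
    Write-Host "C: $shown`nS: $reply"
    $reply
}
function New-SmtpIo($Stream) {
    $reader = New-Object System.IO.StreamReader($Stream)
    $writer = New-Object System.IO.StreamWriter($Stream)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
    $reader, $writer
}

$tcp       = New-Object System.Net.Sockets.TcpClient($SmtpHost, $SmtpPort)
$netStream = $tcp.GetStream()
$reader, $writer = New-SmtpIo $netStream
Write-Host "S: $(Read-SmtpReply $reader)"                                  # 220 banner
Send-SmtpCommand $writer $reader 'EHLO mfp-oauth-check' | Out-Null           # EHLO name is made up
if ((Send-SmtpCommand $writer $reader 'STARTTLS') -notmatch '^220') { throw 'Server refused STARTTLS' }

$tls = New-Object System.Net.Security.SslStream($netStream, $false)
$tls.AuthenticateAsClient($SmtpHost)                                        # validates the server certificate
$reader, $writer = New-SmtpIo $tls
Send-SmtpCommand $writer $reader 'EHLO mfp-oauth-check' | Out-Null

# 4. XOAUTH2 initial client response: "user=<mailbox>^Aauth=Bearer <token>^A^A", base64-encoded
$xoauth2 = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(
    ('user={0}{1}auth=Bearer {2}{1}{1}' -f $FromAddress, [char]1, $token)))
$reply = Send-SmtpCommand $writer $reader "AUTH XOAUTH2 $xoauth2"
if ($reply -match '^235') {
    Write-Host "OK: SMTP OAuth authentication succeeded as $FromAddress"
} elseif ($reply -match '^334 (\S+)') {
    # Some servers answer a failed XOAUTH2 with a base64 error detail and wait for an empty line
    Write-Warning ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($Matches[1])))
    Send-SmtpCommand $writer $reader '' | Out-Null
} else {
    Write-Warning "Authentication failed: $reply"
}
Send-SmtpCommand $writer $reader 'QUIT' | Out-Null
$tcp.Close()
```

If the token carries the expected role but AUTH still fails, check that SMTP AUTH is enabled for the scan mailbox (Get-CASMailbox scans@empresa.com | Select-Object SmtpClientAuthenticationDisabled should show False) and that the ApplicationAccessPolicy from Stage 2 is scoped to that mailbox. A 235 reply here means the MFP's failure, if any, lies in the device settings rather than in the tenant.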
The configuration values reference
Setting          Value
Port             587 (STARTTLS)
Encryption       STARTTLS required
Auth type        OAuth 2.0 (NOT username/password)
Tenant ID        from Entra ID app overview
Client ID        from Entra ID app overview
Client secret    generated in Entra ID app secrets
From address     scans@empresa.com (the dedicated mailbox)
Token endpoint   login.microsoftonline.com (default)
Common OAuth setup issues
What can go wrong
- Admin consent not granted: the Mail.Send permission shows as "Granted for <tenant>" only after an admin clicks "Grant admin consent". Verify the API permissions page shows the green check mark.
- ApplicationAccessPolicy applied but takes time to propagate: the policy can take up to 60 minutes to fully apply. Wait an hour after running New-ApplicationAccessPolicy before testing.
- MFP firmware does not support OAuth 2.0: older firmware (typically pre-2022) supports only basic auth. Update to current firmware or accept that the device cannot use M365 SMTP and route through an SMTP relay instead.
- Client secret expired: secrets expire on their configured date. Set a calendar reminder 30 days before expiry to generate a fresh secret and update the MFP configuration.
- From address blocked by SPF/DMARC: if sending from a domain not associated with the M365 tenant, SPF and DMARC may reject the messages. Ensure the From address uses a verified domain in the M365 tenant.
- Token refresh failures: OAuth tokens expire and refresh automatically. If refresh fails (often due to client secret expiry or revoked admin consent), the next scan email fails until the configuration is updated.
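The "Client secret expired" and "Token refresh failures" items both trace back to a secret expiry nobody noticed. A calendar reminder works until someone leaves; a scheduled check does not. The following is an added example, not a script from the original guide: it lists the MFP app's client secrets with days remaining and exits non-zero inside the warning window, so it can run as a scheduled task that raises a ticket. It assumes the app registration is named MFP-ScanToEmail as suggested in Stage 1, that the Microsoft.Graph PowerShell module is installed, and uses the guide's 30-day window.

```powershell
# Added example, not part of the original guide. Reports client secrets on the MFP app
# registration that are expired or inside the warning window, for a scheduled task.
$AppDisplayName = 'MFP-ScanToEmail'   # name chosen in Stage 1 (assumption)
$WarnDays       = 30                  # the guide's 30-day reminder window

Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes 'Application.Read.All'   # read-only; no write permission needed for a report

function Get-ExpiringSecrets {
    param([string]$DisplayName, [int]$Days)
    $app = Get-MgApplication -Filter "displayName eq '$DisplayName'"
    if (-not $app) { throw "No app registration named '$DisplayName' found." }
    $now = Get-Date
    foreach ($cred in $app.PasswordCredentials) {
        $daysLeft = [math]::Floor(($cred.EndDateTime - $now).TotalDays)
        [pscustomobject]@{
            Secret   = $cred.DisplayName
            KeyId    = $cred.KeyId
            Expires  = $cred.EndDateTime
            DaysLeft = $daysLeft
            Status   = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -le $Days) { 'ROTATE NOW' } else { 'OK' }
        }
    }
}

$report = Get-ExpiringSecrets -DisplayName $AppDisplayName -Days $WarnDays
$report | Format-Table -AutoSize
# Non-zero exit lets Task Scheduler or a monitoring agent flag the run
if ($report.Status -contains 'EXPIRED' -or $report.Status -contains 'ROTATE NOW') { exit 1 }
```

Rotation itself is the Stage 1 "Create a client secret" step again, followed by updating the MFP; keep the old secret until the device has authenticated with the new one, then delete it so only one valid secret exists.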
Alternative: direct send connector for higher volume
For environments sending hundreds of scan emails daily, M365 supports a direct send model where the MFP authenticates to an inbound connector configured in Exchange Online with IP-based restrictions instead of OAuth. This works well for static IP environments but is more brittle than OAuth — IP changes break authentication. For most office MFPs, OAuth is the more durable choice.
Security considerations worth recording
Record the OAuth credentials in the office's IT credential vault (not a shared spreadsheet). Set a calendar reminder for client secret expiry. Restrict the registered application to just the scan mailbox via ApplicationAccessPolicy. Monitor sign-in logs in Entra ID for the registered application — unusual authentication patterns may indicate the credential was compromised. Rotate the client secret annually as part of normal credential hygiene.