Microsoft OAuth Authentication and Thunderbird in 2024
Revision Information
- Revision id: 275525
- Created:
- Creator: Roland Tanglao
- Comment: disclaimer that things could break, add cookies and 2fa note
- Reviewed: Yes
- Reviewed:
- Reviewed by: rtanglao
- Is approved? Yes
- Is current revision? No
- Ready for localization: No
Revision Source
Revision Content
Microsoft has made some changes to authentication for their hosted email services for business and academic accounts. This article describes these changes and how to adjust to them.
Table of Contents
- 1 Changes to Authentication
- 2 Changes or Problems You May Encounter
- 2.1 Your Outlook or Hotmail password no longer works with Thunderbird and you cannot send or receive email.
- 2.2 A screen that indicates IT administrator approval is required for the app
- 2.3 An account worked on Thunderbird 102.6.1, but does not work on 102.7.1 or later
- 2.4 IMAP/POP3 work, but SMTP does not work
- 2.5 Calendar does not work
- 3 Where to Get Help
Changes to Authentication
Microsoft has instituted the following changes:
- Deprecated basic authentication (username/password), and is instead now requiring OAuth authentication.
- In some cases, SMTP authentication has been completely disabled. For new accounts, SMTP always starts disabled. In addition, there are some restrictions on SMTP that are not currently understood.
Microsoft have also changed the way they classify certain clients, and Thunderbird’s previous OAuth setup does not properly qualify as a desktop client. As a result, we have been forced to make configuration changes to Thunderbird, which may have side effects for users.
Changes or Problems You May Encounter
For outlook.com, hotmail.com, Microsoft 365 (formerly known as Office 365 and often abbreviated as “o365”) or other Microsoft-hosted email services, you may see the following issues:
Your Outlook or Hotmail password no longer works with Thunderbird and you cannot send or receive email.
- Solution: First, ensure that cookies are for Microsoft's hotmail and outlook.com websites (e.g. office365.com) are enabled for your default browser (for Firefox see Websites say cookies are blocked - Unblock them), otherwise you will not be able to login to hotmail or outlook using OAuth2. Second, ensure two factor authentication is on for your Microsoft account (see Microsoft's Knowledge Base article: How to use two-step verification with your Microsoft account). Finally, change Authentication method to OAuth2 from Normal Password for both IMAP (or POP) and SMTP.
- IMAP (or POP): Click outlook.com or hotmail.com account > select Authentication method: (instead of Normal password).
-
- SMTP:
- Click outlook.com or hotmail.com account e.g. thunderbirdrocks@hotmail.com >
-
- Select Authentication method:
-
- Click outlook.com or hotmail.com account e.g. thunderbirdrocks@hotmail.com >
A screen that indicates IT administrator approval is required for the app
- You must ask your administrator to authorize Thunderbird - approval must be done, but only once.
Per Microsoft documentation, administrators should visit https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id=9e5f94bc-e8a4-4e73-b8be-63364c29d753 and grant the following permissions in order to authorize Mozilla Thunderbird: IMAP.AccessAsUser.All, POP.AccessAsUser.Al, SMTP.Send and offline_access
An account worked on Thunderbird 102.6.1, but does not work on 102.7.1 or later
- Please try signing in with a new Thunderbird profile (see Profile Manager - Create and remove Thunderbird profiles for instructions on how to create a new profile). If a new Thunderbird profile works, then for most people it is best to continue using the new profile. More technical folks with other config editor changes: Use the Thunderbird profile manager to switch back to the old Thunderbird profile and use the config editor (see Config Editor) to filter for oauth2, find the appropriate server(s), and delete the entries for oauth2.issuer and auth2.scope
- Otherwise, ask for support.
IMAP/POP3 work, but SMTP does not work
- If you have an Microsoft 365 business account, ensure that SMTP Authentication is enabled or ask your IT administrator to check and turn it on if disabled. Microsoft has some instructions in their article: Enable or disable authenticated client SMTP submission (SMTP AUTH) in Exchange Online
- If you have a Microsoft 365/hotmail/etc personal account, use basic authentication (Microsoft’s guide on how to change this).
Calendar does not work
- Thunderbird does not support Exchange calendars. If you are using an add-on or other software to enable calendar, then you will need to seek support from the author of that add-on or software.
Where to Get Help
- If you are a user within a business or academic institution that provides Microsoft accounts, you should seek assistance within your organization.
- If you have a personal account through one of Microsoft's hosted services, ask for support.