Outlook connection error: "User is authenticated but not connected"
It appears that how TB handles IMAP connections for Outlook email accounts no longer works - the OAuth2 connection flow is broken, and this is likely due to stricter changes made on Microsoft's backend that are impacting connections going forward.
I have multiple email accounts configured and recently I have been bombarded by login pop-ups - likely related to the OAuth2 authentication process.
Whilst I was able to circumvent the authentication process - i.e. not completing the flow process entirely as it expected, newly created outlook accounts appear to reveal two things:
1] There has been a recent change to the authentication process - i.e. the telling sign.
2] There is now a deeper issue when trying to connect Outlook email accounts. It seems the reason why circumvention was possible with existing accounts was because they have already passed the OAuth2 process correctly - correct tokens exist. Since this won't be the case for new Outlook accounts - no OAuth IMAP access token created, the above error is given.
It seems the likely cause is because Thunderbird holds or requests a token that does not contain the correct IMAP audience/scope combination, and Exchange rejects it during SASL XOAUTH2 bind.
For your information, I am using the latest versions and able to configure Apple Mail client - which uses Exchange protocol (not IMAP), without issues.
All Replies (6)
My further thoughts are that TB is failing because it is using what has become a legacy protocol. Microsoft now requires the OAuth2 token to have:
a) Audience: https://outlook.office.com/
b) Scope: IMAP.AccessAsUser.All
c) Client classification: must be recognized as a “native mail client” for IMAP.
For example, on (c), currently, I believe TB uses a generic public client registration and is unable to handle passkey authentication.
My thoughts are that TB is failing because it is using what has become a legacy protocol. Microsoft now requires the OAuth2 token to have:
a) Audience: https://outlook.office.com/
b) Scope: IMAP.AccessAsUser.All
c) Client classification: must be recognized as a “native mail client” for IMAP.
For example, on (c), currently, I believe TB uses a generic public client registration and is unable to handle passkey authentication.
Did you enable IMAP in outlook.com Settings/Mail/Forwarding & IMAP? When adding accounts to TB, disable account hub in Settings/General, and add from ≡ - New Account - Email.
outlook.office365.com, 993, SSL/TLS, OAuth2, email address
smtp.office365.com, 587, STARTTLS, OAuth2, email address
Thanks for your quick response.
The IMAP toggle you are referring to reverts to a disabled state after refreshing the browser, i.e., pointing out my earlier comment that MST is making IMAP connections stricter. Also, since the issue does not exist when configuring on the native mail client, I don't believe anything can be done in terms of user configuration - this issue is related to TB and I have tried to explain this. It is quite frustrating when responses are always related to user configuration rather than accepting that it is an application issue.
My thoughts are that TB is failing because it is using what has become a legacy protocol. Microsoft now requires the OAuth2 token to have:
a) Audience: https://outlook.office.com/
b) Scope: IMAP.AccessAsUser.All
c) Client classification: must be recognized as a “native mail client” for IMAP.
For example, on (c), currently, I believe TB uses a generic public client registration and is unable to handle passkey authentication. I suggest this is where you focus your efforts, since the rest you mentioned is all trivial and, for your information, I have already been adding new accounts in the way mentioned; also, the account hub being referred to was always disabled.
Hope that helps.
I'm aware there have been some changes to OAuth2 in 148, but I just added a hotmail account using manual config., and it works as expected. Perhaps you have some external factor blocking access, such as a VPN or AV.
No, I don't. Older or previously created accounts that are now added to TB are not quite the same to test this issue.
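A way to test the audience/scope claim made in this thread, as an added example that is not part of any post and is not Thunderbird's code: it decodes an access token's payload without verifying it, compares `aud` and `scp` with the values quoted above, and builds the SASL XOAUTH2 string a client sends to the IMAP server. It assumes the token is a JWT with Microsoft's `aud` and `scp` claim names; an opaque token is reported as not inspectable, and `make_sample_token` only builds constructed test input.

```python
import base64
import json

# Values quoted in the thread; treated here as the expectation to check against.
EXPECTED_AUD = "https://outlook.office.com"
EXPECTED_SCOPE = "IMAP.AccessAsUser.All"

def _b64url_decode(segment):
    """Decode a base64url segment that may lack padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token):
    """Return the unverified payload of a JWT, or None if the token is opaque."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None
    return claims if isinstance(claims, dict) else None

def imap_token_problems(token):
    """List mismatches between a token's claims and the thread's stated values."""
    claims = jwt_claims(token)
    if claims is None:
        return ["token is not a decodable JWT; claims cannot be inspected"]
    problems = []
    aud = claims.get("aud", "")
    auds = aud if isinstance(aud, list) else [aud]
    if not any(str(a).rstrip("/") == EXPECTED_AUD for a in auds):
        problems.append(f"aud is {aud!r}, expected {EXPECTED_AUD}/")
    scopes = str(claims.get("scp", "")).split()
    if not any(s.rsplit("/", 1)[-1] == EXPECTED_SCOPE for s in scopes):
        problems.append(f"scp {scopes} lacks {EXPECTED_SCOPE}")
    return problems

def xoauth2_initial_response(user, token):
    """Build the base64 SASL XOAUTH2 string sent after AUTHENTICATE XOAUTH2."""
    raw = f"user={user}\x01auth=Bearer {token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()

def make_sample_token(claims):
    """Constructed, unsigned sample token for the demo (not a real token)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"
```

An empty list from `imap_token_problems` means the token matches the audience and scope quoted in the thread; it says nothing about the signature or about how the server classifies the client.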