How to troubleshoot authentication failure errors while configuring Microsoft OAuth in Mail Server settings?
How to fix the 535 5.7.139 Authentication unsuccessful error?
Error 535 5.7.139 is the response returned by the mail server when you try to send an email using SMTP authentication and the connection is rejected because authentication failed.
Some examples of the error message are given below:
- 535 5.7.139 the user credentials were incorrect
- 535 5.7.139 Authentication unsuccessful, the request did not meet the criteria to be authenticated successfully. Contact your administrator.
- 535 5.7.139 Authentication unsuccessful, SmtpClientAuthentication is disabled for the Tenant. Visit https://aka.ms/smtp_auth_disabled for more information.
In some cases, the mail server may return an authentication error even though the telnet connection was successful, so the user cannot send mail.
What causes this error?
Microsoft no longer supports Basic Authentication, and it has disabled SMTP AUTH in all tenants in which it's not being used. This is done to force customers to move from apps that use Basic Authentication to Modern Authentication (OAuth 2.0). See Microsoft's Deprecation of Basic Authentication documentation for more details.
Because SMTP AUTH has been disabled, the 535 5.7.139 Authentication unsuccessful error appears even when the correct credentials are used.
Solution:
If Modern Authentication (OAuth) has been enabled at your mail server, SMTP AUTH can be enabled and used without any security threats. We support OAuth 2.0 from version 126306.
Use the new Exchange Admin Center to enable SMTP AUTH globally
- Log in to or navigate to the new Exchange Admin Center.
- Go to the Mail Flow settings page under Settings.
- Uncheck the setting labeled "Turn off SMTP AUTH protocol for your organization".
To enable SMTP AUTH on specific mailboxes
- Open the Microsoft 365 admin center and go to Users -> Active users.
- Select the user, and in the flyout that appears, click Mail.
- In the Email apps section, click Manage email apps.
- Verify the Authenticated SMTP setting: unchecked = disabled, checked = enabled.
- When you're finished, click Save changes.
How to fix the 535 5.7.3 Authentication unsuccessful error?
Authentication Unsuccessful
Please verify the username and password.
Cause:
- The username provided to the selected OAuth Provider was incorrect.
- The user lacks permission to access the registered application.
- API permissions in the Registered application do not grant sufficient access.
Possible Workarounds:
- Ensure the email ID used to save OAuth Provider Settings matches the one in the User Name field of Mail Server Settings to avoid authentication failure.
  - When OAuth settings are saved, the Microsoft sign-in portal generates an access token mapped to the provided email ID. This token is used for authentication in Mail Server Settings.
  - The same email address used to save the OAuth Provider Settings should be given in the User Name field of the Mail Server Settings page.
  - If the admin's email used for consent cannot be provided in Mail Server settings due to the customer's organization policy, refer to the alternative in the attached image.
- If the registered application is single tenant, make sure to include the tenant ID in the Authorization URL and Token URL in OAuth Provider settings. Without this, the application won't have permission for user access. Using "common" URLs will result in authentication failure.
  - Copy the OAuth 2.0 authorization endpoint (v2) and OAuth 2.0 token endpoint (v2) URLs from Azure Portal > Registered application > Overview > Endpoints. Paste these URLs in the respective fields of OAuth Provider Settings, save, and then test the mail.
- If your organization policy requires consent for API permissions, an authentication failure may occur.
  - To resolve this, log in to Azure Portal and go to Registered application > API Permissions > Add Permissions > Delegated Permissions. Search for SMTP.Send and offline_access, then select "Add permissions".
  - Once listed, click "Grant admin consent for <domain name>" and choose "Yes".
Important Note: Any changes in permissions made in Azure Portal / Microsoft Admin Center may take 15 minutes to 1 hour or more to reflect, depending on the organization's account. Please wait until then before testing in OpManager.
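The workarounds above reduce to three consistency checks: tenant-specific v2 endpoints, the SMTP.Send and offline_access permissions, and a matching user name. The following Python check is an added example, not OpManager code; the dictionary keys, the space-separated scope format, and the sample tenant ID and addresses are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Aliases not tied to one tenant; the page says single-tenant apps fail with "common".
SHARED_ALIASES = {"common", "organizations", "consumers"}
REQUIRED_PERMISSIONS = {"smtp.send", "offline_access"}  # named on the page
V2_PATH = re.compile(r"^/([^/]+)/oauth2/v2\.0/(authorize|token)$")

def tenant_of(url, kind):
    """Return (tenant, problem) for a v2 endpoint URL; kind is 'authorize' or 'token'."""
    parts = urlparse(url.strip())
    m = V2_PATH.match(parts.path.rstrip("/"))
    if parts.scheme != "https" or not m or m.group(2) != kind:
        return None, f"{kind} URL is not an https v2 '{kind}' endpoint"
    return m.group(1).lower(), None

def check_oauth_settings(s, single_tenant=True):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings, tenants = [], []
    for key, kind in (("authorization_url", "authorize"), ("token_url", "token")):
        tenant, problem = tenant_of(s[key], kind)
        if problem:
            findings.append(problem)
            continue
        tenants.append(tenant)
        if single_tenant and tenant in SHARED_ALIASES:
            findings.append(f"{kind} URL uses '{tenant}' instead of the tenant ID")
    if len(set(tenants)) > 1:
        findings.append("authorization and token URLs name different tenants")
    # Scopes may be bare names or resource URLs ending in the permission name.
    granted = {scope.rsplit("/", 1)[-1].lower() for scope in s["scope"].split()}
    for missing in sorted(REQUIRED_PERMISSIONS - granted):
        findings.append(f"scope is missing {missing}")
    if s["oauth_email"].strip().lower() != s["mail_server_username"].strip().lower():
        findings.append("Mail Server User Name differs from the OAuth Provider email")
    return findings

# Constructed sample settings (placeholder tenant ID and addresses).
BASE = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0"
good = {
    "authorization_url": BASE + "/authorize",
    "token_url": BASE + "/token",
    "scope": "https://outlook.office.com/SMTP.Send offline_access",
    "oauth_email": "alerts@example.com",
    "mail_server_username": "Alerts@example.com",
}
bad = dict(good, authorization_url="https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
           scope="offline_access", mail_server_username="admin@example.com")
print(check_oauth_settings(good), check_oauth_settings(bad))
```

An empty list means the three settings agree with each other; it does not confirm that admin consent has been granted or that permission changes have propagated.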