This guide is specifically for customers using O365 Exchange. The issue is caused by the 'refresh' token that was set causing the secret generated for OAuth to expire. This means we need to update the secret to restart the auth process.

To check if this is the issue you are facing you can run a cron debug (link) or check your outgoing mail logs. If you see an error that states the following:

 Exchange error: <League\OAuth2\Client\Provider\Exception\IdentityProviderException> [0] invalid_grant
 copy

Then the token has expired and you will need to generate a new one.

First, we need to generate a new client secret for the app within Azure AD in Office365. To do this, login to your O365 Admin Center, then navigate to Azure Active Directory:

From here, confirm you are on Azure Active Directory, then select 'App Registrations':

You should already have an existing app created when first setting up these emails from this guide, so select the app from the list.

Make a note of the Application (client) ID here, then under Certificates & secrets, click 'New client secret'.

Once you generate a new client secret, make a note of it as this will no longer be visible when you leave this page:

Now we have the Application (client) ID and the Secret, we need to reset the OAuth2 client within Deskpro so we can replace the expired secret.

Navigate to Admin > Emails > Email Accounts, then select the email account you're having issues with.

The quickest way to reset the OAuth2 client is to change the existing Account Details from Office365 to IMAP and SMTP. Leave all the values empty, then click 'Save'.

Once you have saved the blank settings, it should remove your old credentials, so change your Account Details back to either Office365 (Exchange) or Office365 (POP3/SMTP).

You can now select the 'Use OAuth Instead' button, then select 'Get Access Token':

This should prompt you to enter the OAuth client settings, so put the Application (client) ID from O365 in the Client ID field, and your Client Secret from O365 in the Secret field, and click 'Save'.

This should now prompt you to login with your Microsoft account, so login using the credentials for the email address:

Once you've logged back in, save the changes to your email account.

In order to confirm that everything is working as expected, we now recommend performing a Cron Debug (link) on the server to confirm emails are now being processed and you're no longer hitting the invalid_grant error which is causing this issue.

After updating your token if you get an error like the example below in the cron debug:

[RawExchangeTransport] The user account which was used to submit this request does not have the right to send mail on behalf of the specified sending account., Cannot submit message.
 copy

This error usually displays if the account logged in doesn’t have a license or a mailbox.

When updating your OAuth secret and renewing the token you will have authenticated with an admin account which doesn’t have a mailbox attached, and not the email account Deskpro is monitoring.

To resolve this we recommend opening Deskpro in a fresh incognito window (using a login token if you use SSO), and office.com in a second tab within the same incognito window.

If you go to Admin > Emails > Email Accounts, then select the first email account. Move over to your office.com tab and login with the credentials of that first email account.

Once you’re logged in, go back to the Deskpro tab, and click Reset Access Token

Then click Get Access Token

Once it’s updated, click Save to save the new token.

If you have any other email accounts, log out of the office.com tab and repeat the process, entering the relevant credentials in the office.com tab for each individual account.