Use Microsoft 365 to send and receive emails in Mojo

Mojo Helpdesk can retrieve emails from a Microsoft 365 mailbox and create tickets automatically. It uses OAuth2 for secure authentication, IMAP for receiving emails, and SMTP for sending them. No passwords are stored.

Prerequisites

A Microsoft 365 account (Business Basic, Business Standard, or Enterprise)
Admin access to the Microsoft 365 tenant, or permission to consent to third-party apps. The sign-in credentials for the mailbox account itself (e.g. support@newco.com) are also required, not just the admin account.
Authenticated SMTP enabled for the mailbox (see Step 1)

Step 1: Enable Authenticated SMTP in Microsoft 365 Admin Center

Microsoft disables Authenticated SMTP by default. Enable it for the mailbox before configuring Mojo.

Sign in to the Microsoft 365 admin center at https://admin.microsoft.com
Go to Users > Active users.
Select the mailbox to use (e.g. support@newco.com).
Click the Mail tab.
Under Email apps, click Manage email apps.
Check Authenticated SMTP and click Save changes.

This change may take a few minutes to take effect.

Step 2: Configure the mail server in Mojo Helpdesk

Go toAdmin > Channels > Email > Server configuration.
Select Use my own mail server and follow the on-screen guide.
For incoming mail (IMAP), enter:

IMAP server: outlook.office365.com
Username: your Microsoft 365 email address
Port: 993 (SSL)

For outgoing mail (SMTP), enter:

SMTP server: smtp.outlook.com
Port: 587 (TLS)

When a Microsoft 365 IMAP server is detected, Mojo hides the password fields. Authentication is handled through OAuth2 in the next step.

Step 3: Connect with Microsoft 365

First, have a Microsoft 365 admin click "Connect with Microsoft 365" and sign in with their admin account to grant consent for the organization. Mojo will show a warning that the signed-in account doesn't match the mailbox — this is expected.
Then, click "Connect with Microsoft 365" again (a button will appear in the warning banner) and this time sign in as the mailbox account (e.g. support@newco.com). Since consent was already granted by the admin, no additional approval will be needed.

Tip: Use a private/incognito browser window when connecting to avoid being automatically signed in with the wrong Microsoft account.

Click Connect with Microsoft 365. Mojo redirects to Microsoft's sign-in page.
Sign in with the mailbox account (e.g. support@newco.com), not a personal admin account. The sign-in page pre-fills the mailbox address to help select the correct account.
Review the requested permissions and click Accept.
Mojo redirects back and sends a test email to verify the setup. A confirmation message appears and the mail server status shows Server is sending emails successfully if the connection succeeds.

If the mailbox account cannot grant consent: some Microsoft 365 tenants require admin consent for third-party apps. If the mailbox user sees a "Need admin approval" message, two steps are required:

Have a Microsoft 365 admin click Connect with Microsoft 365 and sign in with their admin account to grant consent for the organization. Mojo shows a warning that the signed-in account does not match the mailbox. This is expected.
Click Connect with Microsoft 365 again (a button appears in the warning banner) and sign in as the mailbox account. Consent was already granted by the admin, so no additional approval is needed.

Use a private or incognito browser window when connecting to avoid being signed in automatically with the wrong Microsoft account.

Step 4: Verify the setup

After connecting, check the Server configuration page:

Sending status: displays "Server is sending emails successfully" with the date of the last sent email.
Receiving status: displays "Server is receiving emails successfully" after the first email is fetched. This may take a few minutes.
OAuth2 badge: a "Microsoft 365 OAuth2" badge appears next to the server information, confirming OAuth2 authentication is active.

If the test email fails, an error message appears. Fix the underlying issue and select Send test email from the dropdown menu to retry.

Step 5: Configure DKIM, SPF, and DMARC for Your Domain

To ensure reliable email delivery and protect your domain from spoofing, configure DKIM, SPF, and DMARC records in your DNS provider. See Configure DKIM, SPF, and DMARC for a step-by-step guide.

For Microsoft 365 specifically, enable DKIM signing in the Microsoft 365 Defender portal under Email authentication settings, and ensure your SPF record includes include:spf.protection.outlook.com.

How it works

Mojo uses OAuth2 rather than username and password authentication to connect to Microsoft 365.

No passwords are stored. Mojo uses secure access tokens granted by Microsoft.
Tokens refresh automatically. Mojo refreshes the access token before it expires, so the connection stays active without manual intervention.

Reconnect at any time. If the OAuth2 connection breaks due to a password change or revoked consent, use Reconnect with Microsoft 365 in the dropdown menu to re-authorize.

Removing or changing the mail server

Change to Mojo Helpdesk email service: switches the account back to Mojo's built-in email service. Microsoft 365 settings are preserved in case of a future switch. Active sending and receiving warnings are cleared automatically.
Erase settings: permanently deletes the mail server configuration, including all OAuth2 tokens. The account reverts to Mojo's built-in email service. Use this for a clean start or to configure a different mail server.

Mojo stops using Microsoft 365 for sending and receiving emails immediately after either action.

Troubleshooting

"Authenticated SMTP" error or timeout when sending emails

Verify that Authenticated SMTP is enabled for the mailbox in the Microsoft 365 admin center (see Step 1). Changes may take a few minutes to propagate.

If Authenticated SMTP is enabled but sending still times out, check the following:

Security Defaults: if enabled in Azure AD (Entra ID), it blocks SMTP AUTH. Check at entra.microsoft.com > Identity > Overview > Properties > Manage security defaults.
Organization-level SMTP AUTH: the org-wide setting may override the per-mailbox setting. Check in Exchange Admin Center under Settings > Mail flow.
Conditional Access policies: policies blocking "Other clients" or legacy authentication may interfere. Add the mailbox as an exclusion if needed.

After making changes, wait 15 to 30 minutes for propagation, then click Reconnect with Microsoft 365.

"You signed in as '...' but the mailbox is configured for '...'" error

The Microsoft account used during sign-in does not match the mailbox configured in Mojo. This commonly happens when an admin signs in to grant consent.

Click Connect with Microsoft 365 in the warning banner on the configuration page.
Sign in with the mailbox account (e.g. support@newco.com). If an admin already granted consent, that step is complete and will not be required again.
Use a private or incognito browser window if the browser keeps auto-signing in with the wrong account.

"Send As Denied" error

The From address must match the mailbox email address. Mojo sets this automatically when OAuth2 is active. If the error persists, check Send As permissions in the Exchange admin center.

Token refresh failure / "Failed to receive emails" warning

A warning banner appears if the OAuth2 token cannot be refreshed. Common causes:

The Microsoft 365 admin revoked consent for the app.
The user password was changed or the account was disabled.

To fix this, go to Admin > Channels > Email > Server configuration and select Reconnect with Microsoft 365 from the dropdown menu to re-authorize.

Test email sent but not received

Click Send test email from the dropdown menu to send a new test. Confirm the mailbox inbox is not full and no mail flow rules are blocking the test email.

General tips

The mailbox must be a regular user mailbox, not a shared mailbox without a license.
Check for Conditional Access policies in Azure AD that may block IMAP or SMTP access.