Microsoft mailboxes connect the same way Google mailboxes do — via OAuth, with no password stored on our side. The main difference is that some Microsoft 365 tenants require admin consent the first time a new app is used.
Before you start
Works with Outlook.com, Microsoft 365 (Business, Enterprise), and Exchange Online.
For tenant-controlled accounts, you may need a Global Admin or Application Admin to consent once for your organization.
Modern Authentication must be enabled (it is on by default for almost all tenants now).
Connect a Microsoft mailbox
Open Accounts → Email → Connect.
Choose Microsoft.
Sign in with the mailbox you want to use.
Review the requested permissions and click Accept.
You will land back in BrandJet with the inbox listed and ready for verification.
AADSTS90094: Admin consent required
Your tenant requires a Global Admin to consent once. After admin consent, all users in the tenant can connect without seeing this error.
Send the consent URL from the error screen to your IT admin, or have them log in and grant consent themselves.
If the admin prefers, they can pre-grant consent from Microsoft Entra → Enterprise applications.
Conditional Access and tenant restrictions
Errors like blocked by Conditional Access, account locked, or your sign-in was successful but does not meet the criteria are tenant-level restrictions, not BrandJet limits.
Conditional Access policies (country, IP range, device compliance) may exclude BrandJet outbound mail. Your admin can add an exception for the BrandJet app.
If your tenant disallows third-party app access entirely, the mailbox cannot be connected until policy is loosened.
SMTP AUTH and OAuth
BrandJet uses OAuth for both reading and sending. You do not need to enable SMTP AUTH manually — modern Microsoft 365 tenants ship with the right defaults. If your tenant disabled SMTP AUTH organisation-wide, OAuth-based sending still works; we use the Graph API for sending where possible.
If verification fails after connect
Open the mailbox in Accounts → Email and click Verify.
If you get token revoked, sign in to portal.office.com, accept any new sign-in challenges, then click Verify again.
If you get throttled, Microsoft is rate-limiting first-day mail. Wait 30 minutes and retry.
Personal Outlook.com mailboxes
Personal Outlook.com accounts work but typically have lower daily limits than Microsoft 365. Run warmup for at least two weeks before pushing volume.
Revoking access
You can revoke BrandJet anytime from account.live.com/consent/Manage (personal) or from Microsoft Entra (tenant). Removing the mailbox in BrandJet revokes the token automatically.