BugWP logo BugWP
Back to Community
Home / Community / General

Fixing the FluentSMTP Microsoft 365 423 'Forbidden' and 422 'Unauthorized' Errors

28 threads Sep 16, 2025

Content

Many users of the FluentSMTP plugin encounter a frustrating roadblock when integrating with Microsoft 365 or Outlook.com: the 423 "Forbidden" or 422 "Unauthorized" error. This error appears in the test results or email logs, halting email delivery from a WordPress site.

Based on community reports and troubleshooting discussions, this error is almost always a permissions issue on the Microsoft side, not a bug within the FluentSMTP plugin itself. The error is a response from Microsoft's API indicating that the application (your FluentSMTP connection) is not authorized to send mail from the specified account.

Why This Error Happens

The single most common cause, as identified by users, is a mismatch between the Microsoft account used to create the API credentials and the "From Email" address configured in FluentSMTP. Microsoft's permissions are strict; the account that owns the mailbox must also be the one to grant API sending permissions.

Other potential causes include:

  • Using an admin account to create the API app but a different shared mailbox (e.g., [email protected]) as the "From Email".
  • Insufficient API permissions granted in the Azure App registration.
  • The mailbox being used lacks an active Microsoft 365 license or is not a valid, dedicated mailbox.
  • A recent password change or security update on the Microsoft account that invalidated the existing tokens.

Most Effective Solutions

If you see a 423 or 422 error, follow these steps to resolve it.

Solution 1: Ensure Email Address Alignment (The Most Critical Step)

This is the fix that resolves the vast majority of cases. The email address you use for every step must be identical.

  1. Account for API Creation: You must log into the Microsoft Entra Admin Center with the exact same email account that you intend to use as the "From Email" in WordPress.
  2. Account for Granting Permissions: During the app registration and consent process, you must approve the permissions using that same account. You cannot use a global admin account to approve permissions for a different user's mailbox.
  3. From Email in FluentSMTP: In your WordPress dashboard under FluentSMTP → Settings → Primary Connection, the "From Email" field must be that same email address.

If you need to send from a shared mailbox, you must log in as a user who has direct "Send As" permissions for that mailbox and use that user's account to create the API app.

Solution 2: Verify Azure App Registration Settings

Incorrect settings in your Azure app can cause immediate failures.

  1. Log into the Microsoft Entra Admin Center.
  2. Go to Applications → App registrations and select your FluentSMTP app.
  3. Under Authentication, ensure the Redirect URI is exactly:
    https://yourdomain.com/?fluent-mail-auth=1 (replacing "yourdomain.com" with your actual domain).
  4. Under API permissions, ensure you have granted Mail.Send and User.Read (delegated) permissions and that an admin has granted consent for them.

Solution 3: Check Mailbox Type and License

Microsoft's API will return authorization errors if the account is not set up correctly.

  • Ensure the "From Email" account is a licensed Microsoft 365 user with an active mailbox. It cannot be a shared mailbox without a assigned license.
  • Confirm the mailbox is not over its storage quota.

Solution 4: Re-authenticate the Connection

If the connection was working and suddenly started failing, the OAuth token may have expired or been revoked. Simply go to your FluentSMTP settings and click the "Re-Authorize" button to go through the Microsoft login process again. This often resolves intermittent 422 errors.

Summary

The 423 "Forbidden" and 422 "Unauthorized" errors are a common hurdle when configuring FluentSMTP with Microsoft 365, but they are almost always solvable by meticulously aligning your email accounts and double-checking your Azure app settings. The key takeaway is to use one dedicated, licensed Microsoft 365 account for both creating the API credentials and sending mail.

Related Support Threads Support