MS Exchange email access not working

by Tay Moss -
Number of replies: 0

We are attempting to set up a system@ account so that our Moodle can receive in-coming email, yet we've run into problems with MS.

This problem has stumped MS Support and my Moodle expert and myself. We've already put a lot of hours into this and many tests without success.

According to all documentation we can find, we have correctly configured MS OAuth2 with a properly registered and scoped "application" in MS Entra (Active Directory) in Moodle and connected the two accounts. Indeed, according to the access logs in Azure, Moodle is successfully logging in and accessing MS Graph services, etc. Yet when we try to retrieve email from the Exchange service, the login fails for this reason (per the MS Azure logs):

Sign-in error code: 50173
Failure reason: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '{authTime}' and the TokensValidFrom date (before which tokens are not valid) for this user is '{validDate}'.
Additional Details: Expected part of the token lifecycle - either an admin or a user revoked the tokens for this user, causing subsequent token refreshes to fail and require re-authentication. Have the user sign-in again.

Of course we've already tried "connecting" the service account just minutes before attempting this call to the Exchange service. We have also verified (again and again) that the IMAP permissions are requested in the scope and that they have been permitted by the admin account for MS.

"offline_access" is definitely one of the enabled scopes, yet somehow the provision of a refresh token is failing? There is a table in the mdl_ DB for refresh tokens, but my understanding is that this may be only used temporarily and that Moodle actually just handles that within the session routine without storing it in the DB. But if any of you know differently, please correct me! The main table for authorization tokens is populated with data as I would expect.

I did check that our server clock is synchronized with the real time (it is). And I've tried redoing this whole process multiple times with small variations in settings (not working). It could be that we've all overlooked some small, obvious thing. So maybe it just needs a fresh set of eyes to review the set-up?

Anyway, if anyone on here wants to help me with this, I would greatly appreciate it.

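The AADSTS50173 message above compares the time the grant was issued against the user's TokensValidFrom date, so the quickest offline check is to decode the access token Moodle actually holds and look at its claims directly. The script below is an added example written for this thread; it is not Moodle code and not something from the original post. It assumes the Exchange/IMAP resource audience is `https://outlook.office365.com` and the delegated scope is `IMAP.AccessAsUser.All` (standard Microsoft 365 values, but assumptions here), and it builds a constructed, unsigned sample token so it runs without any tenant. The decoder deliberately skips signature verification because it is a diagnostic for a token you already possess, not a way to accept tokens from anyone else.

```python
import base64
import json
from datetime import datetime, timezone

# Assumed values from Microsoft 365 public docs, not from the forum post.
EXPECTED_AUDIENCE = "https://outlook.office365.com"
IMAP_SCOPE = "IMAP.AccessAsUser.All"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.
    Diagnostic only: never use this to decide whether a token is authentic."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_token(claims: dict, tokens_valid_from: datetime, now: datetime) -> list:
    """Explain why a Microsoft access/refresh grant might be refused for IMAP.
    `tokens_valid_from` is the TokensValidFrom date the sign-in log reports."""
    findings = []
    issued_at = datetime.fromtimestamp(claims["iat"], tz=timezone.utc)
    expires = datetime.fromtimestamp(claims["exp"], tz=timezone.utc)
    if issued_at < tokens_valid_from:
        # This is exactly the AADSTS50173 condition: the grant predates a
        # revocation (password reset, admin "revoke sessions"), so refreshing
        # it will keep failing until the account re-consents / signs in again.
        findings.append("grant predates TokensValidFrom: re-authenticate (matches AADSTS50173)")
    if expires <= now:
        findings.append("access token expired: a refresh is required")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        findings.append(f"audience {claims.get('aud')!r} is not the Exchange/IMAP resource")
    if IMAP_SCOPE not in claims.get("scp", "").split():
        findings.append(f"scp claim lacks {IMAP_SCOPE}")
    return findings


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """SASL XOAUTH2 initial client response (base64 of
    'user=<user>^Aauth=Bearer <token>^A^A'), the string an IMAP client sends
    after AUTHENTICATE XOAUTH2. Useful for reproducing the login by hand."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT for offline testing only."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


def run_demo() -> list:
    """Constructed scenario: token issued at 10:00, password reset at 12:00,
    Moodle tries to use/refresh it at 12:30. Expect two findings."""
    issued = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
    claims = {
        "aud": EXPECTED_AUDIENCE,
        "iat": int(issued.timestamp()),
        "exp": int(issued.timestamp()) + 3600,
        "scp": f"{IMAP_SCOPE} User.Read",
        "upn": "system@example.org",  # constructed sample account
    }
    token = make_unsigned_jwt(claims)
    tokens_valid_from = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    now = datetime(2024, 5, 1, 12, 30, tzinfo=timezone.utc)
    return diagnose_token(decode_jwt_claims(token), tokens_valid_from, now)


if __name__ == "__main__":
    for line in run_demo():
        print("-", line)
    print(xoauth2_initial_response("system@example.org", "<access token here>"))
```

To apply this to a real tenant, paste the access token from Moodle's token table into `decode_jwt_claims` and the TokensValidFrom date from the Entra sign-in log into `diagnose_token`; if the first finding fires even right after reconnecting the account, the revocation timestamp is moving (for example a policy or script resetting sessions), which would match the symptom described in the post.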