Fix: GFI FaxMaker v20.9 “Office 365 Authentication” (OAuth) Fails for Email2FaxGateway (Exchange Online SMTP)

Solution

Symptoms / Errors

• UI / console
  • Connection time out
  • Fehler: Das Zugriffstoken konnte nicht vom Server abgerufen werden. (The access token cannot be retrieved from the server.)
• OAuth callback / browser
  • AADSTS50194 (application not configured as multitenant when /common is used)
• Exchange Online SMTP responses (in logs)
  • 504 5.7.4 Unrecognized authentication type
  • 535 5.7.3 Authentication unsuccessful
• Behavioral indicators
  • Email2FaxGateway configuration may revert back to SMTP after closing/reopening the FaxMaker Configuration console.

Typical Environment

• GFI FaxMaker 
• Email2FaxGateway configured for smtp.office365.com on port 587 (TLS). 
  • This article applies when Email2FaxGateway is configured to submit outbound mail via smtp.office365.com:587 using Office 365 Authentication (OAuth).
  • If the customer is using the “MX endpoint / port 25 / connectors” approach, please review Using GFI FaxMaker with Office 365.
• OAuth sign-in launches a browser and returns to a local callback such as http://localhost:5000/callback

Troubleshooting (What to Check First)

1) Confirm outbound network reachability from the FaxMaker server

Run the following on the FaxMaker server (PowerShell) and confirm the tests succeed:

Test-NetConnection login.microsoftonline.com -Port 443
Test-NetConnection smtp.office365.com -Port 587

If these fail, resolve firewall/proxy restrictions and any TLS inspection interference before continuing.

2) Capture logs at the exact failure time

• Re-run Authenticate and then Send test email.
• Note the exact time (HH:MM) the failure occurs.
• Collect a Troubleshooter package immediately after reproducing.
• Include SMTP upload/uploader logs (for example under <FaxMaker_install_dir>\logs\..., including the SMTP-related uploader/logger files).

Root Cause

The Microsoft Entra ID App Registration used for FaxMaker OAuth was configured with the redirect URI under the Web platform. In this state, the browser sign-in can appear successful and an authorization code can be received, but FaxMaker does not successfully obtain/store the refresh token (for example, smtprefreshtoken remains empty in configuration snapshots/log bundles).

Without a refresh token, FaxMaker cannot generate valid OAuth access tokens for SMTP submission. This correlates with:

• The access token cannot be retrieved from the server (or the German equivalent)
• Exchange Online SMTP authentication failures such as 535 5.7.3 Authentication unsuccessful (and sometimes 504 5.7.4 Unrecognized authentication type)
• Settings not persisting (reverting back to SMTP)

Resolution (Configuration Fix)

Step A — Correct the Entra ID App Registration platform and redirect URI

1. Open Microsoft Entra admin center.
2. Go to Microsoft Entra ID → App registrations → select the app used for FaxMaker OAuth.
3. Open Authentication.
4. Select Add a platform → choose Mobile and desktop applications.
5. Add the redirect URI:
   • http://localhost:5000/callback
6. Ensure Allow public client flows (or equivalent setting) is Enabled.
7. Click Save.

If you encountered AADSTS50194

If the browser redirect/callback showed AADSTS50194, update the app registration:

• Set Supported account types to Multitenant (Accounts in any organizational directory), when your OAuth authority/flow uses /common.

Step B — Re-authenticate in FaxMaker and retest

1. Open GFI FaxMaker Configuration → Email2FaxGateway → Properties.
2. Select Office 365 Authentication (OAuth).
3. Confirm the SMTP endpoint and port are set for client submission:
   • smtp.office365.com
   • 587
4. Confirm the Client ID matches the Entra app registration.
5. Click Authenticate again and complete the sign-in.
6. Click Send test email.

Note: SMTP AUTH enablement at the mailbox level should still be verified as part of normal Exchange Online SMTP submission requirements, but in this scenario it was not the primary cause.