Add an exchange mailbox in Mail app

ptidav · February 3, 2026, 6:11pm

Hello everyone,

I’m trying to add Exchange accounts to my Nextcloud. I followed the documentation guide to configure an Entra ID app. If I add an account that is a domain admin, the account is successfully created in Mail and works.

When I try with a regular user account, the OAuth2 window shows an approval request. That’s normal—based on what I’ve read, there are no (API) permissions available for IMAP for standard users.

So I approve the request in Entra ID using an admin account. After that, when I try to add the account again, the OAuth2 window asks for approval again. And again, and again… it loops.

If anyone has any ideas, I’m interested.

Thanks.

usselite · February 4, 2026, 8:47am

Did you try it yet in incognito mode? It’s also good to double check your Nextcloud server log if it’s not producing errors in the background.

ptidav · February 4, 2026, 12:10pm

Yes already tested incognito mode without success

I got warning in entra Id access logs saying approbation is required each time I try to connect to the mailbox from NextclouD

Soontheman · February 7, 2026, 11:17am

I have exactly the same issue. Hope we will find a solution!

ptidav · February 8, 2026, 7:53am

I checked nextcloud log.

1 DNS error :
{“reqId”:“fjf7olHcl9CYiJblFgz0”,“level”:2,“time”:“2026-02-07T19:23:58+00:00”,“remoteAddr”:“212.X.X.X”,“user”:“admin”,“app”:“PHP”,“method”:“GET”,“url”:“/apps/mail/api/autoconfig/ispdb/tld.fr/support%tld.fr”,“scriptName”:“/index.php”,“message”:“dns_get_record(): A temporary server error occurred. at /var/www/html/lib/private/Http/Client/DnsPinMiddleware.php#99”,“userAgent”:“Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36”,“version”:“32.0.5.0”,“data”:{“app”:“PHP”}}

2 - Invalid microsoft_oauth_client_id…. :
{“reqId”:“CpnwM3eNtVkzvwhIWxeC”,“level”:2,“time”:“2026-02-07T19:24:26+00:00”,“remoteAddr”:“x.x.x.x”,“user”:“admin”,“app”:“no app in context”,“method”:“GET”,“url”:“/settings/admin/groupware”,“scriptName”:“/index.php”,“message”:“Invalid microsoft_oauth_client_id data provided to provideInitialState by mail”,“userAgent”:“Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36”,“version”:“32.0.5.0”,“data”:}

3 - ERROR : decrypt() … null given :
{“reqId”:“38iqUVUuNA4v0ff6o7mi”,“level”:3,“time”:“2026-02-07T19:40:02+00:00”,“remoteAddr”:“x.x.x.x,“user”:“admin”,“app”:“mail”,“method”:“GET”,“url”:“/apps/mail/”,“scriptName”:“/index.php”,“message”:“Could not load account mailboxes: OC\Security\Crypto::decrypt(): Argument #1 ($authenticatedCiphertext) must be of type string, null given, called in /var/www/html/custom_apps/mail/lib/IMAP/IMAPClientFactory.php on line 104”,“userAgent”:“Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36”,“version”:“32.0.5.0”,“exception”:{“Exception”:“TypeError”,“Message”:“OC\Security\Crypto::decrypt(): Argument #1 ($authenticatedCiphertext) must be of type string, null given, called in /var/www/html/custom_apps/mail/lib/IMAP/IMAPClientFactory.php on line 104”,“Code”:0,“Trace”:[{“file”:“/var/www/html/custom_apps/mail/lib/IMAP/IMAPClientFactory.php”,“line”:104,“function”:“decrypt”,“class”:“OC\Security\Crypto”,“type”:“->”,“args”:[“*** sensitive parameters replaced “]},{“file”:”/var/www/html/custom_apps/mail/lib/IMAP/MailboxSync.php",“line”:88,“function”:“getClient”,“class”:“OCA\Mail\IMAP\IMAPClientFactory”,“type”:“->”,“args”:[" sensitive parameters replaced “]},{“file”:”/var/www/html/custom_apps/mail/lib/Service/MailManager.php",“line”:139,“function”:“sync”,“class”:“OCA\Mail\IMAP\MailboxSync”,“type”:“->”,“args”:[" sensitive parameters replaced “]},{“file”:”/var/www/html/custom_apps/mail/lib/Controller/PageController.php",“line”:162,“function”:“getMailboxes”,“class”:“OCA\Mail\Service\MailManager”,“type”:“->”,“args”:[" sensitive parameters replaced ***”]},{“file”:“/var/www/html/lib/private/AppFramework/Http/Dispatcher.php”,“line”:204,“function”:“index”,“class”:“OCA\Mail\Controller\PageController”,“type”:“->”,“args”:},{“file”:“/var/www/html/lib/private/AppFramework/Http/Dispatcher.php”,“line”:118,“function”:“executeController”,“class”:“OC\AppFramework\Http\Dispatcher”,“type”:“->”,“args”:[{“class”:“OCA\Mail\Controller\PageController”},“index”]},{“file”:“/var/www/html/lib/private/AppFramework/App.php”,“line”:153,“function”:“dispatch”,“class”:“OC\AppFramework\Http\Dispatcher”,“type”:“->”,“args”:[{“class”:“OCA\Mail\Controller\PageController”},“index”]},{“file”:“/var/www/html/lib/private/Route/Router.php”,“line”:321,“function”:“main”,“class”:“OC\AppFramework\App”,“type”:“::”,“args”:[“OCA\Mail\Controller\PageController”,“index”,{“class”:“OC\AppFramework\DependencyInjection\DIContainer”},{“_route”:“mail.page.index”}]},{“file”:“/var/www/html/lib/base.php”,“line”:1061,“function”:“match”,“class”:“OC\Route\Router”,“type”:“->”,“args”:[“/apps/mail/”]},{“file”:“/var/www/html/index.php”,“line”:25,“function”:“handleRequest”,“class”:“OC”,“type”:“::”,“args”:}],“File”:“/var/www/html/lib/private/Security/Crypto.php”,“Line”:92,“message”:“Could not load account mailboxes: OC\Security\Crypto::decrypt(): Argument #1 ($authenticatedCiphertext) must be of type string, null given, called in /var/www/html/custom_apps/mail/lib/IMAP/IMAPClientFactory.php on line 104”,“exception”:{},“CustomMessage”:“Could not load account mailboxes: OC\Security\Crypto::decrypt(): Argument #1 ($authenticatedCiphertext) must be of type string, null given, called in /var/www/html/custom_apps/mail/lib/IMAP/IMAPClientFactory.php on line 104”}}

About DNS error, it’s weird because I can make a ping to outlook.office.com or others domains without problem. So resolution works fine…

If someone has an idea ??..
Thanks

usselite · February 8, 2026, 9:19am

Which guide did you use to set this up?
Mail — Nextcloud latest Administration Manual latest documentation

I set this up myself last week, if you follow the exact steps it should work.

Things to verify:

Double check if you have setup the right callback URL to Nextcloud.
Copied right app ID
Tenant ID needs to be common in this case.

ptidav · February 8, 2026, 10:14am

Yes this guide.

url ok
app id ok
tenant id set to “common” as in the tutorial

I successfully connected a mailbox only if I connect a user having tenant admin rights.

In other hand, I discovered this thread on github, opened since 2 years and still active :

github.com/nextcloud/mail

Nextcloud Mail App: Issues with Microsoft 365 OAuth Configuration and Account Linking

opened 09:44PM - 11 Dec 23 UTC

XaFaK-01

bug 1. to develop feature:integration

### Steps to reproduce 1. Have configured MS OAuth client ID and secret in the… admin settings as per [these instructions].(https://docs.nextcloud.com/server/latest/admin_manual/groupware/mail.html#xoauth2-authentication-with-microsoft-azure-ad) 2. After that when adding a new Microsoft 365 Account in the mail app, once Name, Mail Address, and Password have been filled in, it shows the message: "Account created. Please follow the pop-up instructions to link your Google account.", even though it's not a Google Account. Anyways when the pop-up appears, the button first says "Awaiting User Consent" then the status shows as "Authorization pop-up closed" and signing in and filling up all the info in the pop-up from Microsoft 365 is completed but nothing happens related to logging in even though the pop-up says "Account connected" "You can close this window". ### Expected behavior I should be able to log in to my Microsoft 365 Account. ### Actual behavior It shows the message: "Account created. Please follow the pop-up instructions to link your Google account.", even though it's not a Google Account. Anyways when the pop-up appears, it shows the status as "Authorization pop-up closed" and signing in and filling up all the info in the pop-up from Microsoft 365 is completed but nothing happens related to logging in even though the pop-up says "Account connected" "You can close this window" ### Mail app version 3.4.6 ### Mailserver or service Microsoft 365 ### Operating system Ubuntu 22.04.3 LTS ### PHP engine version PHP 8.2 ### Web server None ### Database PostgreSQL ### Additional info Here's the latest log for the mail app from the logging section: `[mail] Warning: OCA\Mail\Exception\ClientException: Account 66 does not exist or you don\'t have permission to access it at <<closure>> 0. /var/www/html/custom_apps/mail/lib/Controller/MicrosoftIntegrationController.php line 138 OCA\Mail\Service\AccountService->find("john", 66) 1. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 230 OCA\Mail\Controller\MicrosoftIntegrationController->oauthRedirect("0.AVAA32RN4P49b ... 4", "66", "825012c9-4b24-40ad-a899-0caa9f968768", null) 2. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 137 OC\AppFramework\Http\Dispatcher->executeController(["OCA\\Mail\\Con ... "], "oauthRedirect") 3. /var/www/html/lib/private/AppFramework/App.php line 183 OC\AppFramework\Http\Dispatcher->dispatch(["OCA\\Mail\\Con ... "], "oauthRedirect") 4. /var/www/html/lib/private/Route/Router.php line 315 OC\AppFramework\App::main("OCA\\Mail\\Cont ... r", "oauthRedirect", ["OC\\AppFramewo ... "], ["mail.microsoft ... "]) 5. /var/www/html/lib/base.php line 1068 OC\Route\Router->match("/apps/mail/integration/microsoft-auth") 6. /var/www/html/index.php line 36 OC::handleRequest() GET /apps/mail/integration/microsoft-auth?code=0.AVAA32RN4P49bEWWuNNnvfEjfFnWwAtrFrZPvWyvpd9BsaBQAIg.AgABAAIAAAAmoFfGtYxvRrNriQdPKIZ-AgDs_wUA9P-bRuZenv9c2obZiTgYhjkDY7fxW08xvLmOF9fpaKKNCuepmCre0mqsBNp5kPZeZwh4qNB5HRtro0ErjzwAljV2KrFnELaEmrJE_xoLIQGI0TgbV-BTg8S7KzI3rbIStM0D61orit0xS1-tE5k5FzS0GehTsfjfi1pEuMZMZSTjGM9ErkXXIBt6pJfXjXQ6-9qeVcDU5jhsm1epC_5mwUrcT3CPlUs3-OODRTKbvQW9idHGztxlml3nlNAjPPhpif-h66y4paBYCaQeZSRrWOKeEvm0KkHtpq6WQBHhLkm5XYueEJM-vAmFvo13xHdomCTB3WvSTu6cAy8X_1BzJbw7Zy0GxzBBH0MQ2yTDQXyfMcDZ3Vqz8A5DpDBRtcmnTYZvJ06YxS6HljlZaAyF517BrXaOtHbSleAAATZc9Vr_B_dug9yS1AistFJCxecukZZR3O7vofY-9r8w4qgWSvw1XhQ751Di8gE5Y24zuTq8J7JsXRMw7M1l68TaD58qoU5JJXCCdD13VAGezCuRQsVWGQrlZqH9mp379o23iuXYHFJb3xrfbLImlRBdx7M3GILFt2M3yrXoOM61dBIcmWt3_fwP6gImrZP7UrNcxJftUZi3jjYZymxGHiFt2jOcKRY3OUaDckOTjT9lQfFivniO-rhPSh4Iy8jz1Z_yCcMduSR-lqr3ZhD65xzo4RUMbNeqjm4BtcC9zIOyiJ7InzPQBF9Qo6vBacnzQcr2fGkYDmsQTLW5jBGXrz5-PujDjmhnTezwd4SQIM9zS-9p-7bU-zyDxoMRKzMgOT6vLTHzu6Oh6j_MRKLQOnkKEXp5sutNmGNFcsiGpmTd2GoFnLCLic_-RBMPWZjf9BME2R2_pRhxcsuIqEHVo2aXlCMuXMk3CZ6YlaYIG0NUicSwuP9yVvnMIBfS2Vv_WDYtMHTbU3PpKUDbaFIUdm8-WncAFYkysHYHg76qNIYLdQK1AewezD2s4OIgBc34g169zt8S6jJf_CezkP9u79NKM_OrEtAzG5ZxWibMgsYxGEDXeIvPmIPlkFAV_u4&state=66&session_state=825012c9-4b24-40ad-a899-0caa9f968768 from xx.xx.xxx.xx by john at 2023-12-11T21:29:12+00:00`

It seems to be the same issue