If your Sharp BP Series copier stopped sending scanned emails — or if your IT department has told you the old SMTP username/password setup is going away — this guide is for you.
Microsoft has been retiring Basic Authentication for Exchange Online and Microsoft 365. That’s the old method where you typed a username and password directly into the copier’s SMTP settings. Once Microsoft enforces the change on your tenant, your copier will return a 550 5.7.30 error and scan-to-email stops working entirely.
The replacement is OAuth 2.0 Modern Authentication — a token-based system where the copier gets a secure access token from Microsoft instead of storing a password. The Sharp BP Series supports this natively. This guide walks through the complete setup: the Microsoft 365 / Azure side first, then the copier side.
Who needs to do this: Your Microsoft 365 Global Administrator (or someone with Exchange Administrator rights) completes Part 1. Your copier administrator completes Part 2. In many small businesses, this is the same person.
Before You Start — What You’ll Need
- Global Administrator or Exchange Administrator access to your Microsoft 365 tenant
- Admin access to the Sharp BP Series web interface (IP address + admin password)
- A mailbox on your Microsoft 365 tenant to send from — a dedicated shared mailbox like scanner@yourdomain.com works well
- Windows PowerShell with the ExchangeOnlineManagement module (required for one step — instructions included)
Part 1: Microsoft 365 / Azure Side
This part is done entirely in the browser. You’ll work in two Microsoft admin portals: Microsoft Entra (formerly Azure Active Directory) and the Exchange Admin Center.
Step 1: Create an App Registration in Microsoft Entra
- Open a browser and go to entra.microsoft.com
- Sign in with your Global Administrator account
- In the left navigation, go to Applications → App registrations
- Click + New registration
- Fill in the registration form:
  - Name: Something descriptive like Sharp Copier SMTP or Copier Scan to Email
  - Supported account types: Select Accounts in this organizational directory only (Single tenant)
  - Redirect URI: Leave this blank
- Click Register
After registering, you’ll land on the app’s Overview page. Copy and save the following two values — you’ll need them later:
- Application (client) ID
- Directory (tenant) ID
Step 2: Create a Client Secret
The client secret is the credential the copier uses to authenticate. Treat it like a password.
- In your app’s left menu, click Certificates & secrets
- Click + New client secret
- Add a description (e.g., Copier SMTP Secret) and set an expiration — 24 months is a reasonable choice
- Click Add
- Immediately copy the Value field and save it somewhere secure. This value is only shown once. If you navigate away without copying it, you’ll have to delete it and create a new one.
You now have three values saved: Client ID, Tenant ID, and Client Secret. Keep these handy for the copier setup in Part 2.
Step 3: Add the SMTP.SendAsApp Permission
- In your app’s left menu, click API permissions
- Click + Add a permission
- Click the APIs my organization uses tab
- Search for Office 365 Exchange Online and select it
- Select Application permissions
- Find and check SMTP.SendAsApp
- Click Add permissions
- Back on the API permissions page, click Grant admin consent for [Your Organization]
- Click Yes to confirm
You should see SMTP.SendAsApp with a green checkmark and “Granted for [Your Org]” status. If the checkmark is not green, repeat the admin consent step.
Step 4: Get the Enterprise Application Object ID
This is a separate ID from the one on the App Registration page. Using the wrong one is the most common mistake in this entire process.
- In the left navigation, go to Applications → Enterprise applications
- Find and click your newly created app (same name you used in Step 1)
- On the Overview page, copy the Object ID
Important: This Object ID is different from the one on the App Registration overview screen. You must use the Enterprise Application Object ID in Step 5 — using the wrong one will cause authentication to fail.
Step 5: Register the Service Principal in Exchange Online
This step links your Azure app to Exchange Online so it can actually send mail. It requires Windows PowerShell and is a one-time setup.
Install the Exchange Online PowerShell module (if not already installed). Open PowerShell as Administrator and run:
Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser
Connect to Exchange Online:
Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.com
Sign in with your Global Administrator or Exchange Administrator credentials when prompted.
Register the service principal:
New-ServicePrincipal -AppId <Application_Client_ID> -ServiceId <Enterprise_App_Object_ID>
Replace <Application_Client_ID> with the Client ID from Step 1, and <Enterprise_App_Object_ID> with the Object ID from Step 4.
Grant SendAs permission to the mailbox the copier will send from:
Add-RecipientPermission -Identity "scanner@yourdomain.com" -Trustee <Enterprise_App_Object_ID> -AccessRights SendAs
Replace scanner@yourdomain.com with the actual email address the copier will send from. If you want the copier to send from multiple addresses, repeat this command for each one.
Step 6: Enable Authenticated SMTP on the Mailbox
- Go to the Microsoft 365 Admin Center
- Navigate to Users → Active users
- Click on the mailbox the copier will use (e.g., scanner@yourdomain.com)
- Click the Mail tab
- Under Email apps, click Manage email apps
- Make sure Authenticated SMTP is checked
- Click Save changes
If this is a shared mailbox, you may need to enable it via PowerShell instead:
Set-CASMailbox -Identity "scanner@yourdomain.com" -SmtpClientAuthenticationDisabled $false
Summary: Values to Have Ready Before Part 2
| Value | Where to Find It |
|---|---|
| Tenant ID | Entra → App registrations → Your app → Overview |
| Application (Client) ID | Entra → App registrations → Your app → Overview |
| Client Secret | Created in Step 2 — save immediately, shown only once |
| Sender Email Address | The mailbox you granted SendAs permission to in Step 5 |
Part 2: Sharp BP Series Copier Side
The copier connects to your Microsoft 365 tenant using the credentials above and retrieves an OAuth token. You’ll need admin access to the copier’s web interface.
Step 7: Access the Copier Web Interface
- Find the machine’s IP address: on the copier touchscreen, tap Settings → Status tab → Network Settings
- On a computer on the same network, open a browser and type the IP address into the address bar
- Click Administrator Login and enter the admin password (default: admin)
Step 8: Configure SMTP Settings
- In the web interface, navigate to: Settings (Administrator) → System Settings → Network Settings → Service Settings → SMTP tab
- Configure the following fields:
  - Primary Server: smtp.office365.com
  - Port Number: 587
  - Enable SSL/TLS: Enable (STARTTLS)
  - Sender Name: Whatever you want to appear in the From field (e.g., Office Copier)
  - Sender Address: The mailbox email address (e.g., scanner@yourdomain.com)
- Under Authentication Method, select OAuth 2.0
- Under Provider, select Microsoft
- Under Account Name, enter the sender email address (e.g., scanner@yourdomain.com)
Step 9: Get the Token
This is where the copier connects to Microsoft and retrieves its authentication token. An administrator must be at the copier’s touchscreen for this step — it requires a browser-based login on the copier’s screen.
- Tap the [Get Token] key
- A confirmation message will appear — tap [OK]
- The copier will display the Microsoft login page on its touchscreen
- Log in using the credentials for the sender mailbox account
- Follow any additional prompts (MFA, consent screens) to complete the login
- When the token is successfully retrieved, the Token field will change from [Not Retrieved] to [Retrieved]
Token status reference:
| Status | Meaning |
|---|---|
| Not Retrieved | No token has been obtained yet |
| Waiting for authorisation | Login is in progress but not yet complete |
| Retrieved | Active and working |
| Invalid | Token has expired or the account is no longer valid — re-obtain the token |
Step 10: Test the Setup
- In the web interface, find the Connection Test option under SMTP settings and run it — it should return a successful result
- Walk to the copier, place a document in the feeder, and tap Scan → E-mail
- Enter a recipient address and send a test scan
- Confirm the email arrives with the scanned document attached
If the connection test fails, check the following:
- The Sender Address matches exactly what you granted SendAs permission to in Step 5
- The Client Secret hasn’t expired
- Admin consent shows a green checkmark on SMTP.SendAsApp (Step 3)
- Authenticated SMTP is enabled on the mailbox (Step 6)
When the Token Expires
OAuth tokens are not permanent. If scan-to-email stops working in the future and the Token status shows [Invalid], the token needs to be refreshed.
To delete and re-obtain the token:
- Go back to: System Settings → Network Settings → Service Settings → SMTP tab
- Tap the [Delete] key next to the Token field and confirm — the status returns to [Not Retrieved]
- Tap [Get Token] and repeat the login process from Step 9
Pro tip: Set a calendar reminder for roughly 24 months out — or whatever expiration you chose for your Client Secret in Step 2. When the secret expires, the token will fail. You’ll need to create a new Client Secret in Azure and re-obtain the token on the copier.
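The expiration date can also be read directly from the app registration rather than relying only on a calendar entry. The script below is an added example, not part of the original guide; it assumes the Microsoft Graph PowerShell module (Microsoft.Graph.Applications) is installed, which this guide does not otherwise use, and both the client ID placeholder and the 60-day warning threshold are values chosen for illustration.

```powershell
# Added example: report how long each client secret on the copier's app registration has left.
# Assumes the Microsoft.Graph.Applications module is installed (not used elsewhere in this guide).
$AppId    = '<Application_Client_ID>'   # placeholder: Client ID from Step 1
$WarnDays = 60                          # hypothetical threshold for a "renew soon" warning

# Read-only scope: enough to list the app's credentials, not to change them.
Connect-MgGraph -Scopes 'Application.Read.All'

$app = Get-MgApplication -Filter "appId eq '$AppId'"
if (-not $app) { throw "No app registration found for client ID $AppId" }
if (-not $app.PasswordCredentials) { throw "App registration has no client secrets" }

$now = (Get-Date).ToUniversalTime()

$app.PasswordCredentials | ForEach-Object {
    $daysLeft = [math]::Floor(($_.EndDateTime.ToUniversalTime() - $now).TotalDays)
    [pscustomobject]@{
        Secret   = $_.DisplayName     # the description entered in Step 2
        KeyId    = $_.KeyId           # identifies the secret; the secret value is never returned
        Expires  = $_.EndDateTime
        DaysLeft = $daysLeft
        Status   = if ($daysLeft -lt 0) { 'EXPIRED' }
                   elseif ($daysLeft -le $WarnDays) { 'RENEW SOON' }
                   else { 'OK' }
    }
} | Sort-Object DaysLeft | Format-Table -AutoSize
```

Run on a schedule, this gives advance notice before the secret created in Step 2 lapses and scan-to-email stops.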
Frequently Asked Questions
Does every Sharp BP Series model support OAuth 2.0?
The BP-50C, BP-55C, BP-60C, BP-70C, BP-50M, and BP-70M series all support OAuth 2.0 natively. Older MX Series machines generally do not — if you have an MX Series unit, contact your dealer about SMTP relay alternatives.
Can I use a shared mailbox instead of a regular user account?
Yes, and it’s the recommended approach. A dedicated shared mailbox like scanner@yourdomain.com keeps copier traffic separate from any individual’s account. Shared mailboxes don’t require a paid license in most Microsoft 365 plans.
What if we have multiple copiers?
The same Azure app registration can be used for multiple copiers. Each copier goes through the token-retrieval step (Step 9) independently using the same account credentials. If each copier needs a different sending address, run the Add-RecipientPermission command in Step 5 for each address.
What’s the alternative if our copier doesn’t support OAuth 2.0?
An SMTP relay service can act as a bridge — the copier sends to the relay using standard SMTP authentication, and the relay forwards to Microsoft 365 using modern authentication on your behalf. This is a practical option for older machines that can’t be updated.
Will we have to redo this when Microsoft changes things again?
OAuth 2.0 is Microsoft’s long-term standard, so this setup should remain stable. The main maintenance item is the Client Secret expiration — create a new one in Azure and re-obtain the copier token when it expires.
