You might find some folk that follow exchange server issues in the enterprise list. https://thunderbird.topicbox.com/groups/enterprise

About all I know is in this article. https://support.mozilla.org/en-US/kb/microsoft-oauth-authentication-and-thunderbird-202

Hay Matt, Thanks for the reply. I actually did figure this out on my own this afternoon. I need to come back and post the solution but it will be a little bit before I can. looks like I have to edit and save images, I can't just paste them in here.

So Microsoft support sent me a whole long list of instructions.

To enable other accounts in your Office 365 tenant to use Thunderbird as a mail client, you need to ensure that the necessary settings are configured correctly. Here is a step-by-step guide:

1 Enable IMAP Access:

• Please open the Exchange Admin Center
• In the Exchange admin center, go to mail flow > connectors.
• Ensure that IMAP access is enabled for the user accounts.
• You may need to create a new connector if one does not already exist.
• Further information: Set up connectors to route mail between Microsoft 365 or Office 365 and your own email servers | Microsoft Learn

2 Enable Basic Authentication for IMAP and SMTP:

• Please open the Azure Active Directory.
• In the Azure Active Directory admin center, go to Azure Active Directory > Properties > Manage security defaults.
• If security defaults are enabled, you might need to disable them to allow basic authentication for IMAP and SMTP.
• This step is necessary if your Thunderbird clients use basic authentication instead of modern authentication (OAuth).
• Further information: Providing a default level of security in Microsoft Entra ID - Microsoft Entra | Microsoft Learn

3 Enable Modern Authentication (OAuth) for IMAP and SMTP:

• Please open the Exchange Admin Center.
• In the Exchange admin center, go to settings > mail flow.
• Ensure that modern authentication is enabled for both IMAP and SMTP.

4 Create App Passwords for Users with 2FA Enabled:

• Users need to create app passwords if two-factor authentication (2FA) is enabled.
• Please have each user sign in to https://mysignins.microsoft.com/security-info
• Select the “+Add sign-in method” button > Choose “App password” from the list > then select Add > Create a name then password, please be sure to save this password safely

• Users should generate a new app password and use it in Thunderbird as their email password.

Further information: Manage app passwords for two-step verification - Microsoft Support

5 Configure Thunderbird:

• Open Thunderbird and go to Account Settings.
• Add a new email account and enter the user's Office 365 email address and the app password generated in the previous step.
• For the incoming server, use the following settings:

           Server Type: IMAP Mail Server 
           Server Name: outlook.office365.com 
           Port: 993 
           Connection Security: SSL/TLS 
           Authentication Method: OAuth2 or Normal Password (if using app password) 

       For the outgoing server, use the following settings: 

           Server Name: smtp.office365.com 
           Port: 587 
           Connection Security: STARTTLS 
           Authentication Method: OAuth2 or Normal Password (if using app password) 

Additionally, we request that you open a parallel support ticket with Thunderbird to ensure that this issue is addressed promptly by both our internal team and Thunderbird support.

Thank you in advance

As it turns out, I don't think I needed to do anything except #5 The biggest point is that you HAVE to change the Hostname (not server name) And you have to do this before you can choose the correct Authentication Method because OAuth2 won't show up until Thunderbird sees that it is a email server that requires it. I spent hours searching for the settings I needed to use for the email setup and having the worst time going in circles through the microsoft atricles where most of them are either out of date or they call things by old names or they are showing instructions for depreciated things and there is no way to know what to look for unless you already know how to do it. For example, in #2 they say Please open the Azure Active Directory. Well it is no longer called Azure Active Directory.

Anyway, if anyone has an issue with a work or school account that is in the Microsoft ecosystem but with it's own domain name. Try Changing the incomming Hostname to outlook.office365.com and the outgoing Hostname to smtp.office365.com and see if that works.

oops, I wrote a whole long reply with image and instructions and then I tried to edit it because the formatting was messed up with horizontal sliders for lines that came out way to long for the screen but then it vanished. I hope a Mod still has access to fix it and post it as the solution to the problem.

Having spend a little time on the Microsoft instructions I think they are just wrong with regard to passwords. Like you I will go with 5, but you do have to have IMAP and SMTP enabled on the exchange server, so 1 and 3 are also required from an admin perspective as they are disabled by default in exchange and have been for many years. (Thanks Microsoft for disabling the standards based protocols in your application by default only enabling the proprietary protocols used by outlook and exchange activsync.)

You are correct through that Thunderbird only offers oauth for known/approved domains. The protocol requires that an application secret be sent when authentication is initiated, sending the one for say yahoo does not meet the requirements. It must be the one Microsoft issued to Thunderbird for their server. So there is currently no way short of manual code changes to add a "new" oauth domain.

Yea, except #1 actually is only needed IF you have on site email servers in addition to using the outlook.office365.com and smtp.office365.com you have to create connectors. If you don't have on site servers, you can't create connectors.

1. 2, basically saying go into Microsoft Entra ID and make sure you don't have any security defaults that would block IMAP or SMTP. No this isn't necessarily off by default actually, at least it wasn't in mine.

1. 3 Ensure that modern authentication is enabled for both IMAP and SMTP. Problem here is language. There are no settings that SAY modern authentication. Basically they are saying in the Exchange Admin > settings > Mail flow settings. Under Security don't check the boxes for Turn Off SMTP AUTH Protocol for your Organization and Turn on Legacy TLS Clients

1. 4 Create App Passwords for Users with 2FA Enabled

I did this, When I set app passwords and tried to use the Normal Password log in, it didn't work. There are two different places for this. One is when you are setting things to allow for self service password resetting and first signing into the account where you need a phone number or something set up on the account to be able to recover or change the password, that needs to be enabled which I already had enabled. The other is that you can actually Enforce having to use 2FA for all sign ins (don't do that.) Now all the stuff I read about having to make everyone have 2FA required was a trip down the rabbit hole. No, what is needed is that everyone who is going to do this needs to have a 2nd factor for authentication available and in the system. Basically, they need to have a way in the system for self service password reset because they will need it to give permission for Thunderbird to get access to their email. But you don't have to require that they have to use 2FA EVERY TIME THEY LOG IN!!! That is actually totally unacceptable for students in an education environment since many students don't have full time access to a cell phone (especially when they are in school.) I was able to create a brand new account to test this. As long as the account has already logged into microsoft once and entered the phone number or something to be able to do password recovery, that account can set up thunderbird for their email. The ONLY thing I needed to do differently for any of my member accounts was to change the hostname for the incoming and outgoing servers and it worked just fine. Perhaps somewhere in the Thunderbird documentation or help we could make note that Microsoft tenets with their own custom domain names need to use these settings to get things to work with thunderbird. Change the Host Names first, then you can set OAuth. I had to change the Port for the SMTP also.

    For the incoming server, use the following settings: 
          Server Type: IMAP Mail Server 
          Host Name: outlook.office365.com 
          Port: 993 
          Connection Security: SSL/TLS 
          Authentication Method: OAuth2

      For the outgoing server, use the following settings: 
          Host Name: smtp.office365.com 
          Port: 587 
          Connection Security: STARTTLS 
          Authentication Method: OAuth2