Description
Hello @simonrob
First, thank you for this project, it has been a big timesaver to test some assumptions.
I am trying to migrate some applications that use SMTP services (STARTTLS / AUTH PLAIN) to pure O365. I wanted a simple setup, which could scale (without incurring costs). What I settled on was creating an application, giving it Outlook `SMTP.SendAsApp` permissions, adding the service principal to Outlook and giving it access to the needed mailbox, as well as enabling SMTP on those mailboxes.
Some descriptions of the process:
- https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth
- https://stackoverflow.com/a/76268281
This works quite well because it doesn't lead to the creation of a new account, can be added to an existing mailbox (shared or not), and keeps the credentials application specific. Unlike other methods, it doesn't force a 1-to-1 or 1-to-any relationship, and can allow sending but not receiving (or the other way around). The `client_id` and `client_secret` are essentially username / password.
Looking into this repository, I saw that #61 led to the implementation of the CCG grant with `AccessAsApp` (there was no support for SMTP at the time, but that has since changed). However, from everything I can see in the code / this repository, the proxy expects the user's password and there's no way to use the `client_secret`.
In short, I would like to have the following configuration:
```ini
[foo@contoso.onmicrosoft.com]
token_url = https://login.microsoftonline.com/$TENANT/oauth2/v2.0/token
oauth2_flow = client_credentials
oauth2_scope = https://outlook.office365.com/SMTP.AccessAsApp
client_id = 42424242-4242-4242-4242-424242424242
```
And authenticate with `foo@contoso.onmicrosoft.com` / `$CLIENT_SECRET`.
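As an added illustration of the flow proposed in this issue (example code, not email-oauth2-proxy's own): the client authenticates to the proxy with AUTH PLAIN using the `client_secret` as its password, the proxy turns that into a client credentials token request against the configured `token_url`, and then authenticates upstream with SASL XOAUTH2. The config text is the one from the issue with a placeholder tenant; the secret and access token are placeholders, and nothing is sent over the network.

```python
import base64
import configparser
from urllib.parse import urlencode

# Constructed config in the shape proposed above (tenant id is a placeholder).
CONFIG_TEXT = """
[foo@contoso.onmicrosoft.com]
token_url = https://login.microsoftonline.com/TENANT_PLACEHOLDER/oauth2/v2.0/token
oauth2_flow = client_credentials
oauth2_scope = https://outlook.office365.com/SMTP.AccessAsApp
client_id = 42424242-4242-4242-4242-424242424242
"""

def encode_auth_plain(username, password):
    """What an SMTP client sends after 'AUTH PLAIN' (RFC 4616): NUL authcid NUL passwd."""
    return base64.b64encode(f"\x00{username}\x00{password}".encode()).decode()

def decode_auth_plain(initial_response):
    """Proxy side: recover the username and the client_secret sent as its password."""
    _authzid, authcid, passwd = base64.b64decode(initial_response).decode().split("\x00")
    return authcid, passwd

def build_token_request(config_text, username, client_secret):
    """Token endpoint and form body for the client credentials grant (RFC 6749 s4.4).
    The secret arrives at AUTH time, so it never has to be written into the config."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    account = cfg[username]
    if account.get("oauth2_flow") != "client_credentials":
        raise ValueError("account is not configured for the client credentials grant")
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": account["client_id"],
        "client_secret": client_secret,
        "scope": account["oauth2_scope"],
    })
    return account["token_url"], body

def xoauth2_initial_response(username, access_token):
    """SASL XOAUTH2 initial client response the proxy sends upstream after 'AUTH XOAUTH2'."""
    raw = f"user={username}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()

def proxy_auth_step(client_auth_plain_b64):
    """End-to-end: client AUTH PLAIN in, token request out, and the XOAUTH2 string
    the proxy would use once a token (here a placeholder) comes back."""
    username, client_secret = decode_auth_plain(client_auth_plain_b64)
    url, body = build_token_request(CONFIG_TEXT, username, client_secret)
    return url, body, xoauth2_initial_response(username, "ACCESS_TOKEN_PLACEHOLDER")
```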