OK, typically I managed to answer my own question two minutes after posting it.  When I looked at the web traffic in Fiddler I saw that the redirect url was being submitted as localhost/.../callback.html so I added that as a redirect in Azure.  Whose bright idea was it to make a url case sensitive..?

I now have a different problem, which is that it now connects but cannot create the connection to the sync server.  The logs say that this is because the request doesn't contain the client secret, which is true, but there doesn't seem to be anywhere to put the secret in.  How do I get that to be passed across so that the connection can be made?

What version of Sage CRM are you using?  See

Sage CRM: Configuring OAuth 2 0 for Exchange Online Office 365 in Sage CRM 2020 R2 onwards - YouTube

This is for 2021 R1.  Thanks for the video; I have done everything it shows but still am having no luck.  Firstly, I don't think that the https://outlook.office365.com/EWS/Exchange.asmx works any more and I can't connect to it.  I think that you now need to use the personalised endpoint ending in .mail.protection.microsoft.com to which I can connect but still get the secret id error.

OAuth comes in with Sage CRM 2020 R2

That's what I have been using.

This is the set up I have in 2020 R2 and it works:

Thanks but that doesn't work for me.  I get the following error:

I thought the whole point of the OAuth 2.0 protocol was that you had to pass the client secret as well as the client id.

However if I use my original configuration with the .mail.protection.outlook.com address I get this error:

which seems to be one step further than using the generic address.

Can you please try to clear all the cache from the browser and all the passwords and close all windows and try again.

Are you using the localhost link from the server to set up the exchange integration?

For North America support you can book an appointment online :

app.timetrade.com/.../login.do

Thanks for the suggestion but that doesn't work.  I still get the same error message.

Hi Guy

Microsoft have indefinitely postponed the need for OAuth2 for Exchange Integration so you can still connect to it using the original method. This way you don't have to mess around with Azure

Thanks Matthew.  Are you sure about this?  It still doesn't work and if I try with a standard POP3 client it doesn't allow me to authenticate with the "traditional" settings.

Hi Guy,

Are you asking about POP3 or Exchange Integration? they're different things in CRM. For exchange integration you can set it to 'Exchange Server' and the URL of https://outlook.office365.com/ews/exchange.asmx and authorise with the email account (it does have the Role of Application Impersonation assigned to it? Else it will fail) 

POP3 connection just needs TLS ticked and connects to smtp.office365.com over port 587. 

Sorry, I'm working on trying to get them both working so I am being a bit free and loose with my comments.  I think the problem for both might be to do with 2FA and I am just investigating this.

Yes it's all gone wrong because of 2FA.  Works perfectly without.  This should have been obvious to me if I had thought about it...  So to overcome the problem you need to turn off 2FA for the user that you are using for Exchange Integration, and E-mail Manager if that's what you also need to use.  Sending e-mails out works with 2FA enabled.