From 60ea979f9cf9379a57ed20b18394427b25e9e4e1 Mon Sep 17 00:00:00 2001
From: Ronald Franz Nina Layme
Date: Fri, 8 May 2026 11:19:18 -0400
Subject: [PATCH] Use .us Microsoft endpoints for Office365 OAuth
---
 ProcessMaker/Managers/OauthMailManager.php | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/ProcessMaker/Managers/OauthMailManager.php b/ProcessMaker/Managers/OauthMailManager.php
index 9fa9a4d9c9..d39f9ce9b5 100644
--- a/ProcessMaker/Managers/OauthMailManager.php
+++ b/ProcessMaker/Managers/OauthMailManager.php
@@ -9,6 +9,7 @@
 use Illuminate\Mail\MailManager;
 use ProcessMaker\Models\EnvironmentVariable;
 use ProcessMaker\Packages\Connectors\Email\EmailConfig;
+use ProcessMaker\Models\Setting;
 
 class OauthMailManager extends MailManager
 {
@@ -127,13 +128,25 @@ private function refreshAccessToken()
 {
 try {
 $index = $this->emailServerIndex ? "_{$this->emailServerIndex}" : '';
+ //Get Mail Host
+ $key = "EMAIL_CONNECTOR_MAIL_HOST{$index}";
+ $settingEmailConnectorMailHost = Setting::byKey($key)?->config ?? null;
+
+ $baseUrlMicrosoft = 'https://login.microsoftonline.com/';
+ $permissions = 'https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/SMTP.Send offline_access';
+ // Change the Microsoft Base Url and scopes according to the environment if the mail host ends with .us, which is the case for Microsoft 365 US Government.
+ if ($settingEmailConnectorMailHost && is_string($settingEmailConnectorMailHost) && str_ends_with($settingEmailConnectorMailHost, '.us')) {
+ $baseUrlMicrosoft = 'https://login.microsoftonline.us/';
+ $permissions = 'https://outlook.office365.us/IMAP.AccessAsUser.All https://outlook.office365.us/POP.AccessAsUser.All https://outlook.office365.us/SMTP.Send offline_access';
+ }
+
 $guzzle = new Client();
- $url = 'https://login.microsoftonline.com/' . $this->token->tenant_id . '/oauth2/v2.0/token';
+ $url = $baseUrlMicrosoft . $this->token->tenant_id . '/oauth2/v2.0/token';
 $newToken = json_decode($guzzle->post($url, [
 'form_params' => [
 'client_id' => $this->token->client_id,
 'client_secret' => $this->token->client_secret,
- 'scope' => 'https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/SMTP.Send offline_access',
+ 'scope' => $permissions,
 'refresh_token' => $this->token->refresh_token,
 'grant_type' => 'refresh_token',
 ],
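Review bot: The cloud selection in refreshAccessToken() keys on `str_ends_with($settingEmailConnectorMailHost, '.us')`, so any mail host under the .us country-code TLD, not only Microsoft 365 US Government, causes `client_secret` and `refresh_token` to be posted to `login.microsoftonline.us` with the `outlook.office365.us` scopes. Both authorities are hard-coded Microsoft hosts, so this is misrouting of the credential exchange and a refresh failure rather than disclosure to a third party, but the match is also case-sensitive and untrimmed, so `SMTP.OFFICE365.US` or a value with trailing whitespace silently falls back to the commercial endpoint. I would normalise the value and match the Microsoft domain itself, keeping the existing `is_string` guard: `$host = strtolower(trim($settingEmailConnectorMailHost));` then `if (str_ends_with($host, '.office365.us')) {`, or drive the choice from an explicit cloud setting if the connector has one. The function body continues past the end of this hunk, so it cannot be checked here whether the initial authorization request uses the same authority; it should, since a refresh token issued by one cloud is presumably not redeemable at the other.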