Comment by matrss

What you are referring to is called an access token and has nothing to do with hashed passwords. A hashed password cannot be used directly to authenticate, otherwise it would not be a hashed password, but just a password (or access token, which is the same really).

I don't understand how hashed passwords got into this discussion though. My point is that microsoft should have no way to authenticate as an outlook user against their third party mail provider without the user explicitly giving them permission to do so and what they do is strictly unnecessary to provide the functionality of an email client.