diff --git a/env_prod.env b/env_prod.env
index a3cc8614..104d343a 100644
--- a/env_prod.env
+++ b/env_prod.env
@@ -58,7 +58,7 @@ Connector_AiTavily_API_SECRET = PROD_ENC:Z0FBQUFBQnBDM1Z3NmItcDh6V0JpcE5Jc0NlUWZ
 # Agent Mail configuration
 Service_MSFT_CLIENT_ID = c7e7112d-61dc-4f3a-8cd3-08cc4cd7504c
-Service_MSFT_CLIENT_SECRET = PROD_ENC:Z0FBQUFBQnBDM1Z3NjBORzZ2VEVRaEZlYXhpdGM2eDJoV29SSk90bS1MMjNXWmhnRF8zWk9va2s5YmRTazZfWG1aTUY0S3NIU2FCOHdCbDduRWxtWXltdW9NNHVZN3E5cWladjZHZ1pmSTlUNFBqYi1UQTlzbS1xT2Rlb1o2bnl6bFhpejdjMVJqWXI=
+Service_MSFT_CLIENT_SECRET = PROD_ENC:Z0FBQUFBQnBESUZEMEZodmsxVTFtWkxScW9DT0JZVWZTZDVtak02NnlnYm04NDdZclBSbWFOSlRGSnhGazg0dmNQOVpuU1ZCbENBN3RUaWJGYk1ISldUQndaNU1GTGdhTmZxT0tlakZ1NjNmRzI5ZFJjSF9SSzNNUFdaRDNXbXgwdEc1ZkFnV3NJbUI=
 Service_MSFT_TENANT_ID = common
 # Google Service configuration
diff --git a/modules/routes/routeSecurityMsft.py b/modules/routes/routeSecurityMsft.py
index 9059b3da..3d5aa1fb 100644
--- a/modules/routes/routeSecurityMsft.py
+++ b/modules/routes/routeSecurityMsft.py
@@ -40,6 +40,16 @@ CLIENT_SECRET = APP_CONFIG.get("Service_MSFT_CLIENT_SECRET")
 TENANT_ID = APP_CONFIG.get("Service_MSFT_TENANT_ID", "common")
 REDIRECT_URI = APP_CONFIG.get("Service_MSFT_REDIRECT_URI")
 AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}"
+
+# Validate configuration at module load
+if not CLIENT_ID:
+ logger.warning("Service_MSFT_CLIENT_ID is not configured")
+if not CLIENT_SECRET:
+ logger.warning("Service_MSFT_CLIENT_SECRET is not configured")
+if not REDIRECT_URI:
+ logger.warning("Service_MSFT_REDIRECT_URI is not configured")
+if CLIENT_SECRET and CLIENT_SECRET.startswith(("PROD_ENC:", "INT_ENC:", "DEV_ENC:")):
+ logger.warning("Service_MSFT_CLIENT_SECRET appears to be encrypted - ensure decryption is working")
 SCOPES = [
 "Mail.ReadWrite", # Read and write mail
 "Mail.Send", # Send mail
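Review bot: The rotated `Service_MSFT_CLIENT_SECRET` is still committed to the tracked `env_prod.env`, so the replaced ciphertext stays recoverable from history and both values are protected only by whatever key decrypts `PROD_ENC:` entries. If this rotation follows an exposure or a failed decryption, confirm that the previous secret was revoked in the app registration rather than only replaced here. A comment above the line such as `# rotated ROTATION_DATE (placeholder); previous secret revoked in app registration` would record that. Longer term, referencing the secret by name from a secret store would keep future rotations out of version control.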
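Review bot: The new load-time checks only log a warning, so the module carries on with `CLIENT_ID`, `CLIENT_SECRET` or `REDIRECT_URI` set to `None`, or with a secret that still has a `PROD_ENC:`/`INT_ENC:`/`DEV_ENC:` prefix, which would then presumably be sent to the token endpoint as the credential. For an authentication route it is safer to fail closed: log at error level and stop, e.g. `raise RuntimeError("Service_MSFT_CLIENT_SECRET is still encrypted; Microsoft auth disabled")`, or mark the provider disabled so its routes answer 503. These checks also allow a state in which the later `auth_callback` hunk's `CLIENT_ID[:8]` raises `TypeError` because `CLIENT_ID` is `None`. Whether `logger` is already defined above line 40 is not visible in this hunk.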
@@ -149,9 +159,37 @@ async def auth_callback(code: str, state: str, request: Request, response: Respo
 )
 if "error" in token_response:
- logger.error(f"Token acquisition failed: {token_response['error']}")
+ error_code = token_response.get('error')
+ error_description = token_response.get('error_description', 'No description provided')
+ error_uri = token_response.get('error_uri', '')
+
+ logger.error(
+ f"Token acquisition failed: {error_code} - {error_description} | "
+ f"CLIENT_ID: {CLIENT_ID[:8]}... | "
+ f"REDIRECT_URI: {REDIRECT_URI} | "
+ f"TENANT_ID: {TENANT_ID}"
+ )
+
+ # Provide more helpful error message based on error code
+ if error_code == "invalid_client":
+ error_msg = "Invalid client credentials. Please check CLIENT_ID and CLIENT_SECRET configuration."
+ elif error_code == "invalid_grant":
+ error_msg = "Invalid authorization code or redirect URI mismatch."
+ else:
+ error_msg = f"Authentication failed: {error_description or error_code}"
+
 return HTMLResponse(
- content="
Could not acquire token.
", + content=f""" + +{error_msg}
+Error code: {error_code}
+Please contact support if this issue persists.
+ + + """, status_code=400 )
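Review bot: `error_msg` and `error_code` are interpolated into the `HTMLResponse` body through an f-string without escaping, and in the `else` branch `error_msg` carries the token endpoint's `error_description` verbatim. Escape both where they are inserted, e.g. `{html.escape(error_msg)}` and `{html.escape(str(error_code))}`, with `import html` added at the top of the file. Showing the raw description and the `CLIENT_ID`/`CLIENT_SECRET` hint to an unauthenticated browser also discloses server-side configuration state; a generic message would do, with the detail kept in the `logger.error` line. `error_uri` is assigned but never used. The template's markup is not visible in this view, and `auth_callback` begins above the hunk.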