Table of Contents
New Date for Retirement Will be Announced Sometime in 2027
In the latest twist in Microsoft’s effort to retire basic authentication for the SMTP AUTH client submission protocol from Exchange Online, new guidance appeared on January 27 to set out what Microsoft must hope to be the last steps in the process. Previously Microsoft wanted to close off basic authentication for SMTP AUTH in September 2025, but following customer pushback, Microsoft adjusted those dates and in June 2025 announced their intention to begin rejecting a small percentage of SMTP AUTH submissions on March 1, 2026. The percentage of rejection would gradually increase to reach 100% on April 30, 2026. That won’t happen now.
In a nutshell, Microsoft 365 tenants can use basic authentication with SMTP AUTH to submit messages to Exchange Online for processing until the end of December 2026. At that time, Microsoft will disable basic authentication for SMTP AUTH. However, tenant administrators can reverse the block to allow apps and devices to resume using basic authentication to submit messages. In the second half of 2027, Microsoft will announce the final drop-dead removal date when basic authentication for SMTP AUTH will no longer be available.
New tenants created from January 2027 (or the end of December 2026) will be unable to use basic authentication with SMTP AUTH. If these tenants need to send messages from apps or devices, they must use OAuth.
I Need More Time
Microsoft’s logic for pushing the date out is that customers “face real challenges modernizing legacy email workflows.” Extra time is required to update code to remove basic authentication (username and password credentials) and replace it with OAuth, a task that Microsoft’s documentation takes many words to explain.
Updating PowerShell scripts is relatively easy because of the availability of off-the-shelf OAuth authentication in the form of the Send-MgUserMail and Send-MgUserMessage cmdlets from the Microsoft Graph PowerShell SDK. When Microsoft started on the journey to retire basic authentication for SMTP AUTH, examples of using these cmdlets were hard to find. That’s not the case now, and it’s easy to find many scripts that use the cmdlets in different ways, like attaching multiple files to messages.
The Device Issue
Updating devices like multi-function printers and scanners is more challenging. Only the device vendors can upgrade code, and I hear of many blank looks when customers ask vendors about their plans to upgrade devices to support OAuth for client submissions. If an update isn’t available to allow an application or device to support OAuth, the usual course of action is to remove Exchange Online from the equation and replace it with a different SMTP server (like SMTP2Go or even an on-premises Exchange Server).
Another solution proposes the translation of basic authentication commands to OAuth using a local proxy. I have not tested the effectiveness of the solution and cannot attest to how well it works in the wild. However, I’ve heard good things about it, so the local proxy approach could be worth investigating.
Microsoft in a Bind
Microsoft very badly wants to retire basic authentication for SMTP AUTH client submission, but they don’t want to make customers unhappy. SMTP AUTH is the last hurdle for a project to remove basic authentication for all email protocols that began with protocols like IMAP4, POP3, EWS, and MAPI in October 2022. At the time, Microsoft said “We are not touching SMTP AUTH and are done turning it off for now.” Wise heads realized then that removing basic authentication from SMTP AUTH would be a struggle, and they were right.
Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.
Hi Tony, great article as usual. Some organisations have leveraged HVE for MFDs albeit the limitations.
Hi Tony,
I have a quick question—am I correct in understanding that the retirement of Basic Authentication for SMTP AUTH applies only to Exchange Online? Since we’re using on‑premises SMTP in our hybrid environment, this change shouldn’t affect us. Please confirm if my understanding is correct.
Only Exchange Online.
Could you clarify whether SMTP AUTH refers to SMTP as a protocol, or just to basic password authentication within SMTP? From Microsoft’s documentation (aka.ms/smtp_auth_disabled), it seems like although they are on a big push to disable SMTP AUTH, they actually use this term to refer to Modern Auth as well, and that is going to continue being supported when this retirement period finally ends?
We’ve switched to Auth-Email.com for our own ageing MFPs, and I’m just hoping we won’t have to switch again when basic SMTP AUTH goes away.
This refers to the SMTP AUTH client suvmission protocol which allows client applications to submit SMTP messages to Exchange Online for processing. Basic authentication refers to using usernames and passwords as credentials for authentication. If you’ve switched to another SMTP service to process email sent by MFPs, you don’t need to worry about what Exchange Online does.