1 min read

Exchange online to retire basic authentication for SMTP AUTH

Picture of Jim Burns Jim Burns : Mar 21, 2026 10:30:58 AM

M365 Security

Microsoft announced updates regarding the deprecation of Basic Authentication (Basic Auth) for Exchange Online SMTP AUTH Client Submission. While the removal timeline has been refined, this change is a critical step to improve email security across Microsoft 365.

What’s Happening

Basic Authentication is a legacy method that sends usernames and passwords in plain text, making it vulnerable to credential theft, phishing, and brute force attacks. Microsoft is transitioning SMTP AUTH to OAuth as the supported authentication method.

Updated Timeline:
  • Now to December 2026: SMTP AUTH Basic Auth remains unchanged.
  • End of December 2026: Basic Auth will be disabled by default for existing tenants. Admins can enable it temporarily if needed.
  • New tenants after December 2026: Basic Auth will be unavailable; OAuth will be required.
  • Second half of 2027: Microsoft will announce the final removal date for Basic Auth on SMTP AUTH.
How This Affects Your Organization
  • Applications and devices using Basic Auth to send emails to Exchange Online will need to switch to OAuth once Basic Auth is fully retired.
  • The SMTP AUTH Clients Submission Report in the Exchange Admin Center now shows which connections are using Basic Auth versus OAuth.
  • If your client supports OAuth, begin migrating your IMAP, POP, or SMTP connections now.
For organizations that must continue using Basic Auth, alternatives include:
  • Internal emails: Use Microsoft 365 High Volume Email. 
  • Hybrid Exchange setups: Authenticate via on-premises Exchange Server or configure a Receive connector for anonymous relay. 
  • Third-party solutions for sending email through Exchange Online while using Basic Auth.
What You Should Do Now
  1. Check your SMTP AUTH usage: Use the updated report in the Exchange Admin Center to see which accounts are still using Basic Auth.
  2. Migrate to OAuth where possible: Plan your transition for all supported clients and devices.
  3. Plan for exceptions: Identify use cases that still require Basic Auth and consider alternatives.
  4. Communicate with your team: Inform IT staff and users about upcoming changes and potential disruptions.
Why This Matters

This change is about enhancing the security and reliability of your email service and protecting your data. Planning ahead will minimize disruption and ensure your organization is prepared when Basic Auth is fully retired.

Learn More:

Authenticate an IMAP, POP or SMTP connection using OAuth

 

Simplify, Streamline, and Stay Connected: What’s New in Microsoft Teams

Picture of Jim Burns Jim Burns : Jul 12, 2025 11:30:51 AM

When your day is full of meetings, messages, and moving priorities, even small inefficiencies in your digital workspace can add up. The latest...

Teams M365
Read More

Information Protection: Keep the Most Vital Information Safe

Picture of Jim Burns Jim Burns : Aug 9, 2025 10:12:53 AM

Every day, businesses create, share, and store vast amounts of sensitive data, making protection more important than ever. Organizations face...

Insights M365
Read More

How to Make Microsoft Planner Premium Actually Work for Your Team

Picture of Jim Burns Jim Burns : Sep 12, 2025 10:19:36 AM

Microsoft Planner Premium isn’t just another productivity app you add to your stack and forget about. Done right, it can become the central hub for...

M365 Microsoft Planner Premium Productivity
Read More