Microsoft announced updates regarding the deprecation of Basic Authentication (Basic Auth) for Exchange Online SMTP AUTH Client Submission. While the removal timeline has been refined, this change is a critical step to improve email security across Microsoft 365.
What’s Happening
Basic Authentication is a legacy method that sends usernames and passwords in plain text, making it vulnerable to credential theft, phishing, and brute force attacks. Microsoft is transitioning SMTP AUTH to OAuth as the supported authentication method.
Updated Timeline:
- Now to December 2026: SMTP AUTH Basic Auth remains unchanged.
- End of December 2026: Basic Auth will be disabled by default for existing tenants. Admins can enable it temporarily if needed.
- New tenants after December 2026: Basic Auth will be unavailable; OAuth will be required.
- Second half of 2027: Microsoft will announce the final removal date for Basic Auth on SMTP AUTH.
How This Affects Your Organization
- Applications and devices using Basic Auth to send emails to Exchange Online will need to switch to OAuth once Basic Auth is fully retired.
- The SMTP AUTH Clients Submission Report in the Exchange Admin Center now shows which connections are using Basic Auth versus OAuth.
- If your client supports OAuth, begin migrating your IMAP, POP, or SMTP connections now.
For organizations that must continue using Basic Auth, alternatives include:
- Internal emails: Use Microsoft 365 High Volume Email.
- Hybrid Exchange setups: Authenticate via on-premises Exchange Server or configure a Receive connector for anonymous relay.
- Third-party solutions for sending email through Exchange Online while using Basic Auth.
What You Should Do Now
- Check your SMTP AUTH usage: Use the updated report in the Exchange Admin Center to see which accounts are still using Basic Auth.
- Migrate to OAuth where possible: Plan your transition for all supported clients and devices.
- Plan for exceptions: Identify use cases that still require Basic Auth and consider alternatives.
- Communicate with your team: Inform IT staff and users about upcoming changes and potential disruptions.
Why This Matters
This change is about enhancing the security and reliability of your email service and protecting your data. Planning ahead will minimize disruption and ensure your organization is prepared when Basic Auth is fully retired.
Learn More: