[German]I'm adding a topic to the blog that was announced by Microsoft back in April 2024, but hasn't yet received too much attention. A reader had already pointed this out to me some time ago. Microsoft will finally discontinue support for basic authentication with client submission (SMTP AUTH) in Exchange Online in September 2025. So anyone who uses this feature still has a year to react.
Blog reader Florian R. had already contacted me in mid-April 2024 in an email with the subject "smtp auth / office 365" and noted "I am surprised that there is no article about this". At the same time, he sent me a link to the Techcommunity article Exchange Online to retire Basic auth for Client Submission (SMTP AUTH) from April 15, 2024, in which Microsoft announces the end of basic authentication for client submission (SMTP AUTH).
End of support in Sept. 2025
Microsoft will permanently remove support for Basic Authentication with Client Transmission (SMTP AUTH) in Exchange Online in September 2025. After this date, applications and devices will no longer be able to use Basic Auth as an authentication method. Applications and devices must use OAuth from this date at the latest if they use SMTP AUTH to send emails.
Microsoft writes that it began a multi-year process to deactivate Basic Auth in Exchange Online back in 2019. This process was completed at the end of 2022, with Client Submission (SMTP AUTH) being the only exception. Microsoft will now remove Basic Auth from Client Submission.
The background to this step: Basic Auth is an outdated authentication method that sends usernames and passwords in plain text over the network. This makes it vulnerable to credential theft, phishing and brute force attacks. To improve the protection of our customers and their data, we will phase out Basic Auth from Client Submission (SMTP AUTH) and encourage our customers to use modern and more secure authentication methods.
Roadmap for the changeover
Microsoft is preparing the shutdown in several steps so that administrators can react to this change. Here is the roadmap for the transition.
- In September 2024, the SMTP AUTH report for client delivery will be updated in the Exchange Administration Center. It will then show whether Basic Auth or OAuth is used to send emails to Exchange Online.
- In January 2025, Microsoft plans to send a Message Center post to tenants using Basic Auth with Client Submission (SMTP AUTH). The post will indicate the upcoming change.
- In August 2025, about 30 days before the deactivation of Basic Authentication, Microsoft will send another Message Center post to tenants who still use Basic Authentication with Client Submission (SMTP AUTH).
In September 2025, support for Basic Auth with Client Submission (SMTP AUTH) endpoints will end:
- smtp.office365.com
- smtp-legacy.office365.com
As soon as Basic auth is permanently deactivated, all clients or applications that establish a connection via Basic auth with Client Submission (SMTP AUTH) receive this response:
550 5.7.30 Basic authentication is not supported for Client Submission.
Microsoft provides a reference to the document Authenticate an IMAP, POP or SMTP connection using Authenticate an IMAP, POP or SMTP connection using OAuth. Customers who still need to use Basic Auth with Client Submission (SMTP AUTH) can find information on alternatives in the article EExchange Online to retire Basic auth for Client Submission (SMTP AUTH). The support document contains further details, e.g. for customers who have a high volume of emails.