Last October I said on this thread “I assume you want to enable SMTP OIDC authentication and OAuth2 authorisation but block Basic (userid and password) Authentication. At present you cannot, because the enable/disable of SMTP AUTH is at the protocol level and not by authentication method.” – which was a quote from MSFT.
A couple of days later in the same thread I commented:
“SMTP AUTH” is often assumed to be synonymous with “SMTP with Basic Authentication” but it isn’t. SMTP AUTH (RFC 4954) in particular does not specify an authentication method but merely provides a simple protocol (SASL) bolted on to SMTP for incorporating such a method. So any enable/disable setting switch entitled ‘SMTP AUTH’ must either also specify an associated authentication method or be assumed to apply to all methods (hence ‘blocked at the protocol level’).
(IMAP4 RFC 1730 includes its equivalent of SASL, but there is a separate standard, IMAP AUTH RFC 1731, defining several possible authentication protocols, to which we must now add OIDC/OAuth2).
MSFT do themselves no favours (and confuse poor Admins) when using the phrases ‘Authenticated SMTP’ or ‘SMTP AUTH’, which have been taken to mean variously:
- SMTP with Basic Authentication
- SMTP with Authentication that is either Basic or OAuth2
- SMTP as a protocol
- the authentication protocol used by SMTP
Vide:
Admin Centre / Active Users / [Select user] / Mail tab / Manage email apps
simply has ‘Authenticated SMTP’ in the list
Exchange Admin Centre / Mailboxes / [Select mailbox] / Manage email app settings
does not show SMTP at all
Microsoft 365 Admin Centre / Settings / Org Settings / Modern Authentication
with TWO relevant settings:
‘Turn on modern authentication for Outlook 2013 for Windows and later’
[which is unspecific about clients other than Windows Outlook, since the page title is simply Modern Authentication!]
and
‘Allow access to basic authentication protocols’
which inter alia lists Authenticated SMTP
MSFT have made significant changes in the last six months, and what you want to do is entirely possible. We do it ourselves (based on the two documents noted in my last post), albeit using PowerShell for granular control over which email accounts get what type of authentication.
The easiest way to see what is possible is simply to set up a test email account, fire up PowerShell for Exchange Online, and try out the various options (beware again of switching on the broad-brush Security Defaults).
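An added example (not part of the post above, and not Microsoft's documentation) showing the two different switches the thread is talking about, as seen from Exchange Online PowerShell: the per-mailbox `SmtpClientAuthenticationDisabled` flag, which is the protocol-level switch (it blocks SMTP AUTH for every method, OAuth2 included), and an Exchange authentication policy with `AllowBasicAuthSmtp` left off, which blocks only Basic on SMTP and leaves OAuth2 alone. The mailbox address `test.user@example.com`, the policy name and the tenant are assumptions for the example; the cmdlets and parameter names are the standard Exchange Online ones.

```powershell
# Added example: per-mailbox control of SMTP AUTH in Exchange Online.
# Assumes the ExchangeOnlineManagement module is installed and you have an
# admin role that can run Set-CASMailbox / Set-User / New-AuthenticationPolicy.
# Mailbox and policy name below are placeholders, not real accounts.
$Mailbox    = 'test.user@example.com'
$PolicyName = 'Block Basic SMTP only'

Connect-ExchangeOnline

# 1. Protocol-level switch (the one the MSFT quote was about).
#    Tenant default and the per-mailbox override. $true here blocks SMTP AUTH
#    for ALL methods on that mailbox, Basic and OAuth2 alike.
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled
Get-CASMailbox -Identity $Mailbox | Select-Object SmtpClientAuthenticationDisabled

# Make sure SMTP AUTH as a protocol is allowed for the test mailbox
# ($false = not disabled), otherwise nothing below can work.
Set-CASMailbox -Identity $Mailbox -SmtpClientAuthenticationDisabled $false

# 2. Method-level switch: an authentication policy. A new policy blocks Basic
#    for every protocol by default; you only add -AllowBasicAuth<Protocol>
#    for the ones you want to keep. Leaving out -AllowBasicAuthSmtp therefore
#    blocks Basic on SMTP while OAuth2 (modern auth) continues to work.
if (-not (Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $PolicyName | Out-Null
}

# Assign the policy to just this user (granular control; the tenant default
# set via Set-OrganizationConfig -DefaultAuthenticationPolicy is untouched).
Set-User -Identity $Mailbox -AuthenticationPolicy $PolicyName

# 3. Verify what the mailbox ended up with.
Get-User -Identity $Mailbox | Select-Object UserPrincipalName, AuthenticationPolicy
Get-AuthenticationPolicy -Identity $PolicyName |
    Select-Object Name, AllowBasicAuthSmtp, AllowBasicAuthImap, AllowBasicAuthPop

Disconnect-ExchangeOnline -Confirm:$false
```

The check that matters after running this: a Basic (AUTH LOGIN / AUTH PLAIN) SMTP submission from the test account should now be refused, while an OAuth2 (XOAUTH2) submission should still succeed. Policy changes can take a while to propagate, so retest after some minutes rather than assuming the first refusal or acceptance is the final state.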