Hi Volodymyr_Shapovalov and IanMcDonald
I suspect lack of device/application support is going to be the biggest nightmare we would encounter with OAuth2. Some vendors are not even aware that this is coming. It's not like there is some billboard out there that they drive past every day. I brought the issue up to TotalFBO (software used by aircraft maintenance companies) and they took it to their development team, so they might incorporate this in the future.
SMTP relay will work if you have static IP addresses for your hundreds of customers. We have over 600, most with static but some using dynamic. If you have static, you will have to delist your address from the Spamhaus PBL annually.
Direct send will have the same PBL issue as relay as the sent email is not authenticated. I really don't see any benefit of Direct Send other than not having to use TLS. Direct Send is limited to internal addresses only, but that doesn't affect most of our customers as most are internal only anyway. They just want to scan to their mailbox. Scan to SharePoint is sometimes possible, but SMB scanning can be finicky. FTP/SFTP is so much more stable but not offered by SharePoint.
We have started pushing all of our customers to Conditional Access so we have the ability to turn off security defaults and enable SMTP Auth if desired. But it's a process and we cannot do them all at once. And since it's a mailbox, the sent email will accumulate and might be an issue for compliance/legal. So might not be a good idea.
OAuth2 support is available from some of the large printer manufacturers as firmware updates. Not from HP, but that's expected; from them you have to buy a new model to get OAuth2. Canon, Ricoh, and others will have options for some of their equipment.
OAuth2 will have a token one will have to renew on a regular basis, which is going to be work to keep track of and change out every interval. Imagine doing that 600 times every 2 years (the maximum you can set it to). Maybe it can be renewed with a PowerShell script, but it still needs to be manually updated on the device/app.
I encountered an SMTP-to-OAuth2 proxy/gateway app on GitHub. Might be a solution for some as long as you don't mind renewing all those tokens on a regular basis. https://github.com/simonrob/email-oauth2-proxy
I think the best solution is to skip Microsoft altogether and just use a third party like AuthSMTP, SMTP2Go, etc. It's inexpensive, but it is one more thing to bill to the customer, so a little extra work, but not the hassle this has become.
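The annual PBL delisting mentioned above is easy to forget across hundreds of customer egress IPs. The following is an added example (not code from the poster or from Spamhaus) that checks a relay IP against the Spamhaus ZEN zone, which aggregates the PBL, using the standard DNSBL reversed-octet lookup. It assumes Windows PowerShell with the DnsClient module (`Resolve-DnsName`), an IPv4 address, and a resolver that is not a public one (Spamhaus answers 127.255.255.254 when queried through open resolvers such as 8.8.8.8). The return-code mapping is the one Spamhaus publishes for ZEN; the sample address in the usage note is the documented always-listed test entry.

```powershell
# Added example (not from the original post): query Spamhaus ZEN for an IPv4 relay address
# and report which zones (SBL, XBL, PBL) list it. Requires the DnsClient module and a
# non-public DNS resolver; public resolvers get a 127.255.255.x error code instead of an answer.
function Test-SpamhausListing {
    param([Parameter(Mandatory)][string]$IPAddress)

    # Only IPv4 is handled here; IPv6 lookups use a different (nibble) encoding.
    if ($IPAddress -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { throw "IPv4 address expected: $IPAddress" }

    # DNSBL convention: reverse the octets and append the zone name (1.2.3.4 -> 4.3.2.1.zen...).
    $reversed = ($IPAddress.Split('.')[3..0]) -join '.'
    $query    = "$reversed.zen.spamhaus.org"

    # NXDOMAIN (not listed) surfaces as no answer; suppress the error and treat it as clean.
    $answers = @(Resolve-DnsName -Name $query -Type A -DnsOnly -ErrorAction SilentlyContinue |
                 Where-Object { $_.IPAddress } | Select-Object -ExpandProperty IPAddress)

    # Return codes published by Spamhaus for the ZEN zone.
    $zones = foreach ($a in $answers) {
        switch -Regex ($a) {
            '^127\.0\.0\.[23]$'    { 'SBL' }
            '^127\.0\.0\.[4-7]$'   { 'XBL' }
            '^127\.0\.0\.9$'       { 'SBL-DROP' }
            '^127\.0\.0\.1[01]$'   { 'PBL' }
            '^127\.255\.255\.'     { 'QUERY-ERROR' }   # 252 typo, 254 open resolver, 255 rate limited
            default                { "UNKNOWN($a)" }
        }
    }

    $real = @($zones | Where-Object { $_ -ne 'QUERY-ERROR' -and $_ -notlike 'UNKNOWN*' })
    [pscustomobject]@{
        IPAddress = $IPAddress
        Listed    = $real.Count -gt 0
        Zones     = ($zones | Sort-Object -Unique) -join ','
        Note      = if ($zones -contains 'PBL') {
                        'PBL: dynamic/end-user range; request removal at spamhaus.org/pbl and re-check before it expires'
                    } elseif ($zones -contains 'QUERY-ERROR') {
                        'Lookup rejected: use a non-public resolver or a Spamhaus DQS key'
                    } else { '' }
    }
}

# Usage across a fleet: feed the customers' static egress IPs (list is a placeholder).
$relayIps = @('127.0.0.2')   # 127.0.0.2 is the Spamhaus test entry and is listed in every zone
$relayIps | ForEach-Object { Test-SpamhausListing -IPAddress $_ } | Format-Table -AutoSize
```

Run it with `127.0.0.2` first to confirm the lookup path works (it should come back listed in SBL, XBL and PBL); a customer IP that returns `Listed = False` is clean, and one that returns only `PBL` is the annual-delisting case the post describes rather than an actual spam listing.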
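On the token-renewal point: for a scanner or application that sends via OAuth2 client credentials, what expires is the client secret on the app registration, and the "PowerShell script" side of it is an audit plus rotation. The following is an added example (not code from the poster, Microsoft, or any printer vendor) using the Microsoft Graph PowerShell SDK. It assumes the `Microsoft.Graph.Applications` module, an account granted `Application.ReadWrite.All`, that each customer is a separate tenant (the `$tenants` list is a placeholder), and that the scanner app registrations share a recognisable display-name pattern (the `*SMTP*` filter is an assumption). It does not touch the device itself; the new secret still has to be pasted into the scanner or app by hand, as the post says.

```powershell
# Added example (not from the original post): report client secrets nearing expiry on the
# app registrations used for OAuth2 mail sending, add a replacement secret, and retire the
# old one only after the device has been updated. Requires Microsoft.Graph.Applications and
# Application.ReadWrite.All. Name filter and tenant list below are placeholders.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications

function Get-ExpiringAppSecret {
    param(
        [int]$WithinDays = 60,
        [string]$NameFilter = '*SMTP*'      # assumption: scanner app registrations are named consistently
    )
    $nowUtc = (Get-Date).ToUniversalTime()
    $cutoff = $nowUtc.AddDays($WithinDays)
    foreach ($app in Get-MgApplication -All -Property Id,AppId,DisplayName,PasswordCredentials) {
        if ($app.DisplayName -notlike $NameFilter) { continue }
        foreach ($cred in $app.PasswordCredentials) {
            # Secrets with no end date are skipped; everything else inside the window is reported.
            if ($cred.EndDateTime -and $cred.EndDateTime -le $cutoff) {
                [pscustomobject]@{
                    AppName  = $app.DisplayName
                    AppId    = $app.AppId
                    ObjectId = $app.Id          # the directory object id, which the *-MgApplicationPassword cmdlets take
                    KeyId    = $cred.KeyId
                    Expires  = $cred.EndDateTime
                    Expired  = $cred.EndDateTime -lt $nowUtc
                }
            }
        }
    }
}

function New-RotatedAppSecret {
    # Adds a fresh secret and returns its value once (Graph never shows it again).
    # The old secret is deliberately left in place so the device keeps sending until
    # the new value has been entered on it; remove the old one afterwards.
    param([Parameter(Mandatory)][string]$ObjectId, [int]$Months = 24)   # 24 months matches the post's 2-year interval
    $cred = @{
        DisplayName = "rotated $(Get-Date -Format 'yyyy-MM-dd')"
        EndDateTime = (Get-Date).AddMonths($Months)
    }
    $new = Add-MgApplicationPassword -ApplicationId $ObjectId -PasswordCredential $cred
    [pscustomobject]@{
        ObjectId   = $ObjectId
        KeyId      = $new.KeyId
        SecretText = $new.SecretText   # paste this into the scanner/app, then store it in your password vault
        Expires    = $new.EndDateTime
    }
}

function Remove-OldAppSecret {
    # Call this only after confirming the device sends successfully with the new secret.
    param([Parameter(Mandatory)][string]$ObjectId, [Parameter(Mandatory)][string]$KeyId)
    Remove-MgApplicationPassword -ApplicationId $ObjectId -KeyId $KeyId
}

# Per-customer sweep: one Graph sign-in per tenant (placeholder tenant names).
$tenants = @('contoso.onmicrosoft.com', 'fabrikam.onmicrosoft.com')
foreach ($t in $tenants) {
    Connect-MgGraph -TenantId $t -Scopes 'Application.ReadWrite.All' -NoWelcome
    Write-Host "== $t =="
    Get-ExpiringAppSecret -WithinDays 60 | Format-Table AppName, KeyId, Expires, Expired -AutoSize
    Disconnect-MgGraph | Out-Null
}
```

The audit part is read-only and safe to schedule; the rotation is split into `New-RotatedAppSecret` (old and new secrets valid at the same time) and `Remove-OldAppSecret` precisely because the device update in between is the manual step, so a scanner is never left with a dead credential. Note that this example adds an Entra client secret rather than renewing a token; an access token issued with that secret is short-lived and the device or proxy refreshes it on its own.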