Updated Exchange Online SMTP AUTH Basic Authentication Deprecation Timeline

Hi,

Could you please confirm the exact end date for SMTP AUTH Basic Authentication march 1st 2026 or December? We would like to ensure we plan and complete the necessary changes within our organization before the deadline.

Thanks for the update. I wish you'd send notifications as well as posting here!

We're in the process of switching to Auth-Email so that we can keep on using basic auth even after the deadline. Good to hear there will be a bit more time though.

This delay is hugely beneficial for my business as well... we are struggling due to a number of employees who are regulated by export control to use Exchange On-Premises as we face higher challenges of adopting Gov Cloud.

It would be extremely helpful if the Exchange team could:

1. Work with Google to figure out why Exchange On-Prem mailboxes can't use modern authentication with the Gmail app. That would at least give us an alternative to Outlook which is known to violate the export control regulations due to Exchange Online data caching.
   
   
2. Enable some mechanism to tag Export Control mailboxes on Exchange Online to restrict data caching in the first place without having to do Gov Cloud... I know, I know... wishful thinking since there's the marketing bit around pushing Gov Cloud.

Even with the delay, I don't think complete deprecation of basic SMTPAUTH auth is the best choice if it's pushing users towards poorer choices, which it does in my opinion.  For small businesses I see 3 options that don't involve signing up with an additional mail provider that supports SMTPAUTH (PLAIN):

1. Replace perfectly good devices that rely on SMTPAUTH (PLAIN).
2. Use a 3rd party service that accepts mail via SMTP using SMTPAUTH (PLAIN) and relays that mail using OAUTH.  This eliminates the primary benefit of OAUTH which is token validation without needing to store the authentication secret in a reversible format like SMTPAUTH (PLAIN) does.  However, instead of having reversible (aka plain text) secrets managed by Microsoft, people opting for this will have their authentication secrets stored in plain text by a 3rd party.  Right?
3. Use Azure Communication Services Email.  This adds complexity [1] and ultimately gives users more downsides.  Unless I'm mistaken, that link is explaining how to set up SMTPAUTH (PLAIN), but calling the password a secret.  Assuming that's correct, how is that a better option for my security?  Instead of a simple user you're going to have people trying to fumble their way through setting up an Entra App.  Even worse, for the user, they're going to have to attach a credit card to Azure which many small businesses don't need (or want).

I realize that option 3 will have a narrower scope in terms of what the user can do, and rate limits if you configure them, but that comes down to a choice by Microsoft.  Basic SMTPAUTH could have an app password that's scoped down to sending email.  In fact, for small business users, there are advantages to sending that mail from a monitored account that has an inbox since it makes it easier to discover a compromised account that's sending phishing emails (ie: no inbox rules with proper scoping means users see replies immediately).

Notice how those linked instructions in option #3 don't describe a solution for setting a reply-to address?  That's a little more complexity, if your device even supports the proper format, and you very quickly end up with option #2 above being the path of least resistance.  If that becomes popular enough, you run the risk of 3rd parties building misconfigured OATUH apps.  The Synology incident last year is a good example [2].

What you're doing here is shifting responsibility and liability.  Instead of giving customers a simple solution to continue using basic SMTPAUTH, like an app password and rate limits, you deprecate it from one product (MS365), but are going to leave it as an option in another (Azure) more complex product with a (proverbial) warning label.  People might opt for that and be worse off for it.

For small businesses that don't have a MSP, this is what would work better IMO:

1. Make basic SMTPAUTH an addon product with warnings about using it and an additional monthly cost.  Charge 2x a Business Basic subscription to penalize it's use if you need to.
2. Add an app password for basic SMTPAUTH that's narrowly scoped to sending mail.
3. Maybe add rate limits.  For something like scan to email, no one needs to send bulk mail.

Small businesses are cost conscious.  If you can add to the 5-year cost of a device that doesn't include OAUTH capability, that'll have an impact on their next purchase.

I know it's unlikely any work will be done to improve the existing product when deprecation is a funnel towards Azure services, but, in my opinion, we'd get better security in the short term if Microsoft hardened the usage around basic SMTPAUTH instead of shutting it off and leaving people with band-aid solutions.

1. https://learn.microsoft.com/en-us/azure/communication-services/quickstarts/email/send-email-smtp/smtp-authentication

2. https://modzero.com/en/blog/when-backups-open-backdoors-synology-active-backup-m365/

We just had a firmware update applied to a Konica Bizhub 650i.  I am using OAuth2 to send emails from the copier to a valid Microsoft 365 user email address that has a license.  The endpoint configured on the Konica is smtp.office365.com.  On the SMTP AUTH report from Exchange 365, it shows "Messages sent using SMTP AUTH" and authentication protocol "Modern Authentication" with 100% using TLS 1.3.  Is this still going to be deprecated since it is using SMTP AUTH but has modern authentication with OAUTH2?  If so, I'm not sure where to go from here since it is getting and using token access and OAUTH2.

Maybe now you guys can tighten up the Tech doc for Azure Comm Service setup, and also add some decent documentation on using OAuth 2.0 in Business Central.

New tenants created after December 2026: SMTP AUTH Basic Authentication will be unavailable by default. OAuth will be the supported authentication method.

To clarify, whilst SMTP Basic Authentication will be unavailable by default, will it be possible to enable for new tenants  after December 2026? (Before its removed for all customers at a later time)

This is a good news. For a large companies relying on exchange online using SMTP, this will be a huge change as each and every system is impacted which sends an email. Missing a few will cause a big interruptions. I would recommend those working on this changes to continue with it and get over it while at it.

I'm working with some customers who will be glad that this deadline has been delayed, there's a lot of legacy cleanup going on with Exchange (Server) related to al sorts of things. Giving more time will help those orgs deal with all of those changes in a more relaxed way. Yes, some things should've been fixed months or years back, but every experienced IT specialist knows how it goes. 

The only "irritation" I have is that this is the third time something got changed by the Exchange Team HOURS before an important meeting on breaking changes deadlines. COME ON! 😁

For tenants created after December 2026, is it still possible to enable SMTP AUTH Basic Authentication?