Forum Discussion
Send Mail (SMTP) through Office 365 with MFA
When using Option 1, MFA has everything to do with it. Option 1 requires authentication to work and I have since been able to confirm from Microsoft that Option 1 will not work when MFA is enabled.
Option 2 will not work in our environment, as the emails generated will often be sent externally. Option 2 (Direct Send) will only send to internal O365 recipients.
Option 3 is still in question. We already have send connectors in-place due to our hybrid configuration. Still waiting on a response from Microsoft if we can modify these settings to allow relay but without causing issues with our Hybrid. We will eventually move away from this and our internal mail server which is why we are not deploying new services that point to our internal mail server.
Therefore for #1 you would need to login with the actual From address and not another account, but then MFA would impact you. This is why I did not suggest you try Option #1 and only either #2 or #3.
For either of these, it does not matter if the recipient is internal or external. This is regardless what it says in the support article under Direct Send about it being for internal mailboxes only (see the other scenarios text where it talks about using Direct Send for mailing lists - which are external by their nature).
As for #3, you realise when you say "We will eventually move away from this and our internal mail server which is why we are not deploying new services that point to our internal mail server. " that with hybrid you will never move away from this scenario. With hybrid you need to maintain an on-premises Exchange Server for cloud mailbox management as you are doing AD Sync. Given that you have an on-premises server, you would use that as your apps and devices SMTP relay device as well. Microsoft have said they are working on improving the management experience with hybrid at Ignite last year, but that does not cover the need for SMTP relay scenarios like you describe.
- Jeff Harlow, Feb 28, 2018, Iron Contributor
The reason I mention we are moving away from the Hybrid solution is that we are moving away from having everything on-premise and to AzureAD and Azure VMs. Our current setup does point to our on-premise Exchange server; however, we plan to phase that out as we consolidate solutions, move to Azure VM and migrate to Office 365 SharePoint. The goal is to be moved off of our on-premise servers by end of the year, which is why I do not want to point any new projects to our On-premise Exchange server. We do not plan on maintaining an on-premise AD, which is the only reason to keep running in a Hybrid scenario.
The error message I originally included was when I was assigning the non-MFA account to our SMTP configuration and sending using an MFA account. Since Option 1 does not work with MFA accounts, that is where I am running into an issue.
- Brian Reid, Feb 28, 2018, MVP
Yes, which is why I said options 2 or 3, and both will work for you even if your Exchange hybrid role server is in Azure.
By the way, if they don't plan on maintaining an on-premises AD, what are the users going to login to? Unless you are going cloud accounts completely and turning off AD, you still need local domain controllers to the users for efficient login.
- Jeff Harlow, Feb 28, 2018, Iron Contributor
Per Microsoft's article that I originally included, Option 2 will not work for sending emails to external users (live.com, gmail.com, etc.).
As far as what users will be logging into; Azure AD.