Exchange Online to retire Basic auth for Client Submission (SMTP AUTH)
Published Apr 15 2024 10:21 AM 43K Views

Today, we are announcing that Exchange Online will permanently remove support for Basic authentication with Client Submission (SMTP AUTH) in September 2025. After this time, applications and devices will no longer be able to use Basic auth as an authentication method and must use OAuth when using SMTP AUTH to send email.

In 2019, Exchange Online began a multi-year effort to disable Basic auth. This process completed in late 2022, with Client Submission (SMTP AUTH) being the only exception. We are now removing Basic auth from Client Submission.

Basic auth is a legacy authentication method that sends usernames and passwords in plain text over the network. This makes it vulnerable to credential theft, phishing, and brute force attacks. To improve the protection of our customers and their data, we are retiring Basic auth from Client Submission (SMTP AUTH) and encouraging customers to use modern authentication methods that are more secure.

How will this change happen

In September 2024, we will update the SMTP AUTH Clients Submission Report in the Exchange admin center to show if Basic auth or OAuth is being used to submit email to Exchange Online. In January 2025, we will send a Message Center post to tenants who are using Basic auth with Client Submission (SMTP AUTH) to alert them to the upcoming change. In August 2025, about 30 days before we disable Basic auth we will send another Message Center post to tenants who are still using Basic auth with Client Submission (SMTP AUTH).

During September 2025, we will remove support for Basic auth with the Client Submission (SMTP AUTH) endpoints:

smtp.office365.com
smtp-legacy.office365.com 

Once Basic auth is permanently disabled, any clients or apps connecting using Basic auth with Client Submission (SMTP AUTH) will receive this response:

550 5.7.30 Basic authentication is not supported for Client Submission.

What do I need to do if I can use OAuth with Client Submission (SMTP AUTH)?

If your client supports OAuth, follow these steps:

What are the alternatives for customers who want to continue using Basic auth with Client Submission (SMTP AUTH)?

If you are a customer who must use Basic auth with Client Submission (SMTP AUTH), you will need to switch to one of the following alternatives before September 2025:

  • If you are using Basic auth with Client Submission (SMTP AUTH) to send emails to recipients internal to your tenant, you can use High Volume Email for Microsoft 365.
  • If you are using Basic auth with Client Submission (SMTP AUTH) to send emails to recipients internal and external to your tenant, you can use Azure Communication Services Email.
  • If you have an Exchange Server on-premises in a hybrid configuration, you can use Basic auth to authenticate with the Exchange Server on-premises or configure the Exchange Server on-premises with a Receive connector that Allow anonymous relay on Exchange servers | Microsoft Learn

Regardless of the volume of email, if you must use Basic auth to send email with Exchange Online, then you must use High Volume Email for Microsoft 365, Azure Communication Services for Email, or an Exchange Server on-premises in a hybrid configuration.

How to onboard to High Volume Email

High Volume Email for Microsoft 365 is a new service designed primarily for line of business applications and other high-volume SMTP Auth submissions that enables you to reliably send internal messages within Exchange Online at high volume. Customers using on-premises servers in an Exchange hybrid configuration to send a large volume of internal messages can use this service instead and decommission their on-premises servers. HVE is in Public Preview currently.

You can find detailed onboarding instructions at Manage high volume emails for Microsoft 365 in Exchange Online Public preview.

How to onboard to Azure Communication Services for Email

Azure Communication Services for Email offers businesses a centralized platform that lets them manage outgoing emails for all B2C communications and get insights into email traffic. You can use the SMTP support in Azure Communication Services to send emails easily and have more control over outgoing communications.

You can find detailed onboarding instructions at Email SMTP as service overview in Azure Communication Services.

Frequently Asked Questions

Why are you making this change?
We’re making this change to strengthen the protection of our service and your data from the increasing risks associated with Basic auth. The reasons to do this are many.

Wait! I still need to use Basic auth; how can I get it re-enabled in my tenant once it gets disabled in September 2025?
You will not be able to do this because Basic auth will be permanently disabled. Don’t waste your time engaging Support, as they cannot re-enable Basic auth for you.

What about an exception?! 
We cannot offer any exceptions; Basic auth will be permanently disabled. Please do not reach out to Support either, as they cannot grant an exception for you to use Basic auth.

Where can I read more about this?
Our official documentation is at Deprecation of Basic authentication in Exchange Online.

Summary

The only remediation for this is to update your client or app to support OAuth, use a different client or app that supports OAuth, or use a different email solution such as High Volume Email or Azure Communication Services for Email.

We understand that this change requires some adjustments, but we believe that this is a necessary step to enhance the security and reliability of our email service and your data.

Thank you for helping make Exchange Online more secure!

Exchange Online Transport Team

16 Comments
Co-Authors
Version history
Last update:
‎Apr 15 2024 10:21 AM
Updated by: