Securing Authenticated SMTP in Exchange Online

Published 04-09-2020 09:00 AM 35.7K Views

The SMTP AUTH protocol is used to submit millions of emails every day. The majority of the clients connecting to Exchange Online like this are devices such as multi-function printers or some piece of software that send automated emails. Email clients such as Outlook rarely use this protocol anymore and instead make use of other protocols secured with Modern Authentication (OAuth).

SMTP AUTH (also known as authenticated SMTP client submission) is a legacy internet protocol which does not support OAuth by design. All clients have ever needed to send messages was a username and password, and these credentials are all too often obtained and used by attackers. As we have previously indicated we are working on adding support for OAuth with SMTP AUTH, but we also know that many clients have yet to add support for OAuth. For that reason Basic Authentication will need to be supported in Exchange Online for the foreseeable future, though it is still very wise to turn off SMTP AUTH in Office 365 tenants when possible.

We previously added a setting to make it possible for tenants to disable SMTP AUTH for their entire organization. Additionally, we ensured that each mailbox has a setting to override the tenant setting and enable SMTP AUTH. These two settings will provide administrators with the granularity required to allow most mailboxes to have SMTP AUTH disabled, and a few select mailboxes to have it enabled. You can find out more about these settings here.

To reduce what attackers can do with compromised user credentials, we are also taking steps to disable SMTP AUTH by default in Exchange Online. Firstly we have already started rolling out a change to disable it for new Office 365 tenants. This means Exchange administrators of newly created tenants will need to enable SMTP AUTH for any mailbox that requires it, using the per-mailbox setting we provide.

The next step will be to disable SMTP AUTH for existing tenants who do not make use of the SMTP AUTH protocol for sending any messages. Affected customers will receive targeted Message Center posts if they are affected by this in the next few months. Finally, the last group of customers are those who have some mailboxes using SMTP AUTH. We will work to have the disable setting for their tenant set while enabling the mailbox setting to continue their usage of SMTP AUTH. There is no ETA yet for this work.

Exchange administrators are free to take proactive steps to disable SMTP AUTH for all mailboxes that do not require it. Customers with on-premises Exchange servers can also disable SMTP AUTH for all their hosted mailboxes and, instead, only allow sending using SMTP AUTH for those on-premises servers when the device or client is on their own network. This blocks attackers on the internet from trying to use Exchange Online to send from one of your hosted mailboxes. 

Note: New tenant administrators should note that Security Defaults may also be turned on for their organization. This policy enforces a higher default security configuration and includes enforcing multi-factor authentication and disabling basic authentication for the entire tenant. As it does not allow exceptions, it is not an option for organizations that need to use SMTP AUTH for a few mailboxes. You can find out more about Security Defaults and how to disable it, if necessary, here.

We hope you found this update useful, please feel free to leave comments and feedback below.

Sean Stevenson

Frequent Contributor

@The_Exchange_Team Thanks for clarifying this plan. We hope that all our devices and apps using SMTP AUTH today will add support OAuth with SMTP AUTH.


However, we do see many old devices and apps that probably never get support for anything else than just SMTP AUTH. Is the plan long term (1-5 years?) to completely turn off SMTP AUTH for all mailboxes (even our exceptions)? Just trying to check if we need to start planning to spinning up our own on-premises SMTP gatways on our local network for these old legacy devices and apps.

Occasional Contributor

Funnily enough even though its highly used, its the recommended approach - obviously given the third party application or device allows it.
The approach to introduce Modern Auth for SMTP Client submission will be - its more or less if the third party systems will allow it.

Senior Member

Thanks for clarifying that there is a per-mailbox setting available for smtp legacy auth, I can't remember having seen that in the umpteen change notification email that Office 365 has been sending out. This makes it reasonable to turn it off, but still allow firewalls, scanners and whatnot to send email.


A couple of suggestions on things you could provide to make it easier for administrators to improve security:

- Provide a way to disallow login on device accounts, and only allow app passwords for smtp authentication. An administrator should be able to create a new app password without logging in as the device account.


- Provide an installable smtp proxy that accepts lan smtp and sends them out to Office 365 using OAuth. As a docker container or similar. 

With another option for securing the tenant, by creating authentication policies (1 which blocks basic auth for SMTP and 1 which allows basic auth for SMTP), assigning the general user population the block auth policy and the exception users the allow auth policy, how does the disabling SMTP auth in the transport config, with per mailbox exceptions, differ and does it achieve the same outcome? (Basic Auth limited).


@Jonas Back There are no plans to turn it off any time soon, and our hands are tied until usage dramatically decreases.


@Fredrik Forséll  Good suggestions. We'll keep those in mind.


@Matthew Levy It does achieve the same outcome.

Occasional Contributor

If we disable this at the org level, does that affect on-prem mailboxes?  Currently, all of our users are in Exchange Online, but we have a small on-prem footprint for some service mailboxes etc. where apps are configured to use SMTP/IMAP to send and retrieve mail.  


Also, in the scenario where an MFP allows users to scan to email, would we need to keep SMTP AUTH enabled on all user mailboxes, or just the mailbox used by the MFP device as the sender address?

Occasional Contributor

Actually, I should clarify that the MFP devices mentioned are configured to use an on-prem Exchange Server receive connector.

Senior Member

Is it possible for an Administrator to enable SMTP only for OAUTH2 in Office365 but leave it disabled for AUTH (basic authentication) protocols? If so, how? I am happy to provide more information and clarify as needed. Also, if there is a better, more appropriate forum to post in, please let me know. Thanks!


Version history
Last update:
‎Apr 14 2020 02:27 PM
Updated by: