Microsoft Is Ending SMTP Basic Auth –
Prepare Now, Not Later
Microsoft has officially announced that SMTP authentication via username and password (Basic Auth) in Exchange Online will be disabled by end of 2026. Printers, scanners, ERP systems and other legacy applications that currently send via SMTP with a password will stop working after that deadline. There is time for an orderly migration — if you start today.
What is happening?
Microsoft has been phasing out legacy authentication methods in Exchange Online for several years. After other protocols such as IMAP, POP and EWS were affected by this change in 2022, SMTP AUTH now follows on its own, later timeline.
With SMTP Basic Auth, an application sends its username and password with every connection — only Base64-encoded, which offers no real protection. An attacker who obtains these credentials can silently send emails on behalf of the organisation. OAuth2 (Modern Authentication) solves this with short-lived tokens issued specifically for a single application.
Common confusion: In October 2022, Microsoft disabled Basic Auth for IMAP, POP, EWS and other protocols — but SMTP AUTH ran on a separate, later schedule. If you are already experiencing issues today, it is most likely because SMTP AUTH was manually disabled in your tenant's security settings, or a Conditional Access policy is blocking legacy auth.
The timeline
Microsoft has split the deprecation of SMTP AUTH Basic Auth into several phases:
For existing Exchange Online tenants, SMTP AUTH with Basic Auth continues to work — provided it is enabled in tenant settings and no Conditional Access policy blocks it.
2026
SMTP AUTH with Basic Auth will be disabled by default for all tenants. Administrators will still be able to re-enable it manually per tenant or mailbox — but this option is time-limited.
Microsoft will announce the exact date of the complete shutdown in H2 2027. After this date, no manual re-enabling will be possible — OAuth2 becomes the only option.
For newly created Microsoft 365 tenants, SMTP AUTH with Basic Auth is already unavailable today. Anyone setting up a new tenant must use OAuth2 from day one.
Why act now anyway? The deadline sounds comfortable — but in practice, migration takes longer than expected: Azure app registration, internal approvals, testing across all devices and applications, potentially ordering new hardware. Organisations that start early migrate in an orderly fashion. Those who wait until November 2026 migrate under pressure.
Which systems are affected?
Any application or device that sends email through Exchange Online via SMTP with a username and password is affected:
Printers & scanners
Multifunction devices with scan-to-email from Kyocera, Ricoh, Canon, Konica Minolta, HP, Xerox — typically without OAuth2 support in firmware.
ERP & business software
Sage, Lexware, Infor, older SAP installations, Microsoft Dynamics NAV (older versions), and many other systems sending invoices and order confirmations via SMTP.
Hotel software & PMS
Oracle Fidelio Suite 8, Opera, Protel, Sihot and other property management systems sending booking confirmations and invoices via SMTP.
Monitoring & backup
PRTG, Zabbix, Check_MK, Veeam, Backup Exec and similar tools that send alerts and reports via SMTP.
CRM & DMS
Document management systems and CRM software that send notifications, workflow emails and reports via SMTP.
Custom applications
In-house .NET, Python, PHP and PowerShell scripts and automations that use SMTP for email delivery.
What are the options?
Local SMTP relay on a Windows server
Recommended for legacy devicesA program on your Windows server accepts emails via plain SMTP without a password and forwards them to Microsoft 365 via OAuth2. Your devices and applications require no changes — you simply enter the server's IP address as the SMTP host instead of smtp.office365.com.
- No changes to printers, ERP or other systems
- Email content never leaves your network via a third-party server
- GDPR-friendly — ideal for healthcare, law firms, public authorities
- One-time cost, no subscription
Upgrade the device or software to OAuth2
If your device or software supports OAuth2 or a firmware update is available, you can switch directly to Modern Authentication without needing a relay.
Challenge: Many devices will never receive an update. Configuration is required per device. Often not possible for older multifunction printers.
IP-based SMTP relay via Exchange Online connector
Microsoft allows email delivery without authentication if the sender's IP address is whitelisted in an Exchange connector. No OAuth2 required.
Challenge: Requires a static, public IP address, access to the Exchange Admin Center, and careful configuration. Not suitable for dynamic IP addresses.
Cloud-based SMTP relay service
Third-party providers such as SendGrid or Mailjet accept emails via SMTP and forward them on. No server infrastructure required.
Challenge: Email content (invoices, contracts, patient data) passes through external servers. Monthly costs. Potentially problematic for privacy-sensitive industries.
Frequently asked questions
What is SMTP Basic Auth and why is Microsoft removing it?
SMTP Basic Auth is the method of authenticating with an SMTP server using a username and password. With every connection, the credentials are transmitted only Base64-encoded — which offers no real protection and can easily be intercepted.
Microsoft is removing this method because it does not support multi-factor authentication (MFA) and is vulnerable to password spraying and credential stuffing attacks. OAuth2 uses short-lived tokens issued for a specific application instead of transmitting the actual password.
When exactly is Microsoft disabling SMTP Basic Auth?
Microsoft is planning the shutdown in two phases:
- End of 2026: SMTP AUTH with Basic Auth will be disabled by default for existing tenants. Administrators can still re-enable it manually after that point.
- Second half of 2027: Microsoft will announce the final shutdown date. From then on, no manual re-enabling will be possible.
For newly created tenants, SMTP AUTH with Basic Auth is already unavailable today.
Why is my printer or ERP system already unable to send emails?
There are several possible causes, even though the final shutdown has not yet taken place:
- Tenant settings: Your administrator has manually disabled SMTP AUTH with Basic Auth for the tenant or the specific mailbox.
- Conditional Access: Security policies block legacy authentication without explicitly exempting SMTP AUTH.
- New tenant: For more recent Microsoft 365 tenants, SMTP Basic Auth is already not enabled by default.
- Confusion with 2022: The shutdown of other protocols (IMAP, POP, EWS) in October 2022 is sometimes incorrectly applied to SMTP AUTH.
Do I need to replace my printers, scanners or ERP software?
In most cases, no. Your devices and applications can continue sending via classic SMTP — just not with a password directly to Microsoft 365. With a local SMTP relay like SMTPly on your Windows server, almost nothing changes in your devices' configuration: you simply enter the Windows server's IP address as the SMTP host.
I have many devices from different manufacturers. Do I need to reconfigure each one?
With a central SMTP relay you configure the Windows server once. All devices and applications then connect to this single server — regardless of manufacturer or model. The change per device is limited to entering the new server IP address as the SMTP host, which typically takes a few minutes.
Does SMTPly work with my ERP, hotel system or industry-specific software?
Yes — SMTPly works with any software that can send email via SMTP. This includes Sage, Lexware, Infor, older SAP versions, Oracle Fidelio Suite 8, Opera, Protel, PRTG, Veeam and custom applications in .NET, Python, PHP or PowerShell.
Requirement: the software must support SMTP on port 25 or 587. No password authentication is required by SMTPly — it simply accepts open connections from your server's IP.
Is my email content safe when it goes through SMTPly?
Yes. SMTPly runs exclusively on your own Windows server. Email content travels directly from your server to Microsoft 365 — no third-party server is in between. OAuth2 credentials are stored DPAPI-encrypted. Message bodies and attachments are never stored or logged.
For industries with strict data protection requirements (healthcare, law firms, public authorities, hospitality) this is a significant advantage over cloud relay services.
How complex is the SMTPly setup?
Setup typically takes 20–45 minutes:
- Azure app registration (approx. 10–15 min.): Create an app in the Microsoft Entra Admin Center and grant the
Mail.Sendpermission. The built-in setup wizard guides you through every step. - Reconfigure devices (approx. 1–2 min. per device): Change the SMTP server address to the Windows server's IP.
- Send a test mail: Result immediately visible in the dashboard.
What does SMTPly cost?
SMTPly costs €149 one-time per Windows server — no subscription, no recurring costs. The license covers unlimited devices and applications sending through that server. A 14-day fully functional trial is available at no cost.
What happens if I do nothing until end of 2026?
From end of 2026, SMTP AUTH with Basic Auth will be disabled by default for your tenant. All printers, scanners and applications that have been sending via SMTP with a password will stop working.
Administrators will be able to re-enable SMTP Basic Auth manually after that — but only for a limited time. By the second half of 2027, that option will also be removed.
Prepare now — not in December 2026
SMTPly is up and running in under an hour and makes your entire SMTP infrastructure future-proof — without replacing hardware, without cloud services, without monthly costs.
€149 one-time · 1 license per server · unlimited number of devices