REDMOND — Microsoft officially began the phased deactivation of Basic Authentication for Exchange Online’s Client Submission protocol — known as SMTP AUTH — on March 1, 2026, initiating a multi-stage retirement process that will eventually block all username-and-password login attempts over the service’s outbound email submission endpoint.

The final and most significant deadline concerns SMTP AUTH for Client Submission. Microsoft’s Exchange Team announced that SMTP AUTH Basic Authentication will be permanently retired through phased implementation beginning March 1, 2026, reaching complete shutdown by April 30, 2026. However, following an updated timeline published on January 27, 2026, Microsoft 365 tenants can use Basic Authentication with SMTP AUTH to submit messages to Exchange Online for processing until the end of December 2026, at which time Microsoft will disable Basic Authentication for SMTP AUTH.

SMTP AUTH for Client Submission represents the last major component of Basic Authentication still functioning in Exchange Online, making its pending retirement particularly significant for transactional email systems and automated email sending applications. SMTP AUTH allows applications and scripts to authenticate with SMTP servers and send email on behalf of users — a capability essential for automated email generation, marketing platforms, and business process automation systems.

What Is Changing and When

The change is rolling out gradually starting on March 1, 2026, when a percentage of Basic Auth submissions will begin failing, and will reach 100% rejection in April 2026. Under the revised January 2026 timeline, however, the hard cutoff for existing tenants has been extended.

The Exchange Team’s January 27, 2026 update makes three concrete commitments: leave behavior unchanged through December 2026; disable SMTP AUTH Basic Authentication by default for existing tenants at the end of December 2026 (but allow administrators to re-enable it); make SMTP AUTH Basic Authentication unavailable by default for new tenants created after December 2026 while supporting OAuth as the authentication method; and announce a final removal date in the second half of 2027.

Once Basic Auth is permanently disabled, any clients or apps connecting using Basic Auth with Client Submission (SMTP AUTH) will receive this response: *550 5.7.30 Basic authentication is not supported for Client Submission.* This error is a permanent rejection (5xx code). The sending server will not retry. Emails are not queued: they are lost immediately.
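One way to find the senders hit by this rejection, as an added example that is not Microsoft's code or part of the original article. The log line format, host names and the `classify` and `affected_senders` helpers are assumptions; only the 550 5.7.30 reply text comes from the article.

```python
import re
from collections import Counter

# Assumed log format (constructed): timestamp host=<sender> reply="<SMTP reply>"
SAMPLE_LOG = '''\
2026-03-02T08:15:02Z host=mfp-3f-east reply="550 5.7.30 Basic authentication is not supported for Client Submission."
2026-03-02T08:15:09Z host=crm-mailer reply="250 2.0.0 OK"
2026-03-02T08:16:41Z host=erp-notify reply="550 5.7.30 Basic authentication is not supported for Client Submission."
2026-03-02T08:17:03Z host=crm-mailer reply="451 4.3.2 System not accepting network messages"
2026-03-02T08:20:15Z host=mfp-3f-east reply="550 5.7.30 Basic authentication is not supported for Client Submission."
2026-03-02T08:21:30Z host=crm-mailer reply="550 5.1.1 Bad destination mailbox address"
'''

# Basic reply code, then an optional enhanced status code (class.subject.detail).
REPLY = re.compile(r'reply="(?P<code>\d{3})[ -](?:(?P<enh>\d\.\d{1,3}\.\d{1,3}) )?')
HOST = re.compile(r"\bhost=(\S+)")

def classify(code, enh):
    """Map an SMTP reply to the action the sender's owner has to take."""
    if code == "550" and enh == "5.7.30":
        return "basic-auth-retired"  # retrying cannot succeed; the client must change
    if code.startswith("5"):
        return "permanent"
    if code.startswith("4"):
        return "transient"           # normal retry/queue behaviour applies
    return "ok"

def affected_senders(log):
    """Count 550 5.7.30 rejections per sending host."""
    hits = Counter()
    for line in log.splitlines():
        reply, host = REPLY.search(line), HOST.search(line)
        if reply and host and classify(reply["code"], reply["enh"]) == "basic-auth-retired":
            hits[host.group(1)] += 1
    return dict(hits)

if __name__ == "__main__":
    for host, count in sorted(affected_senders(SAMPLE_LOG).items()):
        print(f"{host}: {count} rejected submission(s), reconfigure before resending")
```
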

Why Microsoft Is Making This Change

Basic Auth is a legacy authentication method that sends usernames and passwords in plain text over the network. This makes it vulnerable to credential theft, phishing, and brute force attacks. To improve the protection of customers and their data, Microsoft is retiring Basic Auth from Client Submission (SMTP AUTH) and encouraging customers to use modern authentication methods that are more secure.

Basic Authentication transmits user credentials using Base64 encoding, which is not a form of encryption and can be easily decoded by anyone who intercepts the network traffic, making it essentially cleartext transmission of passwords over the network. Attackers with access to Base64-encoded username and password sets can decode them in seconds without brute force.

Microsoft previously revealed that 480,000 accounts were compromised by password spray attacks, and 99% of those spray attacks used Exchange Online Basic Auth with IMAP4 and SMTP. Microsoft reported that a 67% reduction in compromises occurs for tenants who disable legacy authentication.

This deprecation aligns with Microsoft’s Secure Future Initiative. It reduces the attack surface amid rising credential theft campaigns.

Who Is Affected

The retirement affects a broad set of systems. Any application or device sending emails through smtp.office365.com or smtp-legacy.office365.com with a username and password is affected.

Specifically impacted systems include multifunction devices, like printers or scanners, that email files and lack OAuth support, as well as any legacy application that is still configured to use Basic Authentication. Also at risk are older web apps or internal tools that send email notifications — for example, password resets or alerts — using hardcoded SMTP credentials.

Updating devices like multifunction printers and scanners is particularly challenging. Only the device vendors can upgrade code, and many customers report blank looks when asking vendors about their plans to upgrade devices to support OAuth for client submissions.

It is important to distinguish between two sending mechanisms in Exchange Online: the Basic Auth retirement only affects Client Submission. IP-based SMTP relays are not affected.

What Organizations Must Do

Modern authentication (OAuth 2.0 token-based authorization) has many benefits: OAuth access tokens have a limited usable lifetime and are specific to the applications and resources for which they are issued, so they cannot be reused. Enabling and enforcing multifactor authentication (MFA) is also simple with Modern Authentication.

For organizations that cannot transition directly to OAuth 2.0, Microsoft has outlined several alternatives. If using Basic Auth with Client Submission (SMTP AUTH) to send emails to recipients internal to the tenant, organizations can use High Volume Email for Microsoft 365. If sending mail to both internal and external recipients, Azure Communication Services Email is available.

High Volume Email is currently in preview, with General Availability targeted for March 2026. It supports OAuth 2.0 and will continue to allow Basic Authentication for HVE only until September 2028.

If no update is available that lets an application or device support OAuth, the typical course of action is to remove Exchange Online from the equation and replace it with a different SMTP server. Another option is a local proxy that translates the device's Basic Authentication commands to OAuth.

Administrators can identify which systems in their tenants are still using Basic Auth. Microsoft updated the SMTP AUTH Clients Submission Report in the Exchange Admin Center to show if Basic Auth or OAuth is being used to submit email to Exchange Online.

Background

In 2019, Exchange Online began a multi-year effort to disable Basic Auth. This process completed in late 2022, with Client Submission (SMTP AUTH) being the only exception.

Microsoft removed the ability to use Basic Authentication in Exchange Online for Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, Exchange Web Services (EWS), Offline Address Book (OAB), Autodiscover, Outlook for Windows, and Outlook for Mac. SMTP AUTH Client Submission was left as the final holdout due to widespread dependency across automated systems and legacy hardware.

Previously, Microsoft wanted to close off Basic Authentication for SMTP AUTH in September 2025, but following customer pushback, adjusted those dates and in June 2025 announced their intention to begin rejecting a small percentage of SMTP AUTH submissions on March 1, 2026. The January 2026 revision then further extended the effective hard deadline for existing tenants to December 2026, with the final permanent removal date to be announced in the second half of 2027.

In Microsoft’s own words: “We understand that many customers continue to face real challenges modernizing legacy email workflows and need sufficient time to adopt viable, secure alternatives. Based on customer feedback and visibility into adoption progress, we are refining the Exchange Online SMTP AUTH Basic Authentication Deprecation timeline to provide clearer milestones and additional runway.”

Google began restricting less secure apps for new users in summer 2024 and completely disabled Basic Authentication for all Google Accounts on March 14, 2025. This affected email clients including older versions of Outlook, Apple Mail, Samsung Mail, and other IMAP/POP-based applications. This parallel implementation by major email providers suggests industry-wide recognition that Basic Authentication has become a liability in modern email infrastructure.

Timeline at a Glance

March 1, 2026: Phased rejection of Basic Auth SMTP submissions begins; a percentage of submissions start failing.

April 30, 2026: Originally targeted for 100% rejection (under the June 2025 plan).

End of December 2026: SMTP AUTH Basic Authentication will be disabled by default for existing tenants. Administrators will still be able to enable it if needed.

After December 2026: New tenants will have SMTP AUTH Basic Authentication unavailable by default. OAuth will be the supported authentication method.

Second half of 2027: Microsoft will announce the final removal date for SMTP AUTH Basic Authentication.
