Timeline

The end of Basic Authentication for SMTP (SMTP Auth) has been postponed from September 2025 to March 1, 2026, with a final cutoff planned for April 30, 2026.

The new deadlines are shown in the image below.

SMTP Auth Report

Via Exchange Admin Center

To identify accounts or addresses using Basic SMTP Authentication, Microsoft provides reports.
Go to Exchange Online Admin Center > Reports > Mail Flow> SMTP AUTH clients report (Direct link: https://admin.cloud.microsoft/exchange?#/reports/smtpauthmailflowdetails)

In the report, check the Authentication protocol column and look for the value Basic Authentication to identify accounts that use this.

If you want more details about the specific emails, you can request a full report by clicking on Request Report.

.

You’ll need to enter a name, a start and end date, and an email address to receive the download link. Depending on your email volume, report generation may take several hours.

You’ll receive a download link at the address specified. Depending on your email volume, report generation may take several hours.

SMTP Auth Report via PowerShell

If you follow this blog or my posts on LinkedIn, you know I’m not a fan of too much "click-click", I prefer going straight to the point (via PowerShell or other tools).

As previously mentioned, you can request a report from the report page. But if you prefer to do it directly via PowerShell, it’s possible:

 Start-HistoricalSearch -ReportTitle "Custom SMTPBasicAuth" -ReportType "SmtpCSReport" -StartDate (Get-Date).AddDays(-2) -EndDate (Get-Date) -NotifyAddress [email protected]

To check the progress status:

Get-HistoricalSearch | Select-Object Identity, SubmitDate, Status, ReportTitle, EstimatedCompletionTime, JobProgress

You’ll receive a download link at the address specified in NotifyAddress. Depending on your email volume, report generation may take several hours.

Replacement Solutions for SMTP Auth

You have several options

General recommendations regardless of your choice:

  • Do not use Exchange Online’s Direct Send as a replacement (anonymous sending without a connector), it’s even recommended to block it: https://itpro-tips.com/block-direct-send-in-exchange-online/
  • Secure your sending platform: unauthorized access can be a serious risk, especially if you handle client domains (marketing, mass mailing, etc.)
  • Use a dedicated subdomain like app.tondomaine.com for application messaging.

Comments

banner-Bastien Perez
Bastien Perez's avatar

Freelance Microsoft 365 - Active Directory - Modern Workplace

France