Timeline

The end of Basic Authentication for SMTP (SMTP Auth) has been postponed from September 2025 to March 1, 2026, with a final cutoff planned for April 30, 2026.

The new deadlines are shown in the image below.

SMTP Auth Report

Via Exchange Admin Center

To identify accounts or addresses using Basic SMTP Authentication, Microsoft provides reports.
Go to Exchange Online Admin Center > Reports > Mail Flow> SMTP AUTH clients report (Direct link: https://admin.cloud.microsoft/exchange?#/reports/smtpauthmailflowdetails)

In the report, check the Authentication protocol column and look for the value Basic Authentication to identify accounts that use this.

If you want more details about the specific emails, you can request a full report by clicking on Request Report.

.

You’ll need to enter a name, a start and end date, and an email address to receive the download link. Depending on your email volume, report generation may take several hours.

You’ll receive a download link at the address specified. Depending on your email volume, report generation may take several hours.

SMTP Auth Report via PowerShell

If you follow this blog or my posts on LinkedIn, you know I’m not a fan of too much "click-click", I prefer going straight to the point (via PowerShell or other tools).

As previously mentioned, you can request a report from the report page. But if you prefer to do it directly via PowerShell, it’s possible:

 Start-HistoricalSearch -ReportTitle "Custom SMTPBasicAuth" -ReportType "SmtpCSReport" -StartDate (Get-Date).AddDays(-2) -EndDate (Get-Date) -NotifyAddress [email protected]

To check the progress status:

Get-HistoricalSearch | Select-Object Identity, SubmitDate, Status, ReportTitle, EstimatedCompletionTime, JobProgress

You’ll receive a download link at the address specified in NotifyAddress. Depending on your email volume, report generation may take several hours.

Early end of SMTP Basic Auth

My tenant is already blocked for sending via SMTP Basic Auth

Mon tenant est déjà bloqué pour l'envoi SMTP Basic Auth

If you have never used Basic Authentication, it is likely that Microsoft has already disabled SMTP Basic Auth. In fact, in their article about the end of Basic Auth on other protocols at the end of 2022:

What we are changing
We removed the ability to use Basic authentication in Exchange Online for Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, Exchange Web Services (EWS), Offline Address Book (OAB), Autodiscover, Outlook for Windows, and Outlook for Mac.

We also disabled SMTP AUTH in all tenants where it wasn't being used.

You can check this with the command :

Get-TransportConfig | Select SmtpClientAuthenticationDisabled

If it's True, then it's already disabled on your tenant.

Although I don't recommend reactivating it, you can reactivate it using :

Set-TransportConfig -SmtpClientAuthenticationDisabled $false

I want to disable SMTP Basic Auth globally now

If you don't want to wait for Microsoft to disable it, you can disable SMTP Basic Auth for your entire organization right now:

Set-TransportConfig | Select SmtpClientAuthenticationDisabled

I want to disable SMTP Basic Auth on only a few mailboxes right now

You can also block SMTP Basic Auth on most of your mailboxes, while retaining a few for the time it takes to migrate them. To block SMTP Basic Auth on a box :

Set-CASMailbox -Identity <MailboxIdentity> -SmtpClientAuthenticationDisabled $false

Replacement Solutions for SMTP Auth

💡
If you have any recommendations for open source tools, feel free to share them in the comments, and I'll add them to the article.

You have several options:

General recommendations regardless of your choice:

  • uses a currently supported solution to avoid having to start all over again in a few months' time. That's why I haven't included IIS SMTP (which is based on IIS 6, unsupported for many, many years and even discontinued as of Windows Server 2025), nor hMail, which have been widely used solutions but are no longer supported.
  • do not use Exchange Online’s Direct Send as a replacement (anonymous sending without a connector), it’s even recommended to block it: https://itpro-tips.com/block-direct-send-in-exchange-online/
  • secure your sending platform: unauthorized access can be a serious risk, especially if you handle client domains (marketing, mass mailing, etc.)
  • use a dedicated subdomain like app.domain.com for application messaging.

Comments

banner-Bastien Perez
Bastien Perez's avatar

Freelance Microsoft 365 - Active Directory - Modern Workplace

France