check before: 2025-09-01
Product:
Exchange, Microsoft 365 admin center
Platform:
Developer, Online, World tenant
Status:
Change type:
Admin impact, Retirement, Updated message, User impact
Links:
Details:
Summary:
Exchange Online will retire Basic Auth for SMTP AUTH in September 2025. Users must switch to OAuth or other alternatives. The SMTP AUTH Clients Submission Report in the Exchange admin center will indicate the authentication method used. This change aims to enhance security against vulnerabilities associated with Basic Auth.
Details:
Updated October 18, 2024: We have updated the SMTP AUTH Clients Submission Report in the Exchange admin center, adding the Authentication Protocol column to show if Basic auth or OAuth is being used to submit email to Exchange Online. The data will build up over the next 90 days. Thank you for your patience.
Today, we are announcing that Exchange Online will permanently remove support for Basic authentication with Client Submission (SMTP AUTH) in September 2025. After this time, applications and devices will no longer be able to use Basic auth as an authentication method and must use OAuth when using SMTP AUTH to send email.
Basic auth is a legacy authentication method that sends usernames and passwords in plain text over the network. This makes it vulnerable to credential theft, phishing, and brute force attacks. To improve the protection of our customers and their data, we are retiring Basic auth from Client Submission (SMTP AUTH) and encouraging customers to use modern authentication methods that are more secure.
[When this will happen:]
We will be making this change in September 2025.
Change Category:
XXXXXXX ... free basic plan only
Scope:
XXXXXXX ... free basic plan only
Release Phase:
Created:
2024-04-26
updated:
2024-10-19
Task Type
XXXXXXX ... free basic plan only
Docu to Check
XXXXXXX ... free basic plan only
MS How does it affect me
XXXXXXX ... free basic plan only
MS Preperations
XXXXXXX ... free basic plan only
MS Urgency
XXXXXXX ... free basic plan only
MS workload name
XXXXXXX ... free basic plan only
More Info URL
XXXXXXX ... free basic plan only
MS Blog Link
XXXXXXX ... free basic plan only
summary for non-techies**
XXXXXXX ... free basic plan only
Direct effects for Operations**
Retirement of Basic Authentication
Users relying on Basic Auth for SMTP AUTH will be unable to send emails after September 2025, leading to potential disruptions in email communication.
- roles: Email Administrators, End Users
- references: https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online
Increased Security Risks
Without proper transition to OAuth, organizations may face increased security risks due to reliance on outdated authentication methods, leading to potential data breaches.
- roles: Security Officers, IT Administrators
- references: https://learn.microsoft.com/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth
User Experience Degradation
Users who do not transition to OAuth may experience service interruptions, resulting in frustration and decreased productivity.
- roles: End Users, Support Staff
- references: https://learn.microsoft.com/Exchange/mail-flow-best-practices/high-volume-mails-m365
Need for Alternative Solutions
Organizations must find and implement alternative solutions for email submission, which may require additional resources and training.
- roles: IT Administrators, Project Managers
- references: https://learn.microsoft.com/azure/communication-services/concepts/email/email-overview
Increased Support Requests
The transition away from Basic Auth may lead to an increase in support requests from users facing issues with email submission, straining IT resources.
- roles: Help Desk Staff, IT Support
- references: https://learn.microsoft.com/exchange/mail-flow/connectors/allow-anonymous-relay?view=exchserver-2019
Configutation Options**
XXXXXXX ... paid membership only
Potentional Risks**
XXXXXXX ... paid membership only
IT Security**
XXXXXXX ... paid membership only
explanation for non-techies**
Imagine you have a safe at home where you keep your valuables. The safe has an old lock that uses a simple key, which anyone could potentially copy if they got their hands on it. Now, suppose you decide to upgrade to a more modern lock that uses a combination code, making it much harder for someone to break in and steal your belongings. This is similar to what's happening with Exchange Online's move from Basic Authentication to OAuth for sending emails.
Basic Authentication is like that old key lock. It uses a straightforward method where usernames and passwords are sent over the network in plain text. This makes it easier for cybercriminals to intercept and misuse this information, much like someone copying your key. On the other hand, OAuth is like the new combination lock. It provides a more secure way to access your email system by using tokens instead of passwords, making it much harder for unauthorized users to gain access.
By September 2025, Exchange Online will no longer support Basic Authentication for sending emails. This means that any applications or devices that currently use this method will need to switch to OAuth or another secure alternative. Just like you would need to change the way you access your safe with the new lock, you will need to update your email systems to use OAuth.
To help with this transition, Microsoft has introduced a report in the Exchange admin center that shows whether Basic Authentication or OAuth is being used. This is like having a checklist to see which locks in your house still need upgrading. Microsoft will also send reminders to those still using Basic Authentication, much like a friendly nudge to change your locks before the deadline.
For those who cannot switch to OAuth, Microsoft offers alternatives, such as using Microsoft 365 High Volume Email or Azure Communication Services Email. These are like having a security service that provides additional protection for your valuables.
While this change may require some adjustments, it is an important step to ensure the security of your email communications, much like upgrading to a more secure lock to protect your home.
** AI generated content. This information must be reviewed before use.
a free basic plan is required to see more details. Sign up here
A cloudsocut.one plan is required to see all the changed details. If you are already a customer, choose login.
If you are new to cloudscout.one please choose a plan.
change history
Date | Property | old | new |
2024-10-19 | MC Messages | Today, we are announcing that Exchange Online will permanently remove support for Basic authentication with Client Submission (SMTP AUTH) in September 2025. After this time, applications and devices will no longer be able to use Basic auth as an authentication method and must use OAuth when using SMTP AUTH to send email.
Basic auth is a legacy authentication method that sends usernames and passwords in plain text over the network. This makes it vulnerable to credential theft, phishing, and brute force attacks. To improve the protection of our customers and their data, we are retiring Basic auth from Client Submission (SMTP AUTH) and encouraging customers to use modern authentication methods that are more secure. [When this will happen:] We will be making this change in September 2025. | Updated October 18, 2024: We have updated the SMTP AUTH Clients Submission Report in the Exchange admin center, adding the Authentication Protocol column to show if Basic auth or OAuth is being used to submit email to Exchange Online. The data will build up over the next 90 days. Thank you for your patience.
Today, we are announcing that Exchange Online will permanently remove support for Basic authentication with Client Submission (SMTP AUTH) in September 2025. After this time, applications and devices will no longer be able to use Basic auth as an authentication method and must use OAuth when using SMTP AUTH to send email. Basic auth is a legacy authentication method that sends usernames and passwords in plain text over the network. This makes it vulnerable to credential theft, phishing, and brute force attacks. To improve the protection of our customers and their data, we are retiring Basic auth from Client Submission (SMTP AUTH) and encouraging customers to use modern authentication methods that are more secure. [When this will happen:] We will be making this change in September 2025. |
2024-10-19 | MC Title | Exchange Online to retire Basic Auth for Client Submission (SMTP AUTH) | (Updated) Exchange Online to retire Basic Auth for Client Submission (SMTP AUTH) |
2024-10-19 | MC Last Updated | 04/26/2024 02:17:12 | 2024-10-18T18:26:45Z |
2024-10-19 | MC MessageTagNames | User impact, Admin impact, Retirement | Updated message, User impact, Admin impact, Retirement |
2024-10-19 | MC Summary | Exchange Online will retire Basic Auth for Client Submission (SMTP AUTH) in September 2025. Users must switch to OAuth or other alternatives before this date, as applications using Basic Auth will no longer be supported. Steps to prepare and alternative options are provided. | Exchange Online will retire Basic Auth for SMTP AUTH in September 2025. Users must switch to OAuth or other alternatives. The SMTP AUTH Clients Submission Report in the Exchange admin center will indicate the authentication method used. This change aims to enhance security against vulnerabilities associated with Basic Auth. |
Last updated 2 months ago