MICROSOFT CLOSES A SIGNIFICANT SECURITY GAP IN EXCHANGE ONLINE 

Microsoft is continuing to enhance security and will be removing one of the last remaining outdated login methods in Exchange Online in the coming months: Basic Authentication for SMTP AUTH Client Submission. Many companies still use this method for automated processes – often unknowingly and deeply integrated into business processes.

By phasing out Basic Authentication for client submission (SMTP AUTH), Microsoft is continuing its multi-year plan to improve cloud security. The timeline has since been adjusted: SMTP AUTH Basic Authentication will remain available for existing Exchange Online tenants until the end of December 2026. After that, the feature will be disabled by default—with complete removal to follow at a later date.

What may sound at first glance like a minor technical change can have a direct impact on business processes—for example, if invoices, alerts, or status notifications can no longer be sent via email. For companies, now is therefore the right time to identify affected systems and plan the transition in a structured manner.

Why Microsoft is discontinuing BASIC AUTHENTICATION

Basic Authentication is now a fundamental security risk. With every connection, the username and password are sent merely Base64-encoded, which is a reversible encoding rather than encryption – an open gateway for phishing, brute-force attacks and credential stuffing.

Even more critically, Basic Auth undermines modern security concepts because it does not support multi-factor authentication (MFA). As long as a tenant accepts Basic Auth, a backdoor remains open – even if strong security mechanisms have already been implemented elsewhere.

Microsoft is therefore following a clear line: away from password-based logins, towards zero trust and modern, token-based authentication using OAuth 2.0. OAuth 2.0 significantly reduces the risk of stolen passwords, can be controlled granularly and forms the basis for stable security controls. Basic Authentication has already been disabled for other protocols; with SMTP AUTH, one of the last remaining exceptions is now being removed.

WHAT EXACTLY IS OAUTH 2.0? 

Imagine checking into a hotel. Instead of receiving the master key for the building (password/basic authentication), you are given a key card (token). This card only opens your room and perhaps the fitness area – and only for the duration of your stay. If the card is stolen, the vault remains secure.

This is exactly how OAuth 2.0 works: an application (e.g. a scanner) does not receive your password, but a time-limited access token. This token only allows clearly defined actions (e.g. ‘send email’) and can be revoked at any time without having to change the main password. This significantly increases security, keeps the login process compatible with modern methods such as MFA, and noticeably reduces the risk of compromised access data.
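To make the difference concrete, here is an added Python example (not from the original article, and not Microsoft's or MTF's code) showing what a legacy client puts on the wire for AUTH PLAIN, that this Base64 blob decodes straight back to the password, and the SASL XOAUTH2 client response that SMTP AUTH with OAuth 2.0 uses instead, together with a submission helper built on the standard smtplib module. The addresses, password, token and host are constructed sample values.

```python
import base64
import smtplib

# Constructed sample values for the demonstration; none of these are real credentials.
SAMPLE_USER = "scanner@example.com"
SAMPLE_PASSWORD = "Winter2025!"
SAMPLE_TOKEN = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.constructed.sample"


def basic_auth_plain_blob(user: str, password: str) -> str:
    """What a legacy client sends after 'AUTH PLAIN': Base64 of NUL user NUL password (RFC 4616)."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def decode_auth_plain(blob: str) -> tuple[str, str]:
    """Base64 is an encoding, not encryption: the blob decodes straight back to user and password."""
    _authzid, user, password = base64.b64decode(blob).decode().split("\0")
    return user, password


def xoauth2_client_response(user: str, access_token: str) -> str:
    """SASL XOAUTH2 initial response for SMTP AUTH with OAuth 2.0, before Base64 encoding.

    The password never appears here; only a short-lived bearer token that the
    tenant can revoke independently of the account's password.
    """
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01"


def submit_with_oauth(host: str, port: int, user: str, access_token: str,
                      rcpt: str, message: str) -> None:
    """Submit a message over STARTTLS using AUTH XOAUTH2 (needs a live server; not exercised offline).

    Assumption: the token was obtained from the tenant's identity provider with
    permission to send mail via SMTP; obtaining it is outside this example.
    """
    def auth_object(challenge=None) -> str:
        # A 334 challenge after XOAUTH2 carries an error report; the mechanism expects an
        # empty reply so the server returns its final 535 instead of leaving the session open.
        return "" if challenge else xoauth2_client_response(user, access_token)

    with smtplib.SMTP(host, port) as smtp:
        smtp.starttls()
        smtp.ehlo()  # re-identify after TLS is up (RFC 3207)
        smtp.auth("XOAUTH2", auth_object)  # smtplib Base64-encodes the response for us
        smtp.sendmail(user, [rcpt], message)
```

Comparing the two client responses side by side is the point: the Basic Auth blob yields the account password to anyone who sees it, while the OAuth response carries only a revocable, time-limited token.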

THE TIMETABLE UNTIL FINAL SHUTDOWN 

To ensure that the transition does not take place without adequate preparation, Microsoft is already providing administrators with tools to identify affected systems. An updated report for SMTP AUTH Client Submission has been available in the Exchange Admin Centre since October 2024. This report shows which devices and applications are still using Basic Authentication. For administrators, this serves as a starting point for gaining visibility and compiling a complete list of all affected systems.

Microsoft has since adjusted the originally communicated shutdown date. Until the end of December 2026, the behaviour of SMTP AUTH Basic Authentication will remain unchanged for existing Exchange Online tenants. Systems that currently still send emails via Microsoft 365 using Basic Authentication will therefore continue to function for the time being. However, this additional time should not be seen as a green light, but rather as an opportunity to thoroughly identify affected applications, multifunction devices, scanners or scripts and to plan suitable alternatives.

At the end of December 2026, SMTP AUTH Basic Authentication will be disabled by default for existing tenants. Administrators can re-enable the feature for the time being if necessary. For tenants created after December 2026, Basic Authentication will no longer be available by default; OAuth will then be the supported authentication method. In the second half of 2027, Microsoft intends to announce the final date for the complete removal of SMTP AUTH Basic Authentication.

THE CHALLENGE: WHEN HARDWARE IS NOT ‘SMART’ ENOUGH 

In theory, switching to OAuth 2.0 is easy. In practice, however, it often fails due to the existing infrastructure in the background. While laptops and smartphones have long been modernised, printers, scanners, older ERP systems and scripts continue to stubbornly communicate using usernames and passwords.

Typical examples include a scanner that sends delivery notes to a central mailbox address, an ERP system that automatically sends order confirmations by email, or a monitoring tool that sends alerts to the on-call service in the event of malfunctions. For many of these devices, there are no longer any current firmware updates available. A complete hardware or system replacement would be technically possible, but often disproportionate in economic terms.

That is why a systematic analysis of existing connections is the most important first step. If you know early on where basic authentication is still in use, you can carry out the changeover in a planned, risk-aware manner and without time pressure.

CONCRETE RECOMMENDATIONS FOR ACTION 

Companies should proceed in a structured manner:

  1. Conduct an inventory
     The SMTP AUTH Client Submission Report in the Exchange Admin Centre helps to identify all systems that still use basic authentication – including rarely used locations and special solutions.

  2. Categorise systems
     Which ones can be converted to OAuth 2.0 via update or configuration? Which ones are obsolete and need to be replaced in the medium term? And for which systems is replacement desirable but not realistic in the short term?

  3. Create a migration plan
     On this basis, a migration plan can be created that prioritises business-critical systems and allows sufficient time for testing. For modern systems, only a configuration adjustment is often necessary; Microsoft provides extensive documentation for OAuth implementation. For older systems, it is worth checking for available firmware updates or consulting the manufacturer.

Migration paths: from OAuth to SMTP relay

The strategy should be two-pronged.

  1. Modernisation (priority 1)
     Wherever possible, systems should be converted directly to OAuth 2.0 – whether through software updates, firmware updates or configuration adjustments. Many current applications and services already support modern authentication. After the switch, access is more secure, traceably logged and can be integrated into existing security policies.

  2. Bridge technology (priority 2)
     In practice, however, it is clear that not every system is ‘OAuth-enabled’. Systems that cannot be modernised require an intermediary. Older multifunction printers, industry solutions or individually developed applications often do not support OAuth 2.0 and no longer receive updates, but are still indispensable in operation. In these cases, an SMTP relay service is a good option, acting as a bridge between legacy systems and the modern email infrastructure. The older systems connect to the relay, which handles secure communication with Exchange Online and meets the requirements of Microsoft 365.

Risks of not switching over

It is tempting to put off dealing with this issue. However, those who delay the transition risk automated email delivery failures: invoices will remain stuck in the ERP, scan-to-mail functions will fail, and alerts from monitoring systems will no longer reach anyone. Individual disruptions can quickly become a business risk – with consequences for efficiency, customer satisfaction and, in some circumstances, compliance. This means that the changeover is not just a technical detail, but a business-critical project.

SMTP MAIL RELAY FROM THE MTF BUSINESS CLOUD 

As a bridging technology, MTF offers an SMTP mail relay service from the MTF Business Cloud. The service is specially designed for scenarios in which systems that do not support modern authentication must continue to operate but still need to send emails reliably.

The relay service runs in our highly available Swiss cloud environment, is optimised for sending from applications and devices, and can be integrated into existing security and compliance requirements in a controlled manner. Companies retain control over senders, routing and policies, while the technical complexity of connecting to Exchange Online is reduced.

The advantages of this solution are obvious:

  • Continued operation of existing devices without hardware replacement.
  • Swiss data storage in our highly available MTF Business Cloud.
  • Decoupling from legacy systems without compromising cloud security.

MTF: YOUR PARTNER FOR MODERN AUTHENTICATION SOLUTIONS 

The decision to disable Basic Authentication for SMTP AUTH has been made. Companies have until the end of 2026 to adapt their environment – but this time should be used actively. The next steps include a structured inventory, evaluation of affected systems and a decision on modernisation or a relay solution.

MTF supports you in making this transition predictable and secure. We analyse your Exchange Online environment, identify all relevant connections and work with you to develop a migration plan – from direct conversion to OAuth 2.0 to integration of the SMTP Mail Relay Service from the MTF Business Cloud.

If you want to ensure that your email communication continues to function smoothly after April 2026, it is worth discussing this with us at an early stage. Contact us for a no-obligation consultation – we will guide you step by step through the transition.

FAQs 

  1. Does the discontinuation of Basic Authentication only affect SMTP or other protocols in Exchange Online as well?
     The change that has now been announced specifically refers to Basic Authentication for SMTP AUTH client submission. Many other protocols such as POP, IMAP and Exchange ActiveSync have already been converted to modern authentication in previous waves. However, for companies that use SMTP for automated emails, this latest change is often the most noticeable – especially for printers, scanners, ERP systems and scripts.

  2. How can I find out which systems in my environment still use basic authentication for SMTP?
     The most important starting point is the SMTP AUTH Client Submission Report in the Exchange Admin Centre. It shows which devices and applications still log in with Basic Authentication. It is also worth taking inventory of the infrastructure: Where are automated emails sent (scan-to-mail, ERP, monitoring, industry solutions)? This often reveals systems that have been running unchanged for years and are no longer a priority.

  3. Do all systems have to be converted to OAuth 2.0?
     From a security perspective, OAuth 2.0 is the target state. Wherever updates, new versions or configuration adjustments are available, the direct switch should be made. In practice, however, there are devices and applications that do not support OAuth 2.0 and no longer receive updates. These systems can continue to be operated via bridge technologies such as an SMTP relay service without compromising the security requirements of Exchange Online.

  4. What exactly will happen if I do not take any action by April 2026?
     For the time being, nothing will change for existing Exchange Online tenants until the end of December 2026. After that, SMTP AUTH Basic Authentication will be disabled by default. While administrators can re-enable the feature for now, Microsoft has already announced that it will be removed entirely at a later date. Systems that continue to use Basic Authentication will no longer be able to send emails after deactivation. This typically affects invoice delivery, status notifications, alerts, or scan-to-mail functions. Individual technical issues can thus quickly escalate into a business risk.

  5. Is an SMTP relay service such as the MTF SMTP Mail Relay only a temporary solution or does it also make sense in the long term?
     That depends on the company's strategy. For some customers, the relay service is a temporary solution to gain time for gradual modernisation. Others deliberately use the service in the long term to cleanly decouple legacy systems from Microsoft 365, enforce central security policies and handle email delivery from applications via a controlled, highly available service in Switzerland.

  6. Where should I start planning – and how can MTF support me in this?
     The first step is always transparency: Which systems send emails and how? Based on this, the next step is to categorise (modernisable, replaceable, dependent on relay) and prioritise business-critical applications. MTF supports you in this process by analysing your Exchange Online environment, assessing the risks and creating a migration plan – including the implementation of OAuth 2.0 where possible and the integration of the MTF SMTP Mail Relay Service where bridge technology is required.
