The update responds to customer feedback on legacy email workflows. Tenants now have clearer milestones until full removal in 2027.
Originally faster, the new schedule gives more time for migration. Through December 2026, SMTP AUTH basic authentication works as before. No changes occur during this period.
At the end of December 2026, Microsoft disables it by default for existing tenants. Admins can still turn it on if needed. This acts as a soft enforcement step.
New tenants created after December 2026 cannot use SMTP AUTH basic by default. OAuth becomes the only supported option from day one.
In the second half of 2027, Microsoft announces the final removal date. After that, SMTP AUTH basic authentication vanishes completely from Exchange Online.
These steps provide runway for planning. The official announcement appears on the Exchange Tech Community blog.
SMTP AUTH basic authentication sends credentials in plain text or easily reversible Base64. Attackers intercept these via man-in-the-middle attacks. It lacks modern protections like token-based auth.
OAuth uses secure tokens that expire quickly. It supports multi-factor authentication (MFA) and reduces credential exposure. Microsoft views basic auth as a legacy risk in cloud environments.
Many apps, scanners, and devices rely on SMTP AUTH for sending emails via Exchange Online’s Client Submission port 587. Legacy systems struggle with OAuth upgrades.
Customer feedback highlighted migration challenges. Some tenants face issues with old hardware or third-party tools lacking OAuth support.
Existing tenants see no disruption until late 2026. But testing OAuth now prevents last-minute issues. New tenants must adopt OAuth immediately.
Affected workflows include:
Admins check usage via Microsoft 365 admin center. Reports show apps using basic auth. The “Sign-in logs” in Entra ID reveal SMTP AUTH activity.
Tenants should act early. Follow these steps:
Get-EXOMailbox or admin center reports to list SMTP-reliant apps.Microsoft offers tools like the OAuth Migration Guide in docs.microsoft.com. Test in a pilot tenant first.
This deprecation aligns with Microsoft’s Secure Future Initiative. It reduces attack surface amid rising credential theft campaigns. Basic auth featured in attacks like those exploiting unpatched Exchange servers.
OAuth integration with Conditional Access policies adds layers. Tenants enforce MFA, device compliance, and IP restrictions per app.
Industry trends mirror this. Google deprecated basic auth in Gmail years ago. AWS SES pushes API keys over SMTP basics.
Start inventory now. Prioritize high-volume SMTP apps. Train teams on OAuth setup. Monitor Microsoft 365 Roadmap for final 2027 dates.
Delay risks outages. Proactive migration ensures compliance and security. Exchange Online admins: check the blog for updates.
Microsoft balances security with usability. This timeline aids smooth transitions while ending weak auth reliance.
Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google.
The post Exchange Online SMTP AUTH Deprecation Looms – Tenants Urged To Migrate Now appeared first on Cyber Security News.
LANSING, MI (WOWO) Governor Gretchen Whitmer has expanded Michigan’s state of emergency as severe weather…
LANSING, MI (WOWO) Advocates and lawmakers are urging Michigan Governor Gretchen Whitmer to grant clemency…
A proof-of-concept (PoC) exploit has been publicly released for a newly disclosed vulnerability in Microsoft’s…
INDIANAPOLIS, IND. (WOWO) State leaders in Indiana are supporting a major new investment aimed at…
The firing of Arthur T. Demoulas, the now-former Market Basket CEO popularly known as “Artie…
The firing of Arthur T. Demoulas, the now-former Market Basket CEO popularly known as “Artie…
This website uses cookies.