Microsoft has announced a significant update regarding the deprecation of Basic Authentication (Basic Auth) for Exchange Online's Client Submission (SMTP AUTH). Originally slated for permanent removal in September 2025, the timeline has been extended to begin on March 1, 2026, with complete deactivation by April 30, 2026. This extension aims to provide organizations additional time to transition to more secure authentication methods.
Background on Basic Authentication Deprecation
Basic Authentication, a legacy protocol, transmits usernames and passwords in plain text, making it susceptible to various security threats, including credential theft and brute force attacks. To enhance security, Microsoft has been systematically phasing out Basic Auth across its services. The deprecation process for Exchange Online began in 2019, with most protocols transitioning to Modern Authentication (OAuth 2.0) by late 2022. However, SMTP AUTH was granted an extended timeline due to its widespread use in applications and devices for sending emails.
Updated Timeline for SMTP AUTH Basic Auth Deprecation
As per the latest communication from Microsoft, the revised schedule is as follows:
  • March 1, 2026: Initiation of the phased deactivation of Basic Auth for SMTP AUTH.
  • April 30, 2026: Completion of the deactivation process; Basic Auth will be fully disabled for SMTP AUTH.
During this period, Microsoft will implement a gradual approach, initially blocking a subset of Basic Auth attempts and progressively increasing the scope until full deactivation is achieved.
Implications for Organizations
Organizations utilizing Basic Auth for SMTP AUTH must prepare for this change to avoid disruptions in email services. Microsoft recommends the following actions:
  • Transition to OAuth: If your applications or devices support OAuth, configure them to use this more secure authentication method.
  • Explore Alternative Solutions: For clients that do not support OAuth, consider the following alternatives:
      • Microsoft 365 High Volume Email: Suitable for sending emails to recipients within your organization.
      • Azure Communication Services Email: Designed for sending emails to both internal and external recipients.
      • Exchange Server On-Premises: Organizations with a hybrid setup can configure their on-premises Exchange Server to allow anonymous relay or continue using Basic Auth within their on-premises environment.
It's crucial to assess your current email-sending configurations and make the necessary adjustments before the deactivation dates to ensure uninterrupted service.
Conclusion
Microsoft's decision to extend the deprecation timeline for Basic Auth in SMTP AUTH reflects its commitment to balancing security enhancements with customer readiness. Organizations are encouraged to utilize this additional time to transition to more secure authentication methods, thereby safeguarding their email communications against evolving cyber threats.

Source: Neowin Microsoft has an update on Exchange Online Basic Auth removal for Office 365
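
To help with the assessment step described above, here is an added example (not part of the original post and not Microsoft's code) that inspects the SMTP `AUTH` command a client sends and lists the clients still on Basic Auth. It assumes OAuth over SMTP is carried by the SASL XOAUTH2 mechanism, which the post does not name; the client names, addresses, password and token are constructed sample values.

```python
import base64

BASIC_MECHANISMS = {"PLAIN", "LOGIN"}  # password-based SASL mechanisms (Basic Auth)

def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()

def build_plain(user: str, password: str) -> str:
    # RFC 4616 payload: authzid NUL authcid NUL password, base64-encoded only
    return "AUTH PLAIN " + _b64(f"\0{user}\0{password}")

def build_xoauth2(user: str, access_token: str) -> str:
    # XOAUTH2 payload: user=<user>^Aauth=Bearer <token>^A^A (assumed mechanism)
    return "AUTH XOAUTH2 " + _b64(f"user={user}\x01auth=Bearer {access_token}\x01\x01")

def inspect_auth(line: str) -> dict:
    """Classify one client AUTH command without returning any secret."""
    parts = line.strip().split()
    if len(parts) < 2 or parts[0].upper() != "AUTH":
        raise ValueError("not an SMTP AUTH command")
    mech = parts[1].upper()
    info = {"mechanism": mech, "basic_auth": mech in BASIC_MECHANISMS,
            "identity": None, "password_exposed": False}
    if len(parts) > 2:  # initial response present
        raw = base64.b64decode(parts[2]).decode()
        if mech == "PLAIN":
            _, user, password = raw.split("\0")
            info["identity"] = user
            # base64 is an encoding, not encryption: the password is right there
            info["password_exposed"] = bool(password)
        elif mech == "LOGIN":
            info["identity"] = raw  # optional initial response is the username
        elif mech == "XOAUTH2":
            fields = dict(f.split("=", 1) for f in raw.split("\x01") if f)
            info["identity"] = fields.get("user")
    return info

def needs_migration(clients: dict) -> list:
    """clients maps a client name to its AUTH command; returns Basic Auth users."""
    return sorted(n for n, cmd in clients.items() if inspect_auth(cmd)["basic_auth"])

# Constructed inventory: one AUTH command captured per sending client
SAMPLE = {
    "scanner-3f": build_plain("scanner@contoso.example", "constructed-password"),
    "erp-batch": "AUTH LOGIN",
    "crm-app": build_xoauth2("crm@contoso.example", "constructed-access-token"),
}

if __name__ == "__main__":
    print("Still on Basic Auth:", needs_migration(SAMPLE))
```
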