Exchange Online will retire Basic Auth for Client Submission (SMTP AUTH) in September 2025. Users must switch to OAuth or other alternatives before this date, as applications using Basic Auth will no longer be supported. Steps to prepare and alternative options are provided.
MC786329 – Today, Microsoft is announcing that Exchange Online will permanently remove support for Basic authentication with Client Submission (SMTP AUTH) in September 2025. After this time, applications and devices will no longer be able to use Basic auth as an authentication method and must use OAuth when using SMTP AUTH to send email.
Basic auth is a legacy authentication method that sends usernames and passwords in plain text over the network. This makes it vulnerable to credential theft, phishing, and brute force attacks. To improve the protection of our customers and their data, Microsoft is retiring Basic auth from Client Submission (SMTP AUTH) and encouraging customers to use modern authentication methods that are more secure.
When this will happen:
Microsoft will be making this change in September 2025.
How this will affect your organization:
In September 2024, Microsoft will update the SMTP AUTH Clients Submission Report in the Exchange admin center to show if Basic auth or OAuth is being used to submit email to Exchange Online. In January 2025, Microsoft will send a Message Center post to tenants who are using Basic auth with Client Submission (SMTP AUTH) to alert them to the upcoming change. In August 2025, about 30 days before Microsoft disables Basic auth it will send another Message Center post to tenants who are still using Basic auth with Client Submission (SMTP AUTH).
During September 2025, Microsoft will remove support for Basic auth with the Client Submission (SMTP AUTH) endpoints:
Once Basic auth is permanently disabled, any clients or apps connecting using Basic auth with Client Submission (SMTP AUTH) will receive this response:
What you need to do to prepare:
If your client supports OAuth, follow these steps: Authenticate an IMAP, POP or SMTP connection using OAuth
If your client doesn’t support OAuth and you must use Basic Auth with Client Submission (SMTP AUTH), you will need to switch to one of the following alternatives before September 2025:
Regardless of the volume of email, if you must use Basic auth to send email with Exchange Online, then you must use one of the alternatives.
Microsoft understands that this change requires some adjustments, but it believes that this is a necessary step to enhance the security and reliability of our email service and your data.
Previous Exchange Online Changelog Messages
Whether it’s Security or Cloud Computing, we have the know-how for you. Sign up for our newsletters here.