Microsoft Retiring Basic Authentication for SMTP Email Relay

Basic authentication for email

Written by Jackie Bilodeau

I am the Communications Director for CGNET, having returned to CGNET in 2018 after a 10-year stint in the 1990's. I enjoy hiking, music, dance, photography, writing and travel. Read more about my work at CGNET here.

May 9, 2024

Microsoft recently announced a major change in the effort to protect their users’ data In Exchange Online from cyber threats. By September 2025, the increasingly outdated Basic auth method will have been phased out completely and replaced by the OAuth protocol when using Microsoft email relay functionality (SMTP AUTH).  This will only affect client applications that use Microsoft to send email using their servers. (For example, a website that relays email via a Microsoft 365 account.)

So, what does all this mean?  And what do you need to do to prepare?

A short glossary

Basic authentication, often referred to as Basic auth, is an outdated method of sending credentials (typically a username and password) across a network in plain text. This means the information is not encrypted and can be intercepted by unauthorized parties, making it vulnerable to cyber threats such as credential theft and brute force attacks.

Open Authorization, commonly known as OAuth, is an open-standard authorization protocol or framework that enables secure, token-based access between different applications. Instead of sharing unencrypted passwords, OAuth uses access tokens to authenticate a user or application’s identity and authorize them to access specific resources. These tokens are typically sent over HTTPS, ensuring that the data remains encrypted during transmission.  Due to its simplicity and security, OAuth is already widely used for web, mobile and IoT applications.

The retirement plan

According to Microsoft, the deprecation process of Basic auth includes updates to the SMTP AUTH Clients Submission Report, a series of Message Center alerts, and finally, the complete disabling of Basic auth.

Let’s look at how they expect this to land on the calendar over the next 16 months:

September 2024: The SMTP AUTH Clients Submission Report in the Exchange admin center will update to show Microsoft if Basic auth or OAuth is being used by a customer to submit email to Exchange Online.

January 2025: Microsoft will send a Message Center alert notification to all tenants currently utilizing Basic auth with Client Submission (SMTP AUTH).

August 2025: Microsoft will send another Message Center post to tenants who are still using Basic auth with Client Submission (SMTP AUTH) about 30 days before disabling it.

September 2025: Basic auth will be permanently disabled.

 

Guidelines for preparedness

To get ready for the retirement of Basic authentication for Client Submission (SMTP AUTH) in Exchange Online, you can follow these steps:

  1. Transition to OAuth: Upgrade your applications and devices to use OAuth for SMTP Auth to enhance security with encrypted token-based authentication.
  2. Check SMTP AUTH Clients Submission Report: Starting September 2024, monitor the report in the Exchange admin center to see if Basic auth or OAuth is being used.
  3. Respond to Message Center Alerts: Pay attention to alerts from Microsoft in January 2025 and August 2025 regarding the use of Basic auth.
  4. Explore Alternatives: If your client doesn’t support OAuth, consider alternatives like High Volume Email for Microsoft 365, Azure Communication Services Email, or Authenticate with Exchange Server On-Premises or 3rd party services like SendGrid.

Remember, Basic auth will be permanently disabled in September 2025 as SMTP AUTH was the last protocol to use it. So, it’s important to act promptly and ensure your systems are compatible with modern authentication methods!

 

Written by Jackie Bilodeau

I am the Communications Director for CGNET, having returned to CGNET in 2018 after a 10-year stint in the 1990's. I enjoy hiking, music, dance, photography, writing and travel. Read more about my work at CGNET here.

You May Also Like…

Introducing Microsoft 365 Backup

Introducing Microsoft 365 Backup

Last fall at Ignite, Microsoft announced a new data storage and recovery solution, Microsoft 365 Backup. This new...

You May Also Like…

Introducing Microsoft 365 Backup

Introducing Microsoft 365 Backup

Last fall at Ignite, Microsoft announced a new data storage and recovery solution, Microsoft 365 Backup. This new...

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Translate »
Share This
Subscribe