Microsoft has extended the deadline for deprecating SMTP AUTH basic authentication in Exchange Online. By encouraging tenants to move to more modern methods such as OAuth, the change seeks to improve security.

This update addresses customer feedback on outdated email workflows. Tenants now have more clearly defined milestones up until the complete removal in 2027.

Revised Deprecation Schedule

The new schedule replaces an initially quicker one and allows more time for migration. SMTP AUTH basic authentication will continue to function normally through December 2026.

During this time, nothing changes. At the end of December 2026, Microsoft will automatically disable it for current tenants. Administrators can still re-enable it if necessary. This serves as a gentle enforcement measure.

By default, SMTP AUTH basic cannot be used by new tenants created after December 2026.

For those tenants, OAuth is the only supported option from the beginning. Microsoft will release the final removal date in the second half of 2027. After that, SMTP AUTH basic authentication disappears from Exchange Online completely.

These milestones give planning a head start. The Exchange Tech Community blog has the official announcement.

SMTP AUTH basic authentication sends credentials in plain text or as easily reversible Base64. Attackers use man-in-the-middle attacks to intercept them.

Basic authentication lacks token-based authentication and other modern safeguards. OAuth uses secure tokens that expire quickly. It reduces credential exposure and supports multi-factor authentication (MFA). In cloud environments, Microsoft considers basic authentication to be a legacy risk.
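
The contrast described above, as an added example that is not part of the original article: it decodes constructed SMTP AUTH lines to show that PLAIN and LOGIN yield the account's reusable password material after one Base64 decode, while XOAUTH2 (the SASL mechanism Exchange Online uses for OAuth over SMTP) carries only a bearer token. The addresses, password and token are constructed, and the function names are hypothetical.

```python
import base64

def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()

# Constructed sample lines (not real accounts, passwords or tokens).
SAMPLES = [
    "AUTH PLAIN " + _b64(b"\x00scanner@contoso.example\x00not-a-real-password"),
    "AUTH LOGIN " + _b64(b"alerts@contoso.example"),
    "AUTH XOAUTH2 " + _b64(b"user=app@contoso.example\x01auth=Bearer constructed.token\x01\x01"),
]

def inspect_auth(line: str) -> dict:
    """Classify one client 'AUTH <mechanism> <initial-response>' line."""
    parts = line.strip().split()
    if len(parts) < 2 or parts[0].upper() != "AUTH":
        raise ValueError("not an SMTP AUTH command")
    mech = parts[1].upper()
    raw = base64.b64decode(parts[2]) if len(parts) > 2 else b""
    if mech == "PLAIN":
        # RFC 4616 layout: authzid NUL authcid NUL password
        pieces = raw.split(b"\x00", 2)
        if len(pieces) != 3:
            raise ValueError("malformed PLAIN response")
        return {"mechanism": mech, "basic": True, "user": pieces[1].decode(),
                "secret": "password", "secret_len": len(pieces[2])}
    if mech == "LOGIN":
        # Username here; the password follows in a later Base64 line.
        return {"mechanism": mech, "basic": True, "user": raw.decode(),
                "secret": "password", "secret_len": None}
    if mech == "XOAUTH2":
        # Layout: user=<address> ^A auth=Bearer <token> ^A ^A
        fields = dict(f.split(b"=", 1) for f in raw.split(b"\x01") if f)
        token = fields[b"auth"].split(b" ", 1)[1]
        return {"mechanism": mech, "basic": False, "user": fields[b"user"].decode(),
                "secret": "bearer token", "secret_len": len(token)}
    return {"mechanism": mech, "basic": False, "user": None,
            "secret": "unknown", "secret_len": None}

def basic_auth_senders(lines) -> list:
    """Accounts still authenticating with a reusable password (migration inventory)."""
    return sorted({r["user"] for r in map(inspect_auth, lines) if r["basic"]})

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect_auth(sample))  # the password itself is never printed
    print("Migrate first:", basic_auth_senders(SAMPLES))
```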

Numerous applications, devices, and scanners use SMTP AUTH to send email through Exchange Online's Client Submission port 587.

OAuth upgrades are difficult for legacy systems. Customer feedback brought migration difficulties to light. Some tenants have problems with outdated hardware or third-party tools that don't support OAuth.

There won't be any disruptions for current tenants until late 2026. However, testing OAuth now avoids last-minute problems. New tenants must adopt OAuth right away. Impacted workflows include:

- email notifications from monitoring tools
- custom scripts that send notifications via SMTP
- reports sent by outdated multifunction printers or scanners
- on-premises apps that use Exchange Online to relay mail

Administrators use the Microsoft 365 admin center to monitor usage.

Reports display apps that use basic authentication. SMTP AUTH activity is visible in Entra ID's "Sign-in logs."

Migration Procedures for a Safe Transition

Tenants ought to take prompt action. Take these steps:

- Audit Usage: To enumerate SMTP-dependent applications, use PowerShell cmdlets such as Get-EXOMailbox or admin center reports.
- Test OAuth: Update applications to use modern authentication libraries. Microsoft offers Exchange Online OAuth endpoints.
- Enable Modern Auth: Make sure the tenant's "Modern authentication" is enabled in the Exchange admin center.
- Plan a Fallback: Be ready to temporarily re-enable basic authentication after the end-2026 disablement if necessary. Use the Graph API to script this.
- Coordinate with Vendors: Get in touch with outside vendors about OAuth updates.

Common libraries include oidc-client for JavaScript and MSAL for .NET.

Microsoft provides resources such as the OAuth Migration Guide, which can be found at docs.microsoft.com. Start with a pilot tenant.

This deprecation is in line with Microsoft's Secure Future Initiative. In the face of growing credential theft campaigns, it reduces the attack surface.

Attacks such as those that take advantage of unpatched Exchange servers use basic authentication. Integrating OAuth with Conditional Access policies adds further layers.

Tenants enforce MFA, device compliance, and app-specific IP restrictions. Industry trends reflect this. Google removed basic authentication from Gmail years ago.

AWS SES prioritizes API keys over basic SMTP authentication.

Take inventory right now. Give high-volume SMTP apps priority. Train teams to set up OAuth.

Keep an eye on the Microsoft 365 Roadmap for the final dates in 2027. Delay risks outages. Proactive migration guarantees security and compliance. Exchange Online administrators should check the blog for updates.

Microsoft strikes a balance between usability and security. This timeline ends reliance on weak authentication while facilitating seamless transitions.