SMTP AUTH Settings in Exchange Online

Created by Rohit Yadav, Modified on Thu, 20 Nov at 2:36 PM by Rohit Yadav

Overview

SMTP AUTH (Authenticated SMTP) is a legacy protocol used by older applications, multifunction printers (MFPs), scanners, and devices to send email via SMTP using smtp.office365.com.
Because SMTP AUTH does not support modern authentication, it is disabled by default in secure Microsoft 365 tenants.

Admins should only enable SMTP AUTH for specific mailboxes or service accounts that truly need it.


Use Cases for SMTP AUTH

✔ 1. Legacy Applications

Older apps requiring SMTP to send alerts, logs, or notifications.

✔ 2. Multifunction Printers (Scanning to Email)

Some printers/scanners only support SMTP username/password.

✔ 3. Third-Party Systems

CRM systems, ERP apps, IVR systems, ticketing tools that use SMTP relay.

✔ 4. IoT / Security Devices

Firewalls, door controllers, CCTV systems that send logs or alerts via SMTP.


When You SHOULD NOT Enable SMTP AUTH

❌ Modern Outlook clients

❌ Any user mailbox meant for human login

❌ Shared mailboxes (unless absolutely required)

❌ Apps that support OAuth (modern auth)

❌ Hybrid servers (use internal relay)

❌ For “just in case” — never enable tenant-wide

The reason: SMTP AUTH is often abused in account takeover attacks.


Security Recommendations (Best Practices)

  1. Keep SMTP AUTH disabled globally

  2. Enable per-mailbox only when absolutely required

  3. Use a dedicated service account

  4. Use a long, complex password

  5. Restrict account with Conditional Access (if supported)

  6. Store credentials securely (Password Manager / Azure Key Vault)

  7. Monitor sign-in logs for unusual activity

  8. Disable SMTP AUTH as soon as app/device is upgraded


How to Check and Configure SMTP AUTH


Step 1 — Open Exchange Admin Center

  1. Go to https://admin.exchange.microsoft.com

  2. Go to Settings → Mail Flow Settings


Step 2 — Check Tenant-Level SMTP AUTH Setting

In Mail Flow Settings, you will see:

  • Authenticated SMTP

    • OFF (recommended for security)

    • ON (if older apps require it)

Microsoft recommends keeping tenant-wide SMTP AUTH disabled.


Step 3 — Enable SMTP AUTH for a Specific Mailbox

  1. Go to Recipients → Mailboxes

  2. Select the mailbox

  3. Click Mail Flow Settings

  4. Enable Authenticated SMTP

  5. Save

⚠️ Only enable it for service accounts, not regular users.


Step 4 — Configure SMTP Client/App

Use the following SMTP settings:

  • Server: smtp.office365.com

  • Port: 587 (TLS)

  • Auth: Username & Password

  • Encryption: STARTTLS (required)


Step 5 — Test SMTP AUTH

Run a PowerShell test script or use a tool such as:

  • SMTP Tester

  • PowerShell Send-MailMessage (legacy)

  • Application test email option
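
The tenant-level and per-mailbox checks from Steps 2 and 3 can also be run from Exchange Online PowerShell. The script below is an added example, not part of the original article: it reports every mailbox where SMTP AUTH is effectively on but which is not on an approved list. The admin UPN and the approved service account are placeholders.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example: audit SMTP AUTH state across the tenant.
# Assumptions (not from the article): the admin UPN and the allow-list
# below are placeholders to replace with your own values.

$AdminUpn = 'admin@example.com'              # placeholder
$Approved = @('svc-scanner@example.com')     # placeholder allow-list

Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# Tenant-level switch: $true means Authenticated SMTP is OFF organization-wide.
$tenantDisabled = (Get-TransportConfig).SmtpClientAuthenticationDisabled
"Tenant SMTP AUTH disabled: $tenantDisabled"

# Per-mailbox value: $null = inherit tenant setting, $true = off, $false = on.
$report = Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    $perMailbox = $_.SmtpClientAuthenticationDisabled
    if ($null -eq $perMailbox) {
        $setting     = 'Inherit'
        $effectiveOn = -not $tenantDisabled
    } else {
        $setting     = if ($perMailbox) { 'Off' } else { 'On' }
        $effectiveOn = -not $perMailbox
    }
    [pscustomobject]@{
        Mailbox     = $_.PrimarySmtpAddress
        Setting     = $setting
        EffectiveOn = $effectiveOn
        Approved    = $Approved -contains $_.PrimarySmtpAddress
    }
}

# Mailboxes that can use SMTP AUTH but are not approved service accounts.
$report |
    Where-Object { $_.EffectiveOn -and -not $_.Approved } |
    Sort-Object Mailbox |
    Format-Table -AutoSize

# Step 3 equivalent, for one approved account only:
# Set-CASMailbox -Identity 'svc-scanner@example.com' -SmtpClientAuthenticationDisabled $false

Disconnect-ExchangeOnline -Confirm:$false
```

An empty table means every mailbox with working SMTP AUTH is on the approved list.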


Troubleshooting

❗ SMTP AUTH not working

  • Ensure tenant-wide setting is not blocking

  • Confirm mailbox-level SMTP AUTH is enabled

  • Check MFA — SMTP AUTH does not support MFA

  • Use an App Password (ONLY IF REQUIRED → not recommended)

  • Ensure device supports TLS 1.2

  • Check IP restrictions on firewalls

❗ Printer/Scanner errors

  • Update firmware for TLS 1.2 support

  • Use “SMTP client submission” NOT “Anonymous relay”

❗ Too many failed logins

  • Reset password immediately

  • Check Azure AD sign-in logs

  • Disable SMTP AUTH if suspicious activity seen


Recommended Alternatives (More Secure)

1. Modern Authentication (OAuth)

Supported by many modern apps.

2. Microsoft Graph API

Secure API for applications.

3. Exchange Online Relay (Unauthenticated SMTP Relay)

Used for internal servers in hybrid or trusted network ranges.

4. Direct Send

Printer → Exchange Online → Internal Recipients only.
