Switching off SMTP Basic Auth in Exchange Online

12 January 2026

What companies should know now

Microsoft is pressing ahead with switching off outdated authentication procedures. An important milestone here is the end of SMTP Basic Authentication in Exchange Online, which will be reached by April 2026 at the latest. Companies that still rely on traditional SMTP authentication with user name and password must act in good time to avoid disruptions in email delivery. This article provides an overview of the background, affected scenarios and possible alternatives.

About the author

Andre Lütke Bohmert

Nico Gau

IT specialist for system integration


Why is SMTP Basic Auth switched off?

SMTP Basic Auth is considered an insecure legacy procedure because the user name and password are stored permanently and neither token nor certificate mechanisms are used. This significantly increases the risk of attacks such as credential stuffing and password theft. Microsoft is therefore consistently moving away from this approach and instead favours modern authentication methods such as OAuth, API-based services and certificate-based relays to sustainably increase the security of Microsoft 365 clients.
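
Added example, not part of the original article: it builds the SMTP AUTH PLAIN and AUTH XOAUTH2 initial responses and shows what each one discloses to whoever holds it (a device configuration file, a backup, a capture). The account, the password and the JWT-shaped token with its "exp" and "scp" claims are constructed sample values.

```python
import base64
import json


def sasl_plain(user, password):
    """AUTH PLAIN initial response (RFC 4616): NUL + user + NUL + password."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def sasl_xoauth2(user, access_token):
    """AUTH XOAUTH2 initial response: user and bearer token, \\x01-separated."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()


def constructed_token(exp, scope="SMTP.Send"):
    """Unsigned JWT-shaped sample token; claim values are constructed."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join((seg({"alg": "none"}), seg({"exp": exp, "scp": scope}), "sig"))


def exposure(mechanism, blob, now):
    """Report what a holder of the base64 blob (config file, capture) recovers."""
    raw = base64.b64decode(blob).decode()
    if mechanism == "PLAIN":
        _, user, password = raw.split("\0")
        # The mailbox password itself: valid until someone changes it.
        return {"user": user, "secret": password, "kind": "password",
                "expires_in": None, "scope": None}
    if mechanism == "XOAUTH2":
        fields = dict(p.split("=", 1) for p in raw.split("\x01") if p)
        token = fields["auth"].split(" ", 1)[1]
        payload = token.split(".")[1]
        claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
        # A bearer token: limited to its scope and useless after "exp".
        return {"user": fields["user"], "secret": token, "kind": "access token",
                "expires_in": max(0, claims["exp"] - now), "scope": claims.get("scp")}
    raise ValueError(f"unsupported mechanism: {mechanism}")


if __name__ == "__main__":
    now = 1_768_000_000  # fixed constructed timestamp so the output is stable
    user = "scanner@example.com"  # constructed account
    for mech, blob in (("PLAIN", sasl_plain(user, "Winter2026!")),
                       ("XOAUTH2", sasl_xoauth2(user, constructed_token(now + 3600)))):
        print(mech, exposure(mech, blob, now))
```

The PLAIN blob is only base64-encoded, so the stored value is the password itself, while the XOAUTH2 blob carries a token that stops working once it expires.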


Which systems are typically affected?

Many of these systems run inconspicuously in the background until the mail dispatch suddenly stops working. In practice, the shutdown mainly affects:

Multifunction printers & scanners

ERP and merchandise management systems

Monitoring & alerting tools

Legacy applications and scripts

Third-party applications without OAuth support

What alternatives are there?

Microsoft recommends several ways to implement secure and supported e-mail delivery in the future. Which solution is suitable depends heavily on the intended use.

1. High Volume Email (HVE) in Exchange Online

Suitable for:

Internal mail dispatch within your own Microsoft 365 organisation (e.g. system messages, internal notifications).

Technical background:

HVE uses modern authentication mechanisms and is specially designed for automated, high-volume dispatch within the tenant.

Cost profile:

Included in many Microsoft 365 plans.

No additional infrastructure costs.

Restrictions on external dispatch.

Assessment:

Inexpensive and uncomplicated, but functionally limited.

2. Azure Communication Services - Email

Suitable for:

Applications, cloud workloads and external notifications with a high degree of automation.

Technical background:

API-based e-mail dispatch via Azure, independent of classic Exchange mailboxes. High scalability and modern security mechanisms.

Cost profile:

Usage-based billing (per e-mail sent).

Additional Azure resources required.

No classic SMTP access for legacy devices.

Assessment:

Very flexible and future-proof, but more for modern applications than for classic devices.

3. SMTP relay via local Exchange SE server

Suitable for:

Legacy devices and applications that do not support OAuth or API integration.

Technical background:

A local Exchange server acts as a relay and handles secure sending to Exchange Online - without Basic Auth in the cloud.

Cost profile:

Operation and maintenance of a local server.

Infrastructure and administration costs.

No usage-dependent costs per e-mail.

Assessment:

Proven solution for existing environments, but with ongoing operating costs.

Which solution is the right one?

There is no universal solution. In many environments it makes sense to combine several approaches, for example HVE for internal emails, a relay for scanners and Azure Communication Services for applications. An important basis for this decision is transparency: the Exchange Admin Centre can be used to track whether and which applications or devices are still using SMTP Basic Auth.

Which solution is ultimately suitable depends largely on the type of application or device, the internal or external mail destination, the security requirements and the respective cost and operating model.

Conclusion: Act now, avoid pressure later

Even if April 2026 still seems a long way off, experience shows that legacy systems and external third-party providers in particular should be analysed at an early stage. A structured analysis creates planning security and prevents unexpected failures during productive operation.

Our tip: Start evaluating your SMTP dependencies now. We will be happy to support you with analyses, architecture decisions and implementation.
