Tech Translated

IT Security & Technology Blog

Practical IT insights for Australian businesses. Our team covers cybersecurity advisories, compliance updates, and plain-English explainers on the technology your business relies on, published regularly as the landscape shifts.

Microsoft 365 basic authentication for SMTP being switched off from late December 2026

Microsoft is switching off SMTP basic authentication in December 2026. Here is what breaks and how to fix it before then.

Microsoft is turning off one of the last pieces of old-fashioned password sign-in left in Microsoft 365, and it will quietly break things that most businesses forgot were running: the printer that scans documents to email, the accounting package that sends invoices, the booking system that fires off confirmations, and the alarm panel that emails an alert at 2am. From late December 2026, SMTP AUTH basic authentication is switched off by default for every existing Microsoft 365 tenant. If a device or application still signs in to Exchange Online with a plain username and password to send mail, it stops sending on that date unless someone has already moved it across or re-enabled the setting.

This is not a price rise or a feature you can ignore. It is a hard technical change with a fixed date, and the work to fix it sits with whoever manages your IT. The good news is that the fix is well understood and there is still time to do it calmly rather than in a panic on the first business day of 2027. This paper explains what is changing, what it breaks in a typical Australian office, how to find out whether you are exposed, and the practical options ranked from best to last resort.

Executive Summary

On 27 January 2026 the Microsoft Exchange team confirmed the final timeline for retiring basic authentication on SMTP client submission. From the end of December 2026, SMTP AUTH basic authentication is disabled by default for existing Microsoft 365 tenants. Administrators can still re-enable it manually for specific mailboxes if they must, and any tenant created after December 2026 will not have basic authentication available at all. Microsoft has said it will announce the permanent removal date in the second half of 2027.

When basic authentication is switched off, an affected device or app trying to send mail receives the error "550 5.7.30 Basic authentication is not supported for Client Submission" and the message simply does not go out. In our experience the most common thing to break in a small or mid-sized Australian office is the multifunction printer's scan-to-email feature, followed by line-of-business software that emails invoices, statements, quotes and booking confirmations. Modern Outlook, Teams and the Microsoft 365 apps your staff use every day are not affected, because they already use modern authentication.

Every business on Microsoft 365 should do three things before the end of 2026: run the SMTP AUTH clients report in the Exchange admin centre to see what is still using basic authentication, list every printer, scanner, app and script that sends email through Microsoft 365, and move each one to a supported method. Leaving it until December means competing for your IT provider's time with every other business that also left it late.

What Microsoft Is Actually Changing

To understand the change you need one piece of background. When a device or program sends email through Microsoft 365, it connects to the server smtp.office365.com and signs in. For years that sign-in could be done the old way, with a username and password sent straight across the connection. Microsoft calls this "SMTP AUTH basic authentication" or "SMTP client submission". It is the same style of sign-in that Microsoft has already removed everywhere else in Microsoft 365, because a username and password with no second factor is exactly what attackers harvest and replay.

SMTP client submission has been the last holdout. Microsoft first announced its retirement in 2024, then pushed the date out twice after customers said they needed more time to move legacy equipment. The updated timeline the Exchange team published on 27 January 2026 is now the one to plan around. It sets out four milestones:

  • Now to December 2026: nothing changes. Basic authentication for SMTP keeps working exactly as it does today.
  • End of December 2026: SMTP AUTH basic authentication is disabled by default for existing tenants. An administrator can still switch it back on for specific mailboxes if there is no alternative, but the default flips to off.
  • New tenants created after December 2026: basic authentication is not available at all. OAuth is the only supported method.
  • Second half of 2027: Microsoft will announce the final, permanent removal date, after which the re-enable option disappears for everyone.
Read that middle point carefully. The switch-off is applied to your tenant whether or not anyone has looked at it. You do not opt in to the change; you have to actively opt out, mailbox by mailbox, and even then only as a short-term stay of execution before the 2027 removal.

One related change is worth putting on the same radar. Microsoft is also retiring Exchange Web Services (EWS) for non-Microsoft apps connecting to Exchange Online, with blocking starting from 1 October 2026. EWS is a different protocol, used by some older document management, CRM and mail-archiving tools rather than by printers. But if you are auditing what talks to Microsoft 365 anyway, it is efficient to check both at once.


What Will Break in a Typical Australian Office

The reason this change lands harder than it should is that the things using basic authentication are usually the things nobody thinks about. They were set up once, years ago, by whoever installed the equipment, and they have worked ever since. Here is what we find, over and over, when we audit Microsoft 365 tenants for clients across the Northern Beaches and Brookvale, greater Sydney, the Central West around Orange, Bathurst and Dubbo, Brisbane and Melbourne.

The single most common culprit is not a sophisticated system at all. It is the office multifunction printer. Nearly every Konica Minolta, Ricoh, Canon, Xerox, Brother and HP device with a "scan to email" button was configured to log in to a Microsoft 365 mailbox with a username and password and relay the scan out as an attachment. When basic authentication switches off, staff press the scan button, the job appears to send, and the email never arrives. There is rarely an obvious error at the panel, which is exactly why these failures get reported as "the scanner is broken" a week later rather than caught on day one.

After printers, the next tier is line-of-business software that sends mail on your behalf. In professional services that means practice and matter management systems emailing invoices and statements; accounting and bookkeeping platforms sending remittances; and CRM or proposal tools sending quotes. In hospitality it is the booking and reservation systems, point-of-sale platforms and function-enquiry forms that email confirmations to guests. In not-for-profits it is donation and membership platforms sending receipts and tax statements. Many of these were pointed at Microsoft 365 with a shared mailbox and a password because it was the quickest way to get email working at go-live.

Then there is the long tail: server monitoring and backup software that emails nightly reports, alarm and CCTV systems that email alerts, UPS units, door-access controllers, and one-off PowerShell or Python scripts a former staff member wrote to email a spreadsheet each morning. Individually they are trivial. Collectively they are the reason a "quick" cutover turns into a fortnight of chasing down forgotten devices.

The majority of Microsoft 365 environments we review still have at least one device or application authenticating with a plain password, and the business owner has no idea it is there until we show them the report.

What is not affected is worth stating plainly. Your staff sending and receiving email in new Outlook, the Outlook mobile app, Outlook on the web, and Teams are all unaffected, because those clients already use modern authentication. This change is specifically about machines and apps that send mail using an old-style password sign-in, not about people reading their inbox.


How to Check Whether You Are Affected

You do not have to guess. Microsoft added a report to the new Exchange admin centre for exactly this moment. It is called the SMTP AUTH clients report, and it lists the mailboxes and source IP addresses that have used SMTP client submission, with an authentication-protocol column that tells you whether each one signed in with basic authentication or OAuth. An administrator finds it under Reports, then Mail flow, in the Exchange admin centre.

The authentication-protocol column takes up to 90 days to build a full picture, because it reports on observed traffic over time. That is the strongest practical argument for starting now rather than in the fourth quarter. If you turn the report on today, you will have three months of clean data well before the December switch-off.

Alongside the report, the low-tech step is just as valuable: walk the office and the server room and write down everything that sends email. Every printer and scanner. Every business application that emails a customer or a colleague. Every alarm, monitoring tool and backup job. For each one, note what mailbox or address it sends from and, if you can find it, how it was configured. That inventory, cross-checked against the report, is your project plan. In our experience the walk-around finds devices the report has not seen recently because they only fire occasionally, such as a quarterly statement run or a rarely triggered alarm.


Your Options, Ranked from Best to Last Resort

Once you know what is using basic authentication, each item needs to move to a supported method. There is no single answer, because a ten-year-old photocopier and a modern accounting platform have very different capabilities. These are the realistic options, roughly best to worst.

1. Modern authentication (OAuth) on the device or app

The cleanest fix is to reconfigure the device or application to sign in with OAuth, the same modern, token-based method everything else in Microsoft 365 already uses. Newer printers and current versions of most business software support it, sometimes labelled "OAuth", "modern authentication" or "sign in with Microsoft". Where it is available, this is the option to choose, because it survives the 2027 permanent removal and does not need revisiting. The catch is that plenty of older hardware and some older software simply cannot do it, and no firmware update will add it.

2. A direct-send connector using your static IP

For devices that only ever email people inside your own organisation, such as a printer scanning to staff, you can use "direct send" through a Microsoft 365 connector that trusts your office's fixed public IP address instead of a password. There is no username and password involved, so the switch-off does not touch it. This works well but has two requirements worth checking: your internet connection needs a static public IP address, and you must set your SPF record correctly so the mail is not treated as spam. It is a solid, no-licence-cost path for internal-only scanning.

3. High Volume Email or Azure Communication Services

Microsoft offers High Volume Email (HVE) for Microsoft 365 and, for developers, Azure Communication Services for Email, both designed for exactly this kind of automated, app-generated mail rather than human mailboxes. These are the right home for higher-volume senders and for applications that need to email external recipients reliably. They involve a little setup and, depending on volume, some cost, but they take app-generated mail off the mailbox path entirely, which is where it should have been all along.

4. A third-party SMTP relay service

Dedicated email-relay services (SMTP2GO, Mailgun, SendGrid, Postmark and similar) exist precisely to sit between awkward legacy devices and modern email delivery. You point the printer or app at the relay, and the relay handles secure delivery and reputation. This is a common, pragmatic choice for a business with a mix of old equipment, and it often improves deliverability as a bonus. It is an extra supplier and a small monthly cost, so weigh it against simply replacing the offending device.

5. Manually re-enabling basic authentication (short-term bridge only)

An administrator can re-enable SMTP basic authentication for a specific mailbox after the December switch-off as a bridge for a genuinely stuck device. Treat this strictly as a temporary measure, not a destination. It reopens the exact weakness Microsoft is closing, it should be locked down hard with conditional access and tight scoping if you use it at all, and it disappears entirely when Microsoft removes the feature in 2027. If your plan is to just turn it back on, you do not have a plan. You have a reminder to do this properly next year under more time pressure.

6. Replace the device

Sometimes the honest answer for a very old printer or appliance is that it has reached the end of its useful life and the cheapest total fix is to replace it with a current model that speaks modern authentication out of the box. If a device is already out of support and struggling, this deadline is a reasonable prompt to retire it rather than build workarounds around it.


Your Action Plan and Timeline

The whole job is small if you start early and methodical if you follow a sequence. Here is the plan we use with clients, mapped to sensible dates ahead of the end-of-December 2026 switch-off.

When Action Who
Now (July–August 2026) Turn on the SMTP AUTH clients report in the Exchange admin centre so 90 days of data starts building. Do a physical walk-around inventory of every device, app and script that sends email. IT provider / internal IT
September 2026 Review the report against the inventory. For each item, record the sending mailbox, the current method, and whether the device or app can support OAuth. IT provider
September–October 2026 Choose the target method for each item (OAuth, direct-send connector, High Volume Email, relay, or replace). Get quotes for any relays or replacement hardware. IT provider + owner/manager
October–November 2026 Reconfigure and test each device and app on its new method. Confirm mail actually arrives, including to external recipients where relevant. IT provider
Late November 2026 Re-run the report. Confirm nothing is still using basic authentication. Resolve any stragglers found in the walk-around but not in the data. IT provider
December 2026 Verify clean cutover ahead of the default switch-off. Keep the re-enable option in reserve only for a documented, locked-down exception. IT provider
If you do nothing else after reading this, turn on the SMTP AUTH clients report today. It costs nothing, takes minutes, and the 90-day data window is the one part of this project you cannot buy back later.

What This Costs and Who Should Own It

For most small and mid-sized businesses the direct cost is modest. Reconfiguring a printer to OAuth or a direct-send connector is a labour task, not a purchase. The costs that do appear are a possible small monthly fee if you choose a relay service, a possible High Volume Email cost for higher-volume senders, and occasionally the replacement of a device that is genuinely too old to move forward.

The larger cost is the one that only shows up if you leave it: the lost hours when scan-to-email stops, invoices silently fail to send, or booking confirmations stop reaching guests, plus the premium you pay for emergency IT work in the first week of January when everyone else is calling too.

Ownership matters here. This is not a task an individual staff member can quietly handle on the side, because it needs Exchange administrator access, an understanding of connectors and SPF records, and testing that mail genuinely delivers. It belongs with your managed IT provider or internal IT team, working from an inventory the business helps build. The owner or office manager's job is to make sure someone is actually assigned to it with a date. The most expensive version of this project is the one where everyone assumed someone else was handling it.


Why Attackers Love Basic Auth

It is worth understanding why Microsoft is doing this, because it reframes the work from a chore into a genuine security improvement. Basic authentication sends a username and password with no second factor. That is precisely the credential an attacker wants, and password-based sign-in endpoints are hammered constantly. Earlier this year we wrote about a campaign that threw 81 million break-in attempts at Microsoft 365 accounts, and legacy authentication protocols are a favourite target precisely because they can sidestep multi-factor authentication. Every mailbox left on basic authentication is a mailbox where a leaked or guessed password can send mail as your business, with no MFA prompt to stop it.

Removing basic authentication is one of the highest-value hardening steps a small business can take, and it maps directly to the "restrict administrative privileges" and "multi-factor authentication" controls in the ASD Essential Eight. If you are already looking at your Microsoft 365 tenant for this deadline, it is the natural moment to check the rest of your baseline: MFA on every account, no leftover shared mailboxes with interactive sign-in, and conditional access policies that block legacy protocols outright.


Frequently Asked Questions

From the end of December 2026, SMTP AUTH basic authentication is disabled by default for existing Microsoft 365 tenants. Administrators can still re-enable it manually for a specific mailbox as a short-term measure, but any tenant created after December 2026 will not have it available at all, and Microsoft will announce a permanent removal date in the second half of 2027.
No. New Outlook, the Outlook mobile app, Outlook on the web and Teams all use modern authentication already, so day-to-day email for your people is not affected. This change only affects devices and applications that send mail using an old-style username and password sign-in, such as printers with scan-to-email or software that emails invoices.
An administrator can run the SMTP AUTH clients report in the Exchange admin centre, under Reports then Mail flow. It lists the mailboxes and source addresses still using SMTP client submission and whether each used basic authentication or OAuth. Because the data takes up to 90 days to build, it is best to turn the report on now and pair it with a physical walk-around of every device that sends email.
For a printer that only emails people inside your organisation, a direct-send connector using your static public IP address needs no password and is unaffected by the change. For wider needs you can use a third-party SMTP relay service or Microsoft High Volume Email. If the device is very old and out of support, replacing it with a current model that supports modern authentication is often the cheapest long-term fix.
Only as a temporary bridge for a genuinely stuck device, and only if it is locked down with conditional access and tight scoping. Re-enabling basic authentication reopens the exact weakness Microsoft is closing, and the option disappears entirely when Microsoft removes the feature in 2027, so it is a way to buy a few months, not a permanent solution.

Book a Microsoft 365 Basic Authentication Review

If you are not sure whether your printers, apps or scripts are still using basic authentication, the fastest way to find out is to have someone run the report and walk the list with you. Getting this done in the next few months means a planned, tested cutover instead of an outage in the new year.