Exchange Online: Microsoft updates timeline for SMTP Auth Basic end

For various protocols, Microsoft has already removed Basic Authentication in Exchange Online. The timeline for SMTP is being postponed.


For Exchange Online, Microsoft has already deactivated the insecure and vulnerable login using Basic Authentication for various protocols. However, the company has not touched SMTP AUTH. This is set to change – and now Microsoft is pushing the plans further back.

So far, Microsoft has disabled simple username-password login for MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, and Remote PowerShell. In April 2024, Microsoft then announced plans to also phase out SMTP AUTH Basic, originally starting in March 2026. On Tuesday this week, Microsoft released a new timeline for the end of SMTP AUTH Basic.

In the blog post, Microsoft writes that the SMTP AUTH Basic authentication behavior will remain unchanged until December 2026. At the end of December 2026, Microsoft will deactivate SMTP AUTH Basic Authentication by default for all existing tenants – however, admins will still have the option to re-enable it if needed.

New tenants created after December 2026 will no longer have SMTP AUTH Basic available by default. OAuth will be used here as the supported authentication method. In the second half of 2027, Microsoft plans to announce the final date for the removal of SMTP AUTH Basic.

With the updated roadmap, Microsoft aims to give customers more time for planning, reviewing, and deploying modern authentication alternatives. However, the company continues to move towards stronger security standards.

It seems to be a recurring pattern that Microsoft announces new security measures but then has to postpone them again and again. Microsoft even cancels some planned protective measures entirely, as it did at the beginning of the month with restrictions that were intended to protect against spam, which will now not be implemented.

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.