Overview
Microsoft has announced that Basic Authentication for SMTP Auth will be permanently retired in Exchange Online by September 2025. After this date, any application, device, or service that relies on Basic Authentication to send email via SMTP Auth will stop working.
This change is part of Microsoft’s long-term security initiative to eliminate legacy authentication methods that are vulnerable to attacks. Basic Authentication sends usernames and passwords with every request, making it a common target for credential theft and phishing attacks. By transitioning to Modern Authentication (OAuth), email-sending applications will benefit from stronger security, better compliance, and enhanced identity protection.
Why This is Important
Basic Authentication has been a major security risk for years, and its retirement is a step forward in protecting Dartmouth’s email ecosystem from unauthorized access, phishing, and credential-based attacks. OAuth, which replaces Basic Authentication, leverages multi-factor authentication (MFA), conditional access policies, and token-based authentication, ensuring a more secure and resilient infrastructure.
While Microsoft had already retired most Basic Authentication protocols in Exchange Online during the Modern Auth project in 2022, SMTP Auth remained enabled because Microsoft was not ready to disable it at that time. However, Microsoft has now set a definitive retirement date, meaning all applications and devices using SMTP Auth with Basic Authentication must transition to a modern authentication method before September 2025.
Who is Affected?
This change impacts any application, service, or device that currently sends email via SMTP Auth using Basic Authentication. Examples include:
- Printers and multifunction devices configured to send scanned documents via email.
- Applications that generate and send system notifications or alerts.
- Services that automatically distribute reports or scheduled messages via email.
- Users who have been granted permission to use legacy email clients that rely on Basic Authentication.
Important Note for Legacy Email Clients: Some users were previously granted permission to continue using legacy email clients that require Basic Authentication. Moving forward, this functionality will no longer be supported after September 2025, as Basic Authentication will be permanently disabled.
Next Steps
- Identify impacted systems: Review all devices, applications, and email clients that send email through SMTP Auth.
- Transition to OAuth: Work with IT support or application vendors to update configurations to use Modern Authentication.
- Plan ahead: Microsoft will notify organizations still using Basic Authentication in early 2025, but we recommend addressing this now to avoid last-minute disruptions.
Guidance for Application Administrators
Administrators supporting institutional systems and services should take proactive steps to assess and transition any affected applications. Detailed guidance on securing email-sending applications and transitioning away from Basic Authentication can be found in the following knowledge base article:
Email Authentication and Modernization – Application Administrator Guidance
Benefits of This Change
Although this may require some adjustments, the retirement of Basic Authentication is ultimately a positive step for Dartmouth. The transition to Modern Authentication will:
- Enhance Security: OAuth eliminates the risk of stolen credentials being reused in password attacks.
- Improve Compliance: Many security frameworks and policies now require the use of Modern Authentication.
- Reduce Attack Surface: Disabling Basic Authentication significantly lowers the likelihood of phishing-based credential theft.
Additional Information
For more details, refer to Microsoft’s official announcement. If you need assistance transitioning your applications or devices, please contact help@dartmouth.edu.