Table of Contents
- Introduction
- What is SMTP AUTH?
- Chapter 1: Understanding the Risks
- Chapter 2: How to Enable SMTP AUTH
* Prerequisite: Check "Security Defaults"
* Method 1: Microsoft 365 Admin Center (Per-Mailbox)
* Method 2: Exchange Online PowerShell (Recommended for Admins)
- PowerShell Command Summary
- Conclusion & Modern Alternatives
Introduction
This document provides a comprehensive guide for administrators on how to enable SmtpClientAuthentication (commonly known as SMTP AUTH) in Microsoft Exchange Online. This setting is required for many multi-function devices (scanners, printers) and older applications to send email.
While necessary in some cases, enabling SMTP AUTH carries significant security risks. This guide details those risks and provides the recommended, secure methods for enabling it on a limited basis.
What is SMTP AUTH?
SMTP AUTH (Simple Mail Transfer Protocol Authentication) is a protocol extension that allows a client (like an application or device) to log in to a mail server to send email. It's the "client submission" part of email, using a username and password to prove its identity before it's allowed to relay mail.
Common use cases include:
- Multi-function printers (MFPs) scanning to email.
- Legacy line-of-business (LOB) applications.
- Website contact forms that send notifications.
By default, Microsoft disables SMTP AUTH in most modern tenants to enhance security.
Chapter 1: Understanding the Risks
Warning: Enable SMTP AUTH with Extreme Caution
Enabling SMTP AUTH, especially with Basic Authentication, is a significant security liability. Before enabling it, you must understand and accept the following risks.
1. Vulnerability to Credential Theft
Most devices that use SMTP AUTH use **Basic Authentication**. This method sends the username and password with every connection, often in a way that is vulnerable to interception. If a threat actor steals these credentials, they have full access to the mailbox.
2. Brute Force & Password Spray Attacks
The SMTP AUTH endpoint (smtp.office365.com) is a globally known, open endpoint. This makes it a primary target for automated attacks. Hackers constantly run scripts that "spray" common passwords against lists of usernames, hoping to find a match. An account with SMTP AUTH enabled is a wide-open door for these attacks.
3. Bypassing Modern Security Policies
Basic Authentication protocols like SMTP AUTH **do not support Modern Authentication**. This means they cannot enforce security policies like:
- Multi-Factor Authentication (MFA)
- Conditional Access Policies (e.g., "Block sign-in from outside our country")
- Sign-in risk detection
A compromised account with SMTP AUTH enabled can be used from anywhere in the world, bypassing all your carefully crafted security layers.
4. Source for Spam and Phishing
Once an account is compromised, attackers will use it to send thousands of spam and phishing emails from your domain. This not only harms your partners and customers but can also get your entire domain blacklisted, causing legitimate mail flow to fail.
---
Microsoft's Recommendation: For these reasons, the best practice is to keep SMTP AUTH **disabled at the organization (tenant) level** and only **enable it per-mailbox** for the specific accounts that absolutely require it. You should then monitor these accounts closely.
Chapter 2: How to Enable SMTP AUTH
Prerequisite: Check "Security Defaults"
Important: Security Defaults Will Block SMTP AUTH
If your organization has Security Defaults enabled in Azure Active Directory, it blocks all legacy authentication, including SMTP AUTH. Enabling it on the mailbox will not work.
You must disable Security Defaults before SMTP AUTH will function. Warning: Only disable Security Defaults if you plan to replace it with granular Conditional Access policies to protect your tenant.
Method 1: Microsoft 365 Admin Center (Per-Mailbox)
This is the simplest method for enabling SMTP AUTH for a single user.
1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com).
2. Navigate to Users > Active users.
3. Select the user you want to manage. A flyout panel will appear.
4. In the flyout panel, click the Mail tab.
5. Click Manage email apps.
6. Check the box for Authenticated SMTP.
7. Click Save changes.
This will enable SMTP AUTH for this specific user, even if it is disabled for the rest of your organization.
Method 2: Exchange Online PowerShell (Recommended for Admins)
Using PowerShell provides more control and is the only way to manage the organization-wide setting.
Step 1: Connect to Exchange Online PowerShell
First, install the module and connect to your tenant. You only need to run the `Install-Module` command once per computer.
```powershell
# Install the Exchange Online PowerShell V3 module
Install-Module -Name ExchangeOnlineManagement
# Connect to Exchange Online
Connect-ExchangeOnline
```
Step 2: Check Your Current Settings
Before changing anything, check your current configuration.
```powershell
# Check the ORGANIZATION-WIDE setting
# True = Disabled for all mailboxes by default
# False = Enabled for all mailboxes by default
Get-TransportConfig | Format-List SmtpClientAuthenticationDisabled
# Check the setting for a SPECIFIC MAILBOX
# True = Disabled for this mailbox
# False = Enabled for this mailbox
# $null (blank) = This mailbox uses the organization-wide setting
Get-CASMailbox -Identity "user@yourdomain.com" | Format-List SmtpClientAuthenticationDisabled
```
Step 3: Enable SMTP AUTH (Recommended Method)
The recommended approach is to keep it disabled tenant-wide (Set-TransportConfig ... $true) and enable it only for the specific mailboxes that need it.
```powershell
# RECOMMENDED: Enable SMTP AUTH for a single mailbox
# This overrides the organization setting and enables it for just this user.
Set-CASMailbox -Identity "user@yourdomain.com" -SmtpClientAuthenticationDisabled $false
```
Step 4: Other PowerShell Actions (Use with Caution)
These commands are for reference but are generally less secure.
```powershell
# NOT RECOMMENDED: Enable SMTP AUTH for your entire organization
Set-TransportConfig -SmtpClientAuthenticationDisabled $false
# How to disable SMTP AUTH for a single mailbox
Set-CASMailbox -Identity "user@yourdomain.com" -SmtpClientAuthenticationDisabled $true
# How to reset a mailbox to use the organization-wide setting
Set-CASMailbox -Identity "user@yourdomain.com" -SmtpClientAuthenticationDisabled $null
```
PowerShell Command Summary
Here is a quick reference table for the most common commands.
| Goal | PowerShell Command |
| --- | --- |
| Check Org Setting | Get-TransportConfig \| fl SmtpClientAuthenticationDisabled |
| Check Mailbox Setting | Get-CASMailbox -Identity "user@domain.com" \| fl SmtpClientAuthenticationDisabled |
| Enable for Mailbox (Best Practice) | Set-CASMailbox -Identity "user@domain.com" -SmtpClientAuthenticationDisabled $false |
| Disable for Mailbox | Set-CASMailbox -Identity "user@domain.com" -SmtpClientAuthenticationDisabled $true |
| Disable for Org (Recommended) | Set-TransportConfig -SmtpClientAuthenticationDisabled $true |
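Putting the check commands above together, as an added example that is not part of the original guide: a script that reports the effective SMTP AUTH state of every mailbox by resolving the per-mailbox tri-state value ($true, $false, or $null meaning "inherit") against the organization default, so the mailboxes that actually accept SMTP AUTH can be reviewed and monitored. It assumes an existing Connect-ExchangeOnline session; the function names are my own, not part of the module.

```powershell
# Added example (not from the original guide). Assumes Connect-ExchangeOnline has
# already been run in this session. Function names are hypothetical.

function Get-EffectiveSmtpAuthState {
    [CmdletBinding()]
    param(
        # Org-wide default: $true = disabled unless a mailbox overrides it.
        [Parameter(Mandatory)][bool]$OrgDisabled,
        # Per-mailbox value: $true, $false, or $null (inherit the org default).
        [AllowNull()][Nullable[bool]]$MailboxDisabled
    )
    # $null on the mailbox means "no override": the org default applies.
    if ($null -eq $MailboxDisabled) {
        $disabled = $OrgDisabled
        $source   = 'Organization default'
    } else {
        $disabled = $MailboxDisabled
        $source   = 'Mailbox override'
    }
    [pscustomobject]@{ SmtpAuthEnabled = (-not $disabled); Source = $source }
}

function Get-SmtpAuthReport {
    # Read the tenant-wide setting once, then evaluate every mailbox against it.
    $orgDisabled = [bool](Get-TransportConfig).SmtpClientAuthenticationDisabled
    if (-not $orgDisabled) {
        Write-Warning 'SMTP AUTH is enabled tenant-wide. The guide recommends Set-TransportConfig -SmtpClientAuthenticationDisabled $true and per-mailbox enablement only.'
    }
    Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
        $state = Get-EffectiveSmtpAuthState -OrgDisabled $orgDisabled `
                     -MailboxDisabled $_.SmtpClientAuthenticationDisabled
        [pscustomobject]@{
            Mailbox         = $_.PrimarySmtpAddress
            SmtpAuthEnabled = $state.SmtpAuthEnabled
            Source          = $state.Source
        }
    }
}

# Show only the mailboxes where SMTP AUTH is effectively enabled: this is the
# set of accounts to justify, monitor closely, and revisit when no longer needed.
Get-SmtpAuthReport | Where-Object SmtpAuthEnabled | Sort-Object Mailbox | Format-Table -AutoSize
```

Running this after each per-mailbox change confirms that only the intended accounts appear, and that any mailbox listed with the source "Organization default" is a sign the tenant-wide setting is still open.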
Conclusion & Modern Alternatives
Enabling SmtpClientAuthentication is often a necessary step for supporting legacy hardware and applications. However, due to its significant security risks, it should be done with a "deny by default" approach: disable it everywhere and only enable it for the specific, licensed mailboxes that require it.
For any new application development or integration, \*\*avoid SMTP AUTH entirely\*\*. You should use the \*\*Microsoft Graph API\*\* or \*\*OAuth 2.0 client credentials flow\*\*. These modern methods are more secure, support MFA, and are the future-proof way to interact with Exchange Online.
© 2026 dotCLOUD. This document is for customer use. Use all settings at your own risk.