Important Clarification: Conditional Access vs. Exchange Settings
This is the most important concept to understand:
- **Conditional Access (CA)** does not **enable** protocols. It acts as a security gate that **allows** or **blocks** authentication requests.
- **Exchange Online** is where you **enable** or **disable** the SMTP AUTH protocol on the mailbox itself.
To make SMTP AUTH work for one user, you must do both:
1. Enable the protocol on the mailbox (in Exchange).
2. Create an exception for the user in your Conditional Access policy (in Entra ID).
Critical Prerequisite: Security Defaults
You cannot use Conditional Access policies and "Security Defaults" at the same time. Security Defaults (common in newer or smaller tenants) automatically blocks all legacy authentication, including SMTP AUTH.
- If **Security Defaults is ON**, you must **disable it** before this guide will work.
- **Warning:** Only disable Security Defaults if you are replacing it with your own set of Conditional Access policies (like the one in this guide) to protect your tenant.
You can check this in the Microsoft Entra admin center under Identity > Overview > Properties > Manage security defaults.
Table of Contents
- [The Overall Strategy (Best Practice)](#strategy)
- [Part 1: Enable SMTP AUTH on the Mailbox (Exchange)](#part1)
- [Part 2: Create a "Block Legacy Auth" CA Policy (Entra ID)](#part2)
* [2.1 - Create the New Policy](#step2-1)
* [2.2 - Assign to "All users"](#step2-2)
* [2.3 - Target "All cloud apps"](#step2-3)
* [2.4 - Target Legacy "Client apps"](#step2-4)
* [2.5 - Set Grant control to "Block access"](#step2-5)
- [Part 3: Exclude Your Specific User from the Policy](#part3)
- [Part 4: Enable and Verify the Policy](#part4)
The Overall Strategy (Best Practice)
Creating a CA policy to allow one user is the wrong approach. The most secure and recommended method is to create a "deny by default" posture:
1. Block Legacy Authentication (including SMTP AUTH) for ALL users in your tenant.
2. Add a specific Exclusion to that policy for the one service account that needs it.
This guide shows you how to build this single, effective policy.
Part 1: Enable SMTP AUTH on the Mailbox (Exchange)
First, you must enable the protocol on the actual mailbox. This is done using Exchange Online PowerShell. (You can also do this in the M365 Admin Center, but PowerShell is faster).
Step 1: Connect to Exchange Online PowerShell
Open PowerShell and run these commands to connect.
```powershell
# Install the module (if you haven't already)
Install-Module -Name ExchangeOnlineManagement
# Connect to Exchange Online
Connect-ExchangeOnline
```
Step 2: Enable SMTP AUTH for the User
Run the Set-CASMailbox command. This setting overrides any tenant-wide setting.
```powershell
# Replace with your user's email address
Set-CASMailbox -Identity "svc-printer@yourdomain.com" -SmtpClientAuthenticationDisabled $false
```
Step 3: Verify the Setting
```powershell
# Verify the setting is "False" (meaning, it is NOT disabled)
Get-CASMailbox -Identity "svc-printer@yourdomain.com" | Format-List SmtpClientAuthenticationDisabled
# Expected Output:
# SmtpClientAuthenticationDisabled : False
```
Part 2: Create a "Block Legacy Auth" CA Policy (Entra ID)
Now, we move to the Microsoft Entra admin center (entra.microsoft.com) to create the Conditional Access policy that blocks this protocol for everyone.
2.1 - Create the New Policy
1. Navigate to Protection > Conditional Access.
2. Click Policies > + New policy.
3. Give it a descriptive name, such as "Block Legacy Authentication".
2.2 - Assign to "All users"
1. Under Assignments, click Users or workload identities.
2. On the Include tab, select All users.
2.3 - Target "All cloud apps"
1. Under Target resources, click Cloud apps or actions.
2. On the Include tab, select All cloud apps.
This ensures the policy applies to attempts to access any resource, including Exchange Online.
2.4 - Target Legacy "Client apps"
This is the most important condition. This is where you tell the policy to only look for legacy authentication attempts.
1. Click Conditions.
2. Find and click Client apps.
3. Set the Configure toggle to Yes.
4. Under Legacy authentication clients, check the box for Other clients. (This is the category that includes SMTP, IMAP, and POP).
5. Click Done.
2.5 - Set Grant control to "Block access"
1. Under Access controls, click Grant.
2. Select Block access.
3. Click Select.
At this point, you have a policy that blocks all legacy authentication for all users. Do not enable it yet.
Part 3: Exclude Your Specific User from the Policy
This is the final step to achieve your goal. Inside the same policy you are still editing ("Block Legacy Authentication"), you will add your exclusion.
1. Go back to the Assignments > Users or workload identities section.
2. Click on the Exclude tab.
3. Check Users and groups.
4. Select the user account that needs SMTP AUTH (e.g., svc-printer@yourdomain.com).
5. Click Select.
Best Practice: Use a Group
Instead of excluding individual users, it is better to create a Microsoft Entra security group (e.g., "CA_Exclude_LegacyAuth"). Add your service account to this group, and then exclude the group from the policy. This makes it much easier to manage exceptions in the future without editing the policy itself.
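The same policy built in Parts 2 and 3 can be created with Microsoft Graph PowerShell instead of the portal, which makes the "All users / All cloud apps / Other clients / Block" shape easy to review and reproduce. This is an added example, not part of the guide; it assumes the Microsoft.Graph module is installed and that the "CA_Exclude_LegacyAuth" group from the best-practice note already exists.

```powershell
# Added example: create the "Block Legacy Authentication" policy via Graph, in Report-only mode.
# Assumes Microsoft.Graph is installed and the exclusion group already exists.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# CA assignments reference object IDs, so resolve the group name first
$group = Get-MgGroup -Filter "displayName eq 'CA_Exclude_LegacyAuth'"
if (-not $group) { throw "Exclusion group not found; create it before creating the policy." }

$policy = @{
    displayName = "Block Legacy Authentication"
    # Report-only first (Part 4); change to "enabled" after reviewing the sign-in logs
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")          # 2.2 - All users
            excludeGroups = @($group.Id)      # Part 3 - exclusion group instead of single users
        }
        applications = @{
            includeApplications = @("All")   # 2.3 - All cloud apps
        }
        # 2.4 - "Other clients": SMTP AUTH, IMAP, POP and similar legacy protocols
        clientAppTypes = @("other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")         # 2.5 - Block access
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State
```

Unlike the portal, the API does not warn you if the account running it is not excluded, so check the exclusion group membership before moving the state to "enabled".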
Part 4: Enable and Verify the Policy
Your policy is now complete. The final step is to enable it.
1. At the bottom of the policy page, under Enable policy, set the toggle to On.
2. Click Create (or Save if editing).
Use "Report-only" Mode First!
Before setting the policy to "On", it is highly recommended to set it to Report-only. This lets the policy run for a day or two without actually blocking anyone. You can then check the Sign-in logs in Entra ID to see who would have been blocked. This ensures you don't accidentally lock out an important application.
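To turn the Report-only review into a concrete list, the added example below (not from the guide) reads the last two days of sign-ins with Microsoft Graph PowerShell, keeps only legacy-client sign-ins, and groups by user and client those the policy would have blocked. It assumes the Microsoft.Graph module and consent for AuditLog.Read.All and Directory.Read.All; the policy name is the one used in this guide.

```powershell
# Added example: which legacy-auth sign-ins would the report-only policy have blocked?
# Assumes Microsoft.Graph is installed; AuditLog.Read.All and Directory.Read.All are required for sign-ins.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$policyName = "Block Legacy Authentication"
$since = (Get-Date).AddDays(-2).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Client names as they appear in the sign-in log's clientAppUsed field for legacy protocols
$legacyClients = @("Authenticated SMTP", "IMAP4", "POP3", "Exchange ActiveSync", "Other clients")

$signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since"

$rows = foreach ($s in $signIns) {
    if ($s.ClientAppUsed -notin $legacyClients) { continue }
    # Every sign-in carries the evaluation result of each CA policy, including report-only ones
    $eval = $s.AppliedConditionalAccessPolicies | Where-Object { $_.DisplayName -eq $policyName }
    [pscustomobject]@{
        User         = $s.UserPrincipalName
        Client       = $s.ClientAppUsed
        App          = $s.AppDisplayName
        # "reportOnlyFailure" = would have been blocked; "reportOnlyNotApplied" = excluded/not in scope
        PolicyResult = if ($eval) { $eval.Result } else { "notEvaluated" }
        Time         = $s.CreatedDateTime
    }
}

# Accounts that will lose access the moment the policy is switched to On
$rows | Where-Object PolicyResult -eq "reportOnlyFailure" |
    Group-Object User, Client | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Anything listed here that is a legitimate service account belongs in the exclusion group before enforcement; anything else is the legacy-auth exposure the policy is about to close.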
After enabling, you can verify it's working:
- **Test the excluded account:** Your device or app using `svc-printer@yourdomain.com` should be able to send mail successfully.
- **Test a normal account:** If you try to configure a POP/IMAP client (which also uses legacy auth) with a normal user account, it should be blocked. The Sign-in logs for that user will show "Failure" and list "Block Legacy Authentication" as the reason.
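Because the exception lives in two places (the mailbox flag from Part 1 and the CA exclusion from Part 3), they drift apart over time. The added example below (not from the guide) reconciles them: it computes each mailbox's effective SMTP AUTH state against the tenant-wide default and compares that list with the exclusion group's members. It assumes both an Exchange Online session (Part 1) and a Graph session with GroupMember.Read.All, and that mailbox primary SMTP addresses match user principal names.

```powershell
# Added example: reconcile mailbox-level SMTP AUTH with the CA exclusion group.
# Assumes Connect-ExchangeOnline has run and Connect-MgGraph -Scopes "GroupMember.Read.All" has run.
$groupName = "CA_Exclude_LegacyAuth"     # group name from the best-practice note in Part 3

# Tenant-wide default; a mailbox whose own setting is $null inherits this value
$tenantDisabled = (Get-TransportConfig).SmtpClientAuthenticationDisabled
"Tenant-wide SMTP AUTH disabled: $tenantDisabled"

# Mailboxes where SMTP AUTH is effectively on: explicit $false, or $null while the tenant allows it
$smtpEnabled = Get-CASMailbox -ResultSize Unlimited |
    Where-Object {
        $_.SmtpClientAuthenticationDisabled -eq $false -or
        ($null -eq $_.SmtpClientAuthenticationDisabled -and -not $tenantDisabled)
    } | ForEach-Object { $_.PrimarySmtpAddress.ToString() }

$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group $groupName not found." }
# Member objects are generic directoryObjects; the UPN sits in AdditionalProperties
$members = Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties["userPrincipalName"] }

# Drift in either direction is a finding:
#  - SMTP AUTH on but not excluded: the mailbox flag is pointless, CA blocks it anyway
#  - excluded but SMTP AUTH off: a stale exception that widens the legacy-auth exposure
$notExcluded   = $smtpEnabled | Where-Object { $_ -notin $members }
$staleExclusion = $members   | Where-Object { $_ -notin $smtpEnabled }

"Mailboxes with SMTP AUTH enabled but not in ${groupName}: $($notExcluded -join ', ')"
"Group members whose mailbox has SMTP AUTH disabled: $($staleExclusion -join ', ')"
```

If the tenant-wide value is False (SMTP AUTH allowed for everyone by default), the first list will be long; the fix is to disable it tenant-wide and keep only the per-mailbox exceptions from Part 1.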
© 2026 dotCLOUD. This document is for customer use. Use all settings at your own risk.