Simple Mail Transfer Protocol Authentication SHALL Be Disabled

Description

Modern email clients that connect to Exchange Online mailboxes—including Outlook, Outlook on the web, iOS Mail, and Outlook for iOS and Android—do not use Simple Mail Transfer Protocol Authentication (SMTP AUTH) to send email messages. SMTP AUTH is only needed for applications outside of Outlook that send email message.

Policy

• SMTP AUTH SHALL be disabled in Exchange Online

• SMTP AUTH MAY be enabled on a per-mailbox basis

Licensing Considerations

This setting can be configured in any Microsoft tenant.

Set Up Instructions

SMTP AUTH can only be disabled tenant-wide using Exchange Online PowerShell. To do so, follow the instructions listed at Disable SMTP AUTH in your organization | Microsoft Docs.

To enable SMTP AUTH on a per-mailbox basis, follow the instructions listed at Use the Microsoft 365 admin center to enable or disable SMTP AUTH on specific mailboxes | Microsoft Docs.

End-User Impact

This will vary depending on the organization and what existing mail infrastructure looks like. This can be impactful if you have scanners, printers, or Line-of-business (LOB) applications leveraging SMTP auth for message relay. To avoid any issues here, follow these steps.

PowerShell Scripts

Changing Modern Auth Settings: https://www.cyberdrain.com/automating-with-powershell-changing-modern-and-basic-authentication-settings/

Basic Auth Reporting: https://github.com/msp4msps/Basic-Authentication-Reporting

Videos