Basic authentication in Microsoft 365
The SMTP AUTH protocol is used for client SMTP email submission, typically on TCP port 587. It also supports modern authentication (Modern Auth), which is great for those with MFA enabled (which should be everyone!!).
Microsoft highly recommends that you keep SMTP AUTH disabled in your organization. You should only enable it for the mailboxes that still require it.
Having this disabled will result in things like the following not working:
- Scan to email on a Multifunction printer.
- Webforms authenticating against your tenancy.
- Third party apps that cannot use MFA.
For example, we got the error below when trying to send an email from PowerShell.
Send-MailMessage : The SMTP server requires a secure connection, or the client was not authenticated. The server response was: 5.7.57 Client not authenticated to send mail. Error: 535 5.7.139 Authentication unsuccessful, the request did not meet the criteria to be authenticated successfully. Contact your administrator. [SI2PR01CA0021.apcprd01.prod.exchangelabs.com]
At line:1 char:1
+ Send-MailMessage @mailParams
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.Mail.SmtpClient:SmtpClient) [Send-MailMessage], SmtpException
    + FullyQualifiedErrorId : SmtpException,Microsoft.PowerShell.Commands.SendMailMessage
The resolution
There are two settings that can resolve this:
- Configure the organization-wide setting to enable SMTP AUTH.
- Disable SMTP AUTH at the tenant level, then enable it per mailbox. The per-mailbox setting overrides the tenant-wide setting.
Before you begin
If your tenant was created on or after October 22, 2019, security defaults may be enabled in your tenant. To protect all of our users, Security Defaults are being rolled out to all new tenants at creation.
Method 1: Enable SMTP AUTH at tenant level
1. Connect to Exchange Online PowerShell. If the module is not installed yet, open Windows PowerShell as Administrator and run the commands below:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force;
Install-PackageProvider -Name NuGet -Force;
Set-PSRepository -Name "PSGallery" -InstallationPolicy Trusted;
Install-Module -Name ExchangeOnlineManagement;
Import-Module ExchangeOnlineManagement;
Connect-ExchangeOnline;
2. Run the following command to check SMTP AUTH status:
Get-TransportConfig | Format-List SmtpClientAuthenticationDisabled
If the SmtpClientAuthenticationDisabled property is True, SMTP AUTH is already disabled.
PS C:\> Get-TransportConfig | Format-List SmtpClientAuthenticationDisabled
SmtpClientAuthenticationDisabled : True
3. To enable SMTP AUTH, run the following command:
Set-TransportConfig -SmtpClientAuthenticationDisabled $false
Method 2: Enable SMTP AUTH for specific mailboxes
Microsoft highly recommends that you disable SMTP AUTH in your Exchange Online organization, and enable it only for the accounts (that is, mailboxes) that still require it.
You can enable SMTP AUTH for a mailbox using the following PowerShell command (replace <MailboxIdentity> with the mailbox's address):
Set-CASMailbox -Identity <MailboxIdentity> -SmtpClientAuthenticationDisabled $false
Or you can enable it from the Microsoft 365 admin center: go to Users > Active users > select the user > click Mail > click Manage email apps and verify the value of Authenticated SMTP (checked = enabled, unchecked = disabled).
Finally, try sending an email from your apps or printers to verify it works.
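Once per-mailbox overrides are in use (Method 2), it helps to review which mailboxes actually end up with SMTP AUTH enabled and why. The following is an added example, not part of the original article or Microsoft's own code; the function name Get-EffectiveSmtpAuth and the sample mailboxes are hypothetical, and it assumes a mailbox value of $null inherits the tenant setting while $true or $false overrides it.

```powershell
# Added example: resolve the effective SMTP AUTH state for each mailbox.
# Assumption: a per-mailbox value of $null means "inherit the tenant setting";
# $true or $false on the mailbox overrides the tenant-wide value.
function Get-EffectiveSmtpAuth {
    param(
        [Parameter(Mandatory)] [bool]     $TenantDisabled,
        [Parameter(Mandatory)] [object[]] $Mailbox
    )
    foreach ($m in $Mailbox) {
        $override = $m.SmtpClientAuthenticationDisabled
        if ($null -eq $override) {
            $source   = 'Tenant'
            $disabled = $TenantDisabled
        } else {
            $source   = 'Mailbox'
            $disabled = [bool]$override
        }
        [pscustomobject]@{
            Mailbox  = $m.Identity
            SmtpAuth = if ($disabled) { 'Disabled' } else { 'Enabled' }
            Source   = $source
        }
    }
}

# Constructed sample data standing in for Get-CASMailbox output.
$sample = @(
    [pscustomobject]@{ Identity = 'scanner'; SmtpClientAuthenticationDisabled = $false }
    [pscustomobject]@{ Identity = 'alice';   SmtpClientAuthenticationDisabled = $null  }
    [pscustomobject]@{ Identity = 'webform'; SmtpClientAuthenticationDisabled = $true  }
)

# Tenant-wide setting disabled: only mailboxes with an explicit override remain enabled.
Get-EffectiveSmtpAuth -TenantDisabled $true -Mailbox $sample |
    Where-Object SmtpAuth -eq 'Enabled'

# Against a live tenant, after Connect-ExchangeOnline:
# $tenant = (Get-TransportConfig).SmtpClientAuthenticationDisabled
# Get-EffectiveSmtpAuth -TenantDisabled $tenant -Mailbox (Get-CASMailbox -ResultSize Unlimited)
```

Every mailbox reported as Enabled with Source = Mailbox is an explicit exception to the tenant-wide setting and should map to a known device or application.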