Microsoft has released an updated timeline for the SMTP AUTH Basic Authentication Deprecation:
- Now to December 2026: SMTP AUTH Basic Authentication behavior remains unchanged.
- End of December 2026: SMTP AUTH Basic Authentication will be disabled by default for existing tenants. Administrators will still be able to enable it if needed.
- New tenants created after December 2026: SMTP AUTH Basic Authentication will be unavailable by default. OAuth will be the supported authentication method.
- Second half of 2027: Microsoft will announce the final removal date for SMTP AUTH Basic Authentication.
This blog will outline how these changes will affect some scan-to-email setups, how to see if you're impacted, and the most practical paths to keep scan-to-email working.
How Do Multifunction Devices Send Email Today?

Let’s start with the “how does this even work?” part.
Your MFP can scan a document and build an email message (To, From, subject line, attachment, the whole thing). But it isn’t an email server. It can’t actually deliver that message without handing it off to something that is allowed to send email.
In Microsoft 365 environments, most scan-to-email setups fall into one of three buckets:
- Client SMTP submission (SMTP AUTH): The device signs in like a user and sends mail “as” a mailbox
- Microsoft 365 connector-based sending (often called “SMTP relay” in Microsoft docs): The device sends mail to Microsoft 365, and Microsoft 365 accepts it based on how you’ve configured the connection (typically certificate or public IP)
- Direct Send: The device sends mail to Microsoft 365 without authentication, usually intended for internal mail routing
In practice, Direct Send is rarely the right long-term solution for MFP scan-to-email. It requires email-server-level configuration and can introduce public IP reputation or blacklist risks if not implemented carefully.
Another quick note: Microsoft’s naming here trips people up. When a lot of IT folks hear “SMTP relay,” they think of a relay server (like IIS SMTP) sitting in the middle. Microsoft’s “SMTP relay” method is more like “send through Microsoft 365 using a connector,” not necessarily a separate relay box you manage.
What Is Microsoft Changing With SMTP AUTH?
If you’re using SMTP AUTH with Basic authentication, this is the part you care about.
Basic authentication is the old-school approach: username + password. Even when the connection is encrypted, password-based sign-in is a common target for password spraying and credential theft. Microsoft has been steadily pushing tenants away from that style of authentication for years.
The Updated Timeline for the Microsoft 365 SMTP AUTH Deprecation
In an update published in January 2026, Microsoft announced that it will give teams additional time:
- Now through December 2026: Behavior stays the same.
- End of December 2026: Basic authentication for SMTP AUTH will be disabled by default for existing tenants. Admins can still re-enable it if needed.
- New tenants created after December 2026: Basic authentication for SMTP AUTH will not be available — there is no option to enable it.
- Q3 or Q4 2027: Microsoft will permanently disable Basic SMTP Authentication across all tenants.
Why This Matters Even With the Extended Runway
In real life, “disabled by default” is where surprises happen. Things work … until they don’t, often after a security change, a tenant hardening project, or a well-intentioned admin flips a setting during cleanup.
How Do I Check If We Are Using SMTP AUTH Today?
This is the best way to avoid guessing.
- Sign in to the Exchange admin center
- Go to: Reports > Mail flow > SMTP AUTH Clients Submission Report
- Review:
  - Who (user/app) is submitting mail
  - What endpoint it used
  - What authentication method it used (Basic or OAuth)
If it shows OAuth, great! You’re already on the modern path.
It’s also a good idea to verify whether Microsoft 365 “Security Defaults” are enabled in your tenant. Security Defaults can automatically block Basic authentication, even if individual mailbox settings appear to allow it.
Your 5 Best Options for the Planned Discontinuation of SMTP AUTH

Once you’ve identified the devices/apps still using Basic auth, you have a handful of paths.
As of early 2026, our default recommendation is to modernize now, so you won’t have to rush.
It’s cheaper than an emergency project, and scan-to-email has a way of breaking right when someone needs it for an HR form or a closing packet.
Here are the options to consider:
- OAuth 2.0
- Microsoft 365 connector-based sending (SMTP Relay)
- Microsoft High Volume Email (HVE)
- Software solutions
- On-prem Exchange hybrid routing
Option 1: OAuth 2.0
OAuth 2.0 is part of what Microsoft calls “modern authentication.” Instead of a copier storing a username and password long-term, OAuth uses short-lived access tokens.
In plain terms, it’s generally a safer, more modern way to let devices and apps send email through Microsoft 365.
If your devices support it, OAuth is a solid long-term option.
Resources
Consult Microsoft’s guide: Authenticate an IMAP, POP or SMTP connection using OAuth
OAuth Requirements
This is the part that can get tricky: OAuth is typically configured on each MFP, not centrally.
So this option usually requires:
- A compatible MFP (not all devices support OAuth for SMTP)
- Per-device setup
- Firmware updates (often required just to make OAuth an available choice)
- Acceptance that some older devices may never receive an update that adds support
Here’s the most recent status of support by manufacturer (as of Feb 2026):
- HP: OAuth available on HP FutureSmart 5.7 (released August 2023) or newer
- Canon: OAuth available on their unified Firmware Platform (uFP) v3.18 or newer
- Lexmark: OAuth available on FW24 firmware or newer
- Sharp: OAuth is available on most of the latest models, but many older models may not support it
- Konica Minolta: OAuth capabilities are in testing with a limited release on version GP4-Q6; patches are anticipated as soon as late summer 2026. Konica Minolta has released GC4-SA firmware, which includes expanded OAuth 2.0 token size limits to improve compatibility with Microsoft's authentication requirements.
- Xerox: Does not currently support OAuth 2.0 (for this scan-to-email use case)
- Ricoh: Limited support of OAuth 2.0
Keep in mind that even when a manufacturer says “OAuth supported,” it can vary by model and firmware! So it’s worth validating on one device before you commit to rolling it out everywhere.
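When validating a test device, it helps to know what each sign-in style looks like in the SMTP session. The Python sketch below is an added example, not code from Microsoft or any device vendor: it builds the client lines for Basic auth (AUTH LOGIN, which sends the stored password itself, base64-encoded) and for OAuth (AUTH XOAUTH2, in the format Microsoft's OAuth guide documents), then classifies the client side of a transcript such as a device debug log. The host name, mailbox, password and token are constructed sample values.

```python
import base64

def b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()

def login_lines(user: str, password: str) -> list:
    """Basic auth (AUTH LOGIN): the device replays its stored password every session."""
    return ["AUTH LOGIN", b64(user), b64(password)]

def xoauth2_lines(user: str, access_token: str) -> list:
    """OAuth (AUTH XOAUTH2): base64 of 'user=<u>^Aauth=Bearer <token>^A^A', ^A = 0x01."""
    return ["AUTH XOAUTH2", b64(f"user={user}\x01auth=Bearer {access_token}\x01\x01")]

def classify(client_lines: list) -> dict:
    """Classify the sign-in a device attempted, from the client side of an SMTP transcript."""
    result = {"mechanism": None, "basic_auth": False, "well_formed": False, "user": None}
    for i, line in enumerate(client_lines):
        parts = line.split()
        if len(parts) < 2 or parts[0].upper() != "AUTH":
            continue
        result["mechanism"] = mech = parts[1].upper()
        result["basic_auth"] = mech in ("LOGIN", "PLAIN")  # password-based mechanisms
        # The first SASL response is either on the AUTH line or on the next client line.
        rest = parts[2:] + client_lines[i + 1:]
        try:
            decoded = base64.b64decode(rest[0] if rest else "", validate=True).decode()
        except ValueError:  # covers malformed base64 and invalid UTF-8
            return result
        if mech == "XOAUTH2":
            fields = decoded.split("\x01")
            if (len(fields) == 4 and fields[0].startswith("user=")
                    and fields[1].startswith("auth=Bearer ") and fields[2:] == ["", ""]):
                result.update(well_formed=True, user=fields[0][len("user="):])
        elif mech == "LOGIN":
            result.update(well_formed=bool(decoded), user=decoded)
        return result
    return result

# Constructed sample values: not a real device, mailbox, password or token.
PREAMBLE = ["EHLO mfp01", "STARTTLS", "EHLO mfp01"]
BASIC = PREAMBLE + login_lines("scanner@contoso.example", "Summer2019!")
OAUTH = PREAMBLE + xoauth2_lines("scanner@contoso.example", "eyJ0eXAi.constructed.token")

if __name__ == "__main__":
    for name, lines in (("basic", BASIC), ("oauth", OAUTH)):
        print(name, classify(lines))
```

A device that reports "OAuth supported" but still produces an AUTH LOGIN line in its session log is still on the Basic path and will be affected by the change.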
Option 2: Microsoft 365 Connector-Based Sending (“SMTP Relay” Method)
Have a legacy fleet? Setting up an SMTP relay might be your best bet to avoid mailbox credential dependency, and it works with a broader range of hardware.
Here’s how: Instead of relying on credentials, the relay uses IP-based restrictions and TLS encryption to securely send mail through Microsoft 365. This method aligns with modern security standards, avoids the risks of credential theft, and ensures continued functionality for systems that do not support modern authentication protocols like OAuth 2.0.
Important Security/Deliverability Notes
Note: IP-based controls are workable, but they come with tradeoffs.
- If you authenticate based on public IP, you should treat outbound SMTP from that IP as something you protect and monitor.
- If your ISP/network environment flags outbound SMTP, you can run into mail flow issues (or reputation issues) that feel random until you trace them.
- Sometimes people hear “IP allow list” and assume it bypasses filtering. Just to clarify, it does NOT mean your mail skips scanning — it means Microsoft 365 can recognize and accept the connection under the rules you defined.
Next Steps
Review our technical guide to setting up an SMTP relay.
Option 3: Microsoft High Volume Email (HVE)
HVE works well for both internal and external recipients, but tends to be the strongest fit when the majority of traffic stays internal.
The good news? Released in April 2024, HVE is expected to continue supporting Basic Authentication (e.g., SMTP AUTH) until September 2028.
Next Steps
If you're considering HVE, here are a few things to double-check:
- The ratio of internal recipients vs external
- Expected daily volume
- Whether the use case is truly “scan-to-email” or more of an automated notification pipeline
Also, keep in mind that if you're sending high volumes to external recipients — especially marketing-style or unsolicited messages — Microsoft 365 (including HVE) may not be the right delivery mechanism. In those cases, a dedicated mass email platform is typically more appropriate to protect deliverability and IP reputation.
Option 4: Other Software Solutions
Sometimes scan-to-email isn’t really an “email configuration” problem. It’s a workflow problem wearing an email costume.
If you’re scanning invoices, AP documents, HR packets, patient forms, delivery tickets, etc., you may be better served by a document management tool that handles:
- Secure capture
- Routing rules
- Naming conventions
- Audit trails
- Delivery to the right system (not just someone’s inbox)
This can also reduce risk because you’re no longer dependent on per-device SMTP settings across a whole fleet.
Option 5: On-Prem Exchange Hybrid Routing
If you already run an on-prem Exchange server in hybrid with Microsoft 365, this can be a practical containment strategy.
Here’s how it works:
- Devices/apps send SMTP traffic to your on-prem Exchange server
- Exchange then routes mail internally or up to Microsoft 365, depending on your configuration
This approach centralizes control and can stabilize legacy systems while you modernize over time.
Just keep in mind:
- This doesn’t “modernize” the device — it shifts authentication and relay responsibility to your internal Exchange environment
- You’ll still need to properly secure and monitor internal SMTP traffic
- Maintaining on-prem Exchange solely for device relay isn’t usually worth the operational overhead
In short, this option makes the most sense if hybrid Exchange is already part of your environment, not as a long-term workaround if you’re otherwise fully cloud-based.
Related FAQs
Skip ahead if you’d like to explore your options for making this easier for your IT team!
What Is OAuth 2.0?
OAuth 2.0 is a modern authentication method that allows applications and devices to access email or other services without storing a permanent username and password. Instead of relying on static credentials, it uses secure, time-limited access tokens.
How Does OAuth 2.0 Work?
With OAuth 2.0, a device or application requests permission to send email.
Microsoft verifies the request and issues a short-lived access token. The device uses that token, not a stored password, to send mail. When the token expires, it must be refreshed or reapproved. That built-in expiration is part of what makes it more secure.
Why Use OAuth 2.0?
Because passwords are a major attack surface. OAuth reduces the risk of credential theft by:
- Eliminating long-term stored passwords
- Using short-lived tokens
- Supporting multi-factor authentication
- Providing better visibility and control inside Microsoft 365
It aligns with modern cybersecurity standards and is the direction Microsoft and most major platforms are moving.
What Is Basic Authentication?
Basic authentication (Basic auth) is the more traditional method of logging in with a static username and password. Devices store those credentials and present them every time they connect to send an email. Simple, but not very resilient by today’s standards.
Is Basic Auth Secure?
No, not by modern standards. Even when encrypted in transit, Basic auth relies on long-term credentials. If those credentials are compromised, attackers can reuse them until they’re changed. That’s why Microsoft has been phasing it out, and why modern authentication methods like OAuth are now the preferred approach.
Getting Help With Microsoft 365 SMTP AUTH Issues
We’ve put together additional resources from Microsoft and Setup Guides from manufacturers in our Knowledge Base.
However, if you want help mapping your current scan-to-email setup and choosing the right option per device, we’re happy to take some (or all) of this off your plate!
Reach out to Marco’s technical advisory team to get help identifying what’s using Basic auth today, reducing the risk of a disruption, and finding the most practical path forward — without turning this into a full-blown project unless it needs to be.
