Microsoft SMTP AUTH Deprecation to Cause MFP Scan-to-Email Disruption

    Jay Brown
    By: Jay Brown
    July 1, 2025

    Upcoming Microsoft 365 changes are anticipated to break MFP scan-to-email functionality beginning March 1, 2026. This is a result of a security update to acceptable methods to authenticate mail traffic with your O365 environment. Read on to find out how to prepare for this change.

    How do Multifunction Devices Send Email Today?

    For organizations that have moved all mailboxes into Microsoft 365 or Office 365, specific configurations are required for multifunction devices and applications to send emails. These devices and applications create email messages, but are incapable of sending those messages without help, because they aren't email servers. The Microsoft article titled “How to set up a multifunction device or application to send email using Microsoft 365 or Office 365” describes three primary methods:

    • Client SMTP submission (e.g., SMTP AUTH): Send authenticated email using the credentials of a cloud mailbox.
    • SMTP relay: Send email as an email server through Microsoft 365 or Office 365. The connection is authenticated using an inbound connector.
    • Direct Send: Send unauthenticated email as an external email server directly to Microsoft 365 or Office 365.

    What is Microsoft Changing with SMTP AUTH?

    As described in Microsoft’s article titled “Exchange Online to retire Basic auth for Client Submission (SMTP AUTH)”:

    “Exchange Online will permanently remove support for Basic authentication with Client Submission (SMTP AUTH) gradually beginning with a small percentage of submission rejections for all tenants on March 1st 2026 and reaching 100% rejections on April 30th 2026, (previously September 2025). After this time, applications and devices will no longer be able to use Basic auth as an authentication method and must use OAuth when using SMTP AUTH to send email.”

    In 2019, Exchange Online began a multi-year effort to disable Basic auth. This process was completed in late 2022, with Client Submission (SMTP AUTH) being the only exception. 

    Basic auth is a legacy authentication method that sends usernames and passwords in plain text over the network. This makes it vulnerable to credential theft, phishing, and brute force attacks. Therefore, Microsoft is retiring Basic auth from Client Submission (SMTP AUTH) and encouraging customers to use modern authentication methods that are more secure.

    Many organizations are using SMTP AUTH today, which will subsequently break as a result of this change.

    How Do I Check If We Are Using SMTP AUTH Today?

    Check your SMTP AUTH Clients Submission Report for devices using legacy authentication methods by doing the following:

    1. Sign in to the Exchange admin center.
    2. In the left-hand menu, go to: 
      Reports > Mail flow > SMTP AUTH Clients Submission Report
    3. This report shows:
      a. The user or app submitting mail
      b. The SMTP AUTH endpoint used
      c. The authentication method (Basic or OAuth)
    Look in the authentication column of the report. If it says Basic, that connection is using the method that will be disabled after April 2026. If it says OAuth, you're using the modern method and will not be affected by the change.

    How Do I Prepare for the Discontinuation of SMTP AUTH?

    Now that you know which devices are using SMTP AUTH, you have four options to explore.

    • Option 1: OAuth 2.0
    • Option 2: SMTP Relay through Office 365 (Recommended)
    • Option 3: Microsoft High Volume Email
    • Option 4: Software Solutions

    As of summer 2025, we are recommending that most clients move to Option 2. See below for an overview of each option and next steps. 

    Option 1: OAuth 2.0

    OAuth 2.0 (an authorization framework) is the modern successor to Basic Authentication (an authentication method) and is a core component of what’s referred to as Modern Authentication. It reduces the risk of credential theft by using short-lived access tokens instead of long-lived usernames and passwords. These tokens can be scoped, expire quickly, and can be revoked if necessary. Modern Authentication also supports additional security features like multifactor authentication (MFA) and conditional access policies, allowing more precise control based on user identity, device, location, and risk level.

    While OAuth 2.0 is the long-term direction for securing access to cloud and web services, full support across all systems and applications (especially legacy or non-standard implementations) is still catching up. 

    Next Steps

    Microsoft guide to OAuth: Authenticate an IMAP, POP or SMTP connection using OAuth

    CAUTION: OAuth based authentication must be set on each individual MFP. This option requires a compatible MFP (not all MFPs support OAuth) and is configured on each MFP individually, not centrally managed. Firmware updates are likely required for this option to become available. Not all devices are expected to receive such patches. Last known status of support by manufacturer:

    • HP: OAuth available on HP FutureSmart 5.7 (released in August 2023) or newer
    • Canon: OAuth available on their unified Firmware Platform (uFP) v3.18 or newer
    • Lexmark: OAuth available on FW24 firmware or newer
    • Sharp: OAuth available on most of the latest models, but many older may not.
    • Konica Minolta: OAuth capabilities in testing with a limited release on version GP4-Q6, however, patches are anticipated as soon as late summer 2026.
    • Xerox: Does not currently support OAuth 2.0
    • Ricoh: Limited support of OAuth 2.0

    Option 2: SMTP Relay through Office 365 (Recommended)

    Setting up an SMTP relay is our recommended method for the average organization that may not be able to upgrade its devices to support OAuth 2.0 on its legacy fleet. 

    Instead of relying on credentials, the relay uses IP-based restrictions and TLS encryption to securely send mail through Microsoft 365. This method aligns with modern security standards, avoids the risks of credential theft, and ensures continued functionality for systems that do not support modern authentication protocols like OAuth 2.0.

    Next Steps

    Review our technical guide to setting up an SMTP relay here:

    LINK NEEDED

    Option 3: Microsoft High Volume Email (HVE)

    For use cases where emails are sent only to internal addresses, High Volume Email (HVE) is a new option in preview for Microsoft 365 customers. Released in April, 2024, HVE will continue to support Basic Authentication (e.g., SMTP AUTH) until September 2028.

    Next Steps

    Read the full article here:

    High Volume Email: Continued support for Basic Authentication & other important updates

    Option 4: Software Solutions

    Many secure, simplified, and scalable software solutions exist to enhance your print, copy, scan, and fax environment. These advanced solutions offer secure alternatives to the above for sending emails from your devices. 

    Leave It To Us

    Please reach out to our technical advisory team to learn more about the solutions offered by the Marco team.

    Contact Marco
    Topics: Copiers & Printers