Exchange Online to Cut Off Some Devices and Apps Starting This Fall

Mary Jo Foley is the Editor in Chief at Directions on Microsoft. Before joining Directions, Mary Jo has worked as... more

Exchange Online will block Basic Authentication for SMTP client submission beginning in Sept. 2025, cutting off some devices and applications unless customers take action. At potential risk are devices such as mail-enabled document scanners and multifunction printers offering “scan to mail.” Applications that send e-mail alerts to groups of individuals, such as CRM applications notifying salespeople of a particular change, also could be impacted.

But never fear: Microsoft is here to save you from your security insecurities – for extra fees, of course.

Microsoft announced the Sept. 2025 Basic Authentication shutdown date last April, citing security risks as the cause. Microsoft gradually has been removing support for Basic Authentication and warning developers against it for years, saying the protocol is too vulnerable to brute force attacks.

Time to Go ‘Modern’?

Customers have several options to prevent mail cutoffs caused by the end of Basic Authentication. Generally, all users should be working to update e-mail senders to use “Modern Authentication,” while building interim solutions to deal with Basic Authentication senders still in use.

Modern Authentication is Microsoft’s name for a set of more secure authentication protocols based on the OAuth 2.0 protocol. With an upgrade to Modern Authentication, a device or app can send mail through Exchange Online to internal and external recipients with minimal other changes.

Many older devices and applications don’t work with Modern Authentication and cannot be upgraded. Conveniently, Microsoft does offer two e-mail services that accept SMTP client submission with Basic. However, both cost extra. (Got to keep those $20 billion USD-plus of Microsoft Security revenues coming in from somewhere)

Other Options (for a Fee)

The two ways Microsoft is offering to upsell you:

High Volume Email for Microsoft 365 (HVE). This paid add-on to Exchange Online, in preview, accepts SMTP client submissions with Basic Authentication. But HVE, which Microsoft has said will be generally available in Sept. 2025, can only deliver to internal recipients in Exchange Online. As announced earlier this month, Microsoft plans to permit Basic Authentication with HVE until Sept. 2028. Customers get three more years of using a less-secure authentication mechanism, as long as they are willing to pay. Win-win?

Azure Communication Services. This option offers video and voice calling over IP, SMS text, chat, and e-mail services that developers can build into applications. The e-mail services can accept SMTP client submission with Basic Authentication. Unlike HVE, Azure Communication Services can deliver to recipients inside and outside the customer organization, and the service already is generally available. But it doesn’t offer the same exact security, availability and privacy guarantees as Exchange Online.

Well-established third-party solutions such as Intuit Mailchimp and Twilio SendGrid are available, too, but they’ll also cost you extra.

“Microsoft deserves credit for campaigning against Basic Authentication all those years,” says Rob Helm, a Directions analyst. “I hate to see it slowing down just short of the goal to sell tickets.”