Microsoft disabling Basic Auth and how it will affect PG's use of Office 365's SMTP Relay Service for sending emails

Problem

Microsoft's upcoming plan to disable Basic Auth will interfere with PortalGuard's ability to send emails via the MS Office 365 SMTP relay.

From m365log.com:

Starting in early 2022, Microsoft will also temporarily disable Basic Auth for some customers while it implements the changes necessary to support this effort.

Microsoft will randomly select tenants and disable Basic Auth for all protocols for a period of 12 to 48 hours. If the tenant admin has not already enabled these protocols with their self-service tools, they will be re-enabled after this period.  All clients and apps using Basic Auth in that tenant will be affected during this period, and they will not be able to connect. Clients and apps using Modern Auth will not be impacted. While upgrading or reconfiguring their client apps, users can use alternate clients (for example, Outlook on the Web instead of an older Outlook client that does not support Modern Auth).

This will affect your organization in the following ways:

The new self-service option in the Microsoft 365 admin center allows you to opt-out and request that certain protocols remain enabled until October 2022 if you receive a Message Center post about Microsoft disabling Basic Auth for a protocol between now and then, or if Microsoft sends you a message saying they intend to disable Basic Auth for a short period of time. It was added by Microsoft to minimize disruptions during the transition from Basic Auth to Windows Authentication.

After October 2022, Microsoft will disable Basic Authentication, and users in your tenant will not be able to access their Exchange Online mailbox using Basic Authentication.

Solution

The configuration of Basic Auth will still be available at the mailbox level even though Microsoft will disable it via global tenant settings.  Discover what Microsoft says about it and how to change the configuration.

Important Background Information:

  1. When user mailboxes are created, they receive the current global SMTP AUTH setting.
  2. It may take some time for the settings to take effect - patience is required.
  3. If the global SMTP AUTH setting is changed, each mailbox will be updated to the same status, and it will need to be manually updated if necessary.

From docs.microsoft.com:

Clients submit email using the SMTP AUTH protocol, which runs on TCP port 587. Modern authentication (Modern Auth) is supported by SMTP AUTH.

The majority of modern email clients (for example, Outlook, Outlook on the web, iOS Mail, and Outlook for iOS and Android, etc.) do not use SMTP AUTH when sending email messages to Exchange Online mailboxes in Office 365 or Microsoft 365.

Therefore, you should disable SMTP AUTH in your Exchange Online organization, and enable it only for those accounts (that is, mailboxes) that still require it.

There are two settings that can help you do this:

  • SMTP authorization can be disabled (or enabled) at the organization level.
  • A setting per mailbox that overrides the organization-wide setting.

These settings apply only to mailboxes that are hosted in Exchange Online (Office 365 or Microsoft 365).

The rest of this article explains the steps for changing the organization-wide setting and the per-mailbox setting.

Disable or enable SMTP authentication organization-wide

1. Install the EXO V2 Module

  1. The EXO V2 Module can be downloaded from the PowerShell Gallery (link to download)
  2. Open Microsoft PowerShell (version 3.0 or later)
  3. At the PowerShell prompt, type the following commands, replacing <UPN> with the user principal name of the account you sign in with:

"Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser"

"Import-Module ExchangeOnlineManagement"

"Connect-ExchangeOnline -UserPrincipalName <UPN>"

2. Disable SMTP AUTH in your organization

NOTE: SMTP AUTH can only be disabled (or enabled) through the Exchange Online PowerShell (see how to install the EXO V2 module above).

Run the following PowerShell command to disable SMTP AUTH globally in your organization.

"Set-TransportConfig -SmtpClientAuthenticationDisabled $true"


Verify that the SmtpClientAuthenticationDisabled property is set to True in your organization's tenant by running the following command.

"Get-TransportConfig | Format-List SmtpClientAuthenticationDisabled"


Per-mailbox setting that overrides the organization-wide setting to disable (or enable) SMTP AUTH

1. Visit the Microsoft 365 Admin Center and select 'Users' > 'Active users'

2. In the flyout that appears, click 'Mail' for the selected user (Basic Auth in this example).

3. Verify that the 'Authenticated SMTP' setting is enabled: unchecked = disabled, checked = enabled.

4. On the "Manage email apps" flyout, click "Save changes" when you're done.
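
The per-mailbox override can also be set and audited from the same Exchange Online PowerShell session used above. The following is an added example, not part of the original article or Microsoft's documentation; it assumes a session opened with Connect-ExchangeOnline, and the mailbox address is a placeholder for the account PortalGuard sends mail with.

```powershell
# Added example. Assumes an Exchange Online PowerShell session is already open.
# Placeholder address: replace with the mailbox PortalGuard authenticates as.
$relayMailbox = 'portalguard-relay@example.com'

# Organization-wide setting: $true means SMTP AUTH is disabled for the tenant.
$orgDisabled = (Get-TransportConfig).SmtpClientAuthenticationDisabled

# Per-mailbox override: $false enables SMTP AUTH for this mailbox only,
# $true disables it, and $null removes the override so the tenant setting applies.
Set-CASMailbox -Identity $relayMailbox -SmtpClientAuthenticationDisabled $false

# Audit: work out the effective SMTP AUTH state of every mailbox.
$report = Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    $override = $_.SmtpClientAuthenticationDisabled
    # A blank override inherits the tenant value; otherwise the mailbox value wins.
    $disabled = if ($null -eq $override) { $orgDisabled } else { $override }
    [pscustomobject]@{
        Mailbox         = $_.PrimarySmtpAddress
        MailboxOverride = if ($null -eq $override) { '(inherits tenant)' } else { $override }
        SmtpAuthEnabled = -not $disabled
    }
}

# Mailboxes that still accept SMTP AUTH.
$enabled = @($report | Where-Object { $_.SmtpAuthEnabled })
$enabled | Sort-Object Mailbox | Format-Table -AutoSize

# Anything other than the relay mailbox is an exception worth reviewing.
$unexpected = @($enabled | Where-Object { $_.Mailbox -ne $relayMailbox })
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} mailbox(es) besides {1} still allow SMTP AUTH." -f `
        $unexpected.Count, $relayMailbox)
}
```

Because changes can take time to propagate, rerun the audit portion after a delay to confirm the result.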