SMTP Authentication with Microsoft’s 365 Exchange On-line Suddenly Disrupted?

Microsoft has been engaged in the removal of Basic Authentication from their Exchange On-line systems for almost a year. The final cutoff is currently set for October of 2022. Some business applications and devices like scanners log on to the cloud with their own user account to deliver their messages. Older apps and machines that impersonate a Microsoft 365 user in this way may not support MFA (Multi-Factor Authentication), aka 2FA.

In preparation for decommissioning the basic logon protocol, Microsoft has begun modifying the SmtpClientAuthenticationDisabled attribute for Tenants and mailboxes they’ve deemed to not be using it anyway. According to their documentation, they will post a notification in the Message Center before making the changes to your organization’s subscription. We’ve received multiple reports of this change affecting established systems that are used every day, with no message being seen in the Microsoft portal.

If you find that your apps, MFPs, or other non-Outlook email clients have suddenly stopped working, there are some useful PowerShell commands that will help you diagnose the situation. You can also re-enable SMTP authentication for either your entire Org or for individual mailboxes. Most of this information is outlined in another Microsoft Document.

To check the SMTP Authentication status of an Exchange On-line subscription, log on from a PowerShell session in your favorite terminal app. The instructions in this post assume that you have already installed the new EXO V2 PowerShell module.

To check settings for the organizational level, run the command below. An output of True means the authentication is disabled at the top level. This is not the whole story. Each mailbox can also have its own setting. The top-level only applies when a mailbox’s corresponding attribute is blank.

Get-TransportConfig | Format-List SmtpClientAuthenticationDisabled

If the mailbox SmtpClientAuthenticationDisabled attribute is set to a value other than $null (empty in the report you generate below), it overrides the top-level setting. Use this one-liner to generate a report showing each account’s setting.

Get-CasMailbox | Select DisplayName, PrimarySmtpAddress, SmtpClientAuthenticationDisabled
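
The override rule described above can be resolved per mailbox, so that the report shows which accounts can actually still authenticate over SMTP rather than only the raw attribute. This is an added example, not part of the original post; it assumes an already connected Exchange Online PowerShell session, and the variable names and the output columns MailboxSetting, SettingSource and SmtpAuthEnabled are made up for illustration.

```powershell
# Added example: assumes an existing Exchange Online PowerShell session.
# Organization-wide default ($true means SMTP AUTH is disabled).
$orgDisabled = (Get-TransportConfig).SmtpClientAuthenticationDisabled

$report = Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    $mbxValue = $_.SmtpClientAuthenticationDisabled

    # A blank ($null) mailbox value inherits the organization setting;
    # any other value overrides it.
    if ($null -eq $mbxValue) {
        $source   = 'Organization'
        $disabled = $orgDisabled
    } else {
        $source   = 'Mailbox'
        $disabled = $mbxValue
    }

    [pscustomobject]@{
        DisplayName        = $_.DisplayName
        PrimarySmtpAddress = $_.PrimarySmtpAddress
        MailboxSetting     = if ($null -eq $mbxValue) { '(blank)' } else { $mbxValue }
        SettingSource      = $source
        SmtpAuthEnabled    = -not $disabled
    }
}

# Mailboxes where SMTP AUTH is effectively enabled, and where that comes from.
$report | Where-Object SmtpAuthEnabled |
    Sort-Object SettingSource, DisplayName |
    Format-Table -AutoSize

# Count of mailboxes per effective state and source.
$report | Group-Object SmtpAuthEnabled, SettingSource | Select-Object Count, Name
```

Rows with SettingSource set to Mailbox keep their state regardless of later changes to the organization default, which makes them the ones to review when only specific devices or apps should retain SMTP AUTH.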

To change the Organizational (default) level, execute the following line in your console. Change the value at the end from $true to $false to fit your desired outcome.

Set-TransportConfig -SmtpClientAuthenticationDisabled $true

To modify individual mailboxes, you’ll need the email address. The SmtpClientAuthenticationDisabled value can be set to $true (disable SMTP auth), $false (enable SMTP auth), or $null (use ORG level).

Set-CASMailbox -Identity "<mailbox email address>" -SmtpClientAuthenticationDisabled $true

Use this simple script to modify all of your mailboxes at once; the same values apply here. Note: if you are at a larger company, you may need to add the -ResultSize Unlimited switch. As written, it will enable SMTP Authentication for all mailbox accounts.

# Collect the primary SMTP address of every mailbox
$mailboxes = Get-CasMailbox | Select-Object -ExpandProperty PrimarySmtpAddress

# $false enables SMTP authentication on each mailbox
foreach ($mailbox in $mailboxes) {
    Set-CasMailbox -Identity $mailbox -SmtpClientAuthenticationDisabled $false
}
