
Microsoft Disabling Basic Auth and how it will affect PG's use of the Office 365 SMTP Relay Service to send emails


Problem

Microsoft's upcoming plan to disable Basic Auth will disrupt the PortalGuard server's ability to send emails through the MS Office 365 SMTP relay.

From m365log.com:

"Beginning early 2022, as Microsoft rolls out the changes necessary to support this effort, they are also going to begin disabling Basic Auth for some customers on a short-term and temporary basis.

Microsoft will randomly select tenants and disable Basic Auth for all protocols for a period of 12-48 hours. After this time, these protocols will be re-enabled, if the tenant admin has not already re-enabled them using their self-service tools.  During this time all clients and apps that use Basic Auth in that tenant will be affected, and they will be unable to connect. Any client or app using Modern Auth will not be affected. Users can use alternate clients (for example, Outlook on the Web instead of an older Outlook client that does not support Modern Auth) while they upgrade or reconfigure their client apps.

How this will affect your organization:

If you receive a Message Center post between now and October 2022, informing you that Microsoft is going to disable Basic Auth for a protocol due to non-usage, or you get one saying they know you are using Basic Auth, but they intend to proactively disable it for a short period of time, and you don’t want us to disable specific protocols, you can use the new self-service feature in the Microsoft 365 admin center to opt-out and request that they leave specific protocols enabled until October 2022. Microsoft added this feature to help minimize disruptions as you transition away from using Basic Auth.

Microsoft will disable Basic Authentication beginning October 2022, and once that happens, users in your tenant will be unable to access their Exchange Online mailbox using Basic Authentication.

Read more here."

 

Solution

Even though Microsoft will be disabling Basic Auth via global tenant settings, they will still allow configuration of Basic Auth at the individual mailbox level.  Read on to learn more about what Microsoft has to say about it and see the instructions for making the configuration changes.

 

Important Background Information:

  1. When they are first created, user mailboxes receive the current global SMTP AUTH setting.
  2. The settings may not take effect immediately - some patience may be needed.
  3. Any time the global SMTP AUTH setting is changed, each mailbox is updated to the same status, so any mailbox that needs a different setting must be manually updated again.

 

From docs.microsoft.com:

The SMTP AUTH protocol is used for client SMTP email submission, typically on TCP port 587. SMTP AUTH supports modern authentication (Modern Auth).

Virtually all modern email clients that connect to Exchange Online mailboxes in Office 365 or Microsoft 365 (for example, Outlook, Outlook on the web, iOS Mail, Outlook for iOS and Android, etc.) don't use SMTP AUTH to send email messages.

Therefore, Microsoft highly recommends that you disable SMTP AUTH in your Exchange Online organization, and enable it only for the accounts (that is, mailboxes) that still require it.

There are two settings that can help you do this:

  • An organization-wide setting to disable (or enable) SMTP AUTH.
  • A per-mailbox setting that overrides the organization-wide setting.

Note that these settings only apply to mailboxes that are hosted in Exchange Online (Office 365 or Microsoft 365).


The rest of this article explains the steps for configuring the organization-wide and per-mailbox settings.

Organization-wide setting to disable (or enable) SMTP AUTH

  1. Download and install the EXO V2 Module (full article link)
    1. Download the EXO V2 Module from the PowerShell Gallery (link to download)
    2. Launch Microsoft PowerShell (must be v3.0 or later)
    3. Enter the following commands at the PowerShell prompt:
  • Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser
  • Import-Module ExchangeOnlineManagement
  • Connect-ExchangeOnline -UserPrincipalName <YOUR_USER_PRINCIPAL_NAME>

       NOTE: After running the “Connect-ExchangeOnline” command above, you may have to find the Windows login popup and enter your Microsoft password.


  2. Disable SMTP AUTH in your organization (full article link)

NOTE: You can only disable (or enable) SMTP AUTH globally for your organization's tenant by using the Exchange Online PowerShell (see how to install the EXO V2 module above).

To disable SMTP AUTH globally in your organization, run the following command from PowerShell.

  • Set-TransportConfig -SmtpClientAuthenticationDisabled $true

To verify that you've globally disabled SMTP AUTH in your organization's tenant, run the following command and verify that the value of the SmtpClientAuthenticationDisabled property is True.

  • Get-TransportConfig | Format-List SmtpClientAuthenticationDisabled

Per-mailbox setting that overrides the organization-wide setting to disable (or enable) SMTP AUTH

  1. Open the Microsoft 365 Admin Center and navigate to 'Users' > 'Active users'
  2. Select the user (Basic Auth in this example), and in the flyout that appears, click 'Mail'.
  3. In the Email apps section, click 'Manage email apps'.
  4. Verify the 'Authenticated SMTP' setting: unchecked = disabled, checked = enabled.
  5. When you're finished, click 'Save changes' at the bottom of the “Manage email apps” flyout.
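
The override rule described above (a per-mailbox value wins, a blank value inherits the organization-wide setting) can be audited in PowerShell. This is an added example, not PortalGuard or Microsoft code. It assumes the per-mailbox value is read from the SmtpClientAuthenticationDisabled property returned by Get-CASMailbox; the function name Get-EffectiveSmtpAuth and the example.com mailboxes are hypothetical, and the sample data is constructed.

```powershell
# Added example. Resolves the effective SMTP AUTH state for each mailbox:
# a per-mailbox value overrides the tenant value, and a blank ($null)
# per-mailbox value inherits the tenant value.
function Get-EffectiveSmtpAuth {
    param(
        [Parameter(Mandatory)] [bool] $OrgDisabled,
        [Parameter(Mandatory)] [object[]] $Mailbox
    )
    foreach ($mb in $Mailbox) {
        $perMailbox = $mb.SmtpClientAuthenticationDisabled
        if ($null -eq $perMailbox) {
            $source = 'Organization'; $disabled = $OrgDisabled
        } else {
            $source = 'Mailbox override'; $disabled = [bool]$perMailbox
        }
        [pscustomobject]@{
            Mailbox         = $mb.PrimarySmtpAddress
            SmtpAuthEnabled = -not $disabled
            DecidedBy       = $source
        }
    }
}

# Constructed sample data standing in for Get-CASMailbox output.
$sample = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'relay@example.com'; SmtpClientAuthenticationDisabled = $false }
    [pscustomobject]@{ PrimarySmtpAddress = 'alice@example.com'; SmtpClientAuthenticationDisabled = $null }
    [pscustomobject]@{ PrimarySmtpAddress = 'bob@example.com';   SmtpClientAuthenticationDisabled = $true }
)

# With SMTP AUTH disabled tenant-wide, list the mailboxes that can still use it.
Get-EffectiveSmtpAuth -OrgDisabled $true -Mailbox $sample |
    Where-Object SmtpAuthEnabled |
    Format-Table -AutoSize

# Against a live tenant (after Connect-ExchangeOnline):
# $org = (Get-TransportConfig).SmtpClientAuthenticationDisabled
# Get-EffectiveSmtpAuth -OrgDisabled $org -Mailbox (Get-CASMailbox -ResultSize Unlimited)
# Enable the override for the one mailbox that sends through the relay:
# Set-CASMailbox -Identity relay@example.com -SmtpClientAuthenticationDisabled $false
```

Any mailbox reported with DecidedBy set to 'Mailbox override' and SmtpAuthEnabled set to True should correspond to a known sender such as the PortalGuard relay account.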


REV. 10/2021 | PortalGuard

  • 11-Oct-2021