Background
Many legacy applications use authenticated SMTP to send email notifications. Since most organizations use Exchange Online as their email provider, leveraging it as a mail relay for service accounts is helpful and convenient. About five or so years ago, Microsoft began enabling Security Defaults for all new tenants and, shortly after, began deprecating Basic Authentication in Exchange.
While it’s possible to utilize smtp.office365.com as a relay for appliances such as printers and scanners, this may or may not be feasible in a particular use case, as was my situation. After many hours of research, trial, and error, I’d finally worked through all the pieces to get authenticated SMTP working with Security Defaults and Modern Authentication enabled.
Prerequisites
You’ll need to ensure the following is configured for the account you want to use:
- MFA is enabled for the target user account in the Microsoft Entra admin center
- The SmtpClientAuthenticationDisabled property (Exchange Online PowerShell) is set to $false (meaning that authenticated SMTP is enabled for this user)
- Generate and record an App Password for the user
- Disable POP3 and IMAP to prevent TLS downgrade attacks (optional, but highly recommended)
Putting it All Together
Instead of targeting smtp.office365.com on port 587 as our mail relay, we’ll use [YourTenantID].protection.outlook.com on port 25 with the StartTLS property (required).
We can use PowerShell to test this:
Send-MailMessage -SmtpServer [YourTenantID].protection.outlook.com -UseSsl -Port 25 -From me@mydomain.com -To you@yourdomain.com -Subject "Test Email" -Body "Testing, 1, 2, 3?"Yes, I know the Sent-MailMessage cmdlet is obsolete and doesn’t guarantee secure connections to SMTP servers, but in this case, we’re only using it to test our settings and connectivity.
If it works, we know that any remaining fault lies with the application configuration and/or the environment it resides in, not your Microsoft 365 setup.
