Microsoft missed its April 30, 2026 SMTP AUTH deadline

April 30, 2026 was supposed to be the day Microsoft 365 stopped accepting passwords from email-sending devices over SMTP AUTH. It did not happen. On January 27, 2026, the Exchange team quietly postponed enforcement to the end of December 2026, citing real-world migration pain. Anyone who scrambled to reconfigure scanners, printers, and line-of-business apps to OAuth this spring was on the right track — anyone who did not now has eight more months before the actual cutover.

What was supposed to happen yesterday

Microsoft had announced that on April 30, 2026, all Basic authentication SMTP AUTH connections to Exchange Online would be rejected with the error “550 5.7.30 Basic authentication is not supported for Client Submission.” The plan was a phased rollout starting March 1, 2026, ramping to 100% rejection by April 30. That plan was reversed three days before the March 1 phase-out began.

The original deprecation notice went up on the Microsoft Tech Community Exchange blog on April 15, 2024, with a hard end date of September 2025. (Source: Microsoft Tech Community, April 15, 2024.) Microsoft pushed it once to April 30, 2026, then on January 27, 2026 pushed it again to end-of-December 2026 in an “Updated Exchange Online SMTP AUTH Basic Authentication Deprecation Timeline” post. (Source: Microsoft Tech Community, January 27, 2026.)

The reason given by Microsoft, in the company’s own words, was that organizations face “real challenges modernizing legacy email workflows.” MVP Tony Redmond, in his January 29, 2026 write-up at Office 365 IT Pros, read the climbdown as recognition that updating legacy systems — printers, ERP modules, custom scripts — to OAuth requires substantially more effort than Microsoft initially estimated. (Source: Office 365 IT Pros, January 29, 2026.)

Why this matters for end users and SMBs

If you run a small business on Microsoft 365 and your office printer scans-to-email, your accounting software emails invoices, or a backup tool sends alerts, those flows almost certainly use Basic auth over SMTP AUTH. The April 30 reprieve does not cancel the migration — it postpones it. Devices that vendors have not patched will eventually fail, and the new soft-deadline is December 31, 2026.

Basic authentication is the password-in-the-clear method that has shipped with SMTP since the 1990s. The credentials are technically encrypted by TLS in transit, but the password itself sits in the device’s configuration file or firmware, plain and reusable. Phishing kits and credential-stuffing scripts have been harvesting those passwords for two decades. Microsoft started turning Basic auth off for IMAP, POP, and EWS years ago — Client Submission SMTP was the last protocol still allowed in.

The class of devices and apps that depend on Basic auth is wide and quiet. Multifunction printers and scanners with scan-to-email firmware. Monitoring tools, network security appliances, and backup systems that send alert emails. ERP and accounting platforms — including older Business Central and NAV deployments — with hardcoded SMTP credentials. Custom Python or PowerShell scripts written by an admin who has since left the company. (Source: SMTP2GO, February 10, 2026.)

What the new timeline actually says

The revised plan has four checkpoints: nothing changes through December 2026; on December 31, 2026 Basic auth for SMTP AUTH is disabled by default for existing tenants but admins can re-enable it; new tenants from January 2027 onward will not have the option at all; and the final removal date for everyone will be announced sometime in the second half of 2027.

In practice that means three things. Existing Microsoft 365 customers have eight months from today to inventory and migrate. New tenants spun up from 2027 forward simply will not be able to use Basic auth on SMTP — vendors selling devices into those accounts have a hard deadline. And anyone who reads the December 2026 disable as a final shutdown is wrong: an administrator who flips the toggle back on will keep their legacy gear running until the still-unannounced 2027 final date.

The official alternatives Microsoft lists are unchanged. Update the device or app to OAuth-aware SMTP AUTH. Switch to High Volume Email for Microsoft 365 for internal-only flows. Or use Azure Communication Services Email for flows that hit external recipients. None of those are free or zero-effort, which is why the deadline keeps moving.

What to do this week

Open the Exchange Admin Center, run the SMTP AUTH Clients report, and you will see exactly which devices and apps still authenticate with a password. That list is your migration backlog. Pick low-risk targets first — a single test printer, one report-generator script — confirm OAuth works, then expand. The window is comfortable but not infinite.

I have done this drill on three different Microsoft 365 tenants in the last month. The pattern is identical: between three and twelve devices show up in the report, half of them are printers nobody remembers configuring, and one or two are line-of-business tools whose vendors quietly shipped an OAuth update in 2024 that nobody installed. The report is the cheapest hour of email hygiene you will spend this quarter.

For Gmail-side comparisons, see our coverage of Gmail’s bulk sender requirements. For a rundown of which desktop clients already speak OAuth cleanly to Microsoft 365, our best email clients for Windows 2026 guide covers the field.

The April 30 deadline came and went without enforcement. December 31 will not be the same kind of soft drop. Plan accordingly.

Alexis Dollé

Founder & Editor

Alexis Dollé, email expert for 10+ years. Founder of Email Tools. I test every email client and utility myself, then write about them the way I’d explain them to a friend — no marketing fluff, no sponsored rankings, every claim sourced.

Frequently asked questions

Did Microsoft kill Basic auth for SMTP AUTH on April 30, 2026? — no, it postponed enforcement to end of December 2026

No. On January 27, 2026, Microsoft postponed the deadline. Basic auth for SMTP AUTH in Exchange Online now remains available through the end of December 2026, and even after that date administrators can still re-enable it on a tenant. The original April 30, 2026 cutover never happened.

What is SMTP AUTH Basic authentication, in plain terms? — password-in-config legacy login

It is the legacy login method where a device or app sends a Microsoft 365 username and password in plain text over an encrypted SMTP connection to relay email. Modern OAuth uses tokens instead, so the password never travels with each message.

What devices and apps are most at risk? — printers, monitoring tools, ERP, scripts

Multifunction printers and scanners with scan-to-email, monitoring and backup tools that send alert emails, ERP and accounting systems with hardcoded credentials, and small line-of-business apps that vendors have not updated to OAuth.

What is the new deadline? — December 31, 2026 soft cutover, final removal in 2027

End of December 2026 for existing tenants, after which Basic auth for SMTP AUTH will be disabled by default but still re-enableable by an administrator. New Microsoft 365 tenants created from January 2027 will not have the option at all. Microsoft says it will announce the final removal date in the second half of 2027.

What is the error message if Basic auth is rejected? — 550 5.7.30

550 5.7.30 Basic authentication is not supported for Client Submission. If you see that bounce, the sending device is using the legacy method against a tenant where it has already been disabled.

What should I do as an SMB owner today? — run the SMTP AUTH Clients report

Run the SMTP AUTH Clients report in the Exchange Admin Center to see which devices still use Basic auth, then plan a switch to OAuth, to High Volume Email for Microsoft 365 (internal), or to Azure Communication Services Email (internal and external). Test before December.

Sources