Microsoft has once again updated its timeline for the decommissioning of Basic Authentication for SMTP AUTH in Exchange Online, providing organizations with additional time, but also a clearer signal that the change is inevitable.
For businesses still relying on legacy email authentication methods, this update reinforces the importance of planning a transition to more secure alternatives.
A Quick Recap: How the Timeline Changed
Microsoft originally announced that Basic Authentication for Exchange Online SMTP AUTH would be disabled in September 2025. In response to customer feedback and adoption challenges, that deadline was later extended to April 2026, giving organizations more runway to modernize email workflows.
Now, Microsoft has released a more refined, phased timeline that outlines exactly what organizations can expect moving forward.
The Updated Microsoft Timeline
According to Microsoft’s latest guidance:
- Now through December 2026
SMTP AUTH Basic Authentication behavior remains unchanged for existing tenants. - End of December 2026
SMTP AUTH Basic Authentication will be disabled by default for existing tenants. Administrators will still be able to manually re-enable it if needed. - New tenants created after December 2026
SMTP AUTH Basic Authentication will be unavailable by default. OAuth will be the only supported authentication method. - Second half of 2027
Microsoft will announce the final removal date for SMTP AUTH Basic Authentication.
This phased approach gives organizations more time to plan, test, and deploy modern authentication, but it also makes clear that Basic Auth is on a defined path to retirement.
Why Microsoft Is Phasing Out Basic Authentication
Basic Authentication transmits usernames and passwords in plain text, making it significantly more vulnerable to credential theft, phishing, and brute-force attacks. Microsoft has been systematically removing Basic Auth across its services as part of a broader security initiative.
Modern authentication methods such as OAuth 2.0 provide stronger protection, support conditional access policies, and reduce the risk of unauthorized access.
What This Means for Email and Fax-to-Email Workflows
Many organizations still depend on SMTP-based workflows for applications, devices, and fax-to-email communications. As Microsoft continues to tighten security defaults, these workflows must be evaluated to ensure they remain reliable and compliant.
Waiting until Basic Authentication is disabled by default can lead to unexpected disruptions, especially for unattended systems, legacy applications, and healthcare or regulated environments where uptime is critical.
How Fenestrae Helps Organizations Prepare
Fenestrae works closely with customers to ensure email and fax workflows remain secure, compliant, and aligned with Microsoft’s evolving requirements. Our solutions are designed to support modern authentication approaches and reduce reliance on legacy protocols that are being phased out.
Whether you are preparing for OAuth adoption or reviewing existing integrations, now is the right time to assess your environment and plan the transition, before Basic Authentication becomes unavailable by default.
Talk to Fenestrae Today
Microsoft’s latest update offers more time, but not a permanent reprieve. The message is clear: Basic Authentication is being retired, and organizations that act early will avoid disruption and strengthen their security posture in the process.
If you have questions about how these changes may impact your faxing or messaging workflows, talk to the Fenestrae team.
