Microsoft is deprecating Basic Authentication for SMTP in Microsoft 365. For many organizations, this won’t just be a technical change — it will break printers, scanners, legacy applications, embedded devices, and older systems that cannot use Modern Authentication.
If you rely on SMTP Basic Auth today, you’ll need a plan.
This post walks through the real-world options, with honest advantages and trade-offs, so you can choose what fits your environment.
What’s changing?
Microsoft is removing Basic Authentication because it:
- Can’t properly scope access
- Lacks modern identity and policy controls
- Makes enforcing Conditional Access and Zero Trust harder
From Microsoft’s perspective, this makes sense. But in reality, many environments still depend on systems that cannot use OAuth or Modern Auth, including:
- Multi-function printers and scan-to-email devices
- Legacy ERP, monitoring, and ticketing systems
- Embedded and industrial devices
- Older applications with no upgrade path
So what are your actual options?
Option 1 — Run your own SMTP server
You can deploy and operate your own SMTP server (Postfix, Exchange Server, Sendmail, etc.), authenticate devices locally, and relay mail to Microsoft 365.
Advantages
- Full control over authentication and policy
- Works with almost any legacy device
- No vendor lock-in
Trade-offs
- You now operate mail infrastructure
- Deliverability, spam handling, reputation, and abuse prevention become your responsibility
- You introduce a parallel email system outside Microsoft 365
- Higher long-term operational and security overhead
- More compliance and auditing complexity
Best for: Teams already comfortable running mail infrastructure and managing email security.
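As an added illustration (not configuration from this post or from Microsoft), here is what the device-facing side of Option 1 can look like in a Postfix main.cf, with the settings that keep the relay from becoming an open relay called out in comments. Assumptions: a Dovecot SASL backend, and a Microsoft 365 inbound connector that accepts mail from this relay's IP address or certificate. All addresses, hostnames, and file paths are placeholders.

```conf
# /etc/postfix/main.cf (excerpt): authenticated relay for legacy devices.
# Constructed example; addresses, hostnames and paths are placeholders.

# Listen on loopback and the internal interface the devices reach.
inet_interfaces = 127.0.0.1, 10.0.10.5

# Do not trust clients by source address alone. The weak pattern is a
# broad mynetworks range combined with permit_mynetworks, which lets
# any host on the LAN relay without credentials.
mynetworks = 127.0.0.0/8

# Devices authenticate locally (SASL backend assumed: Dovecot).
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

# Offer AUTH only after STARTTLS so passwords never cross the wire in
# clear text. Devices without TLS support will fail here; treat them
# as documented exceptions instead of relaxing this globally.
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/tls/relay.example.internal.crt
smtpd_tls_key_file = /etc/postfix/tls/relay.example.internal.key

# Relay only for authenticated clients; reject everything else.
smtpd_relay_restrictions = permit_sasl_authenticated, reject

# Bind each login to the sender addresses it is allowed to use.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login
smtpd_sender_restrictions = reject_sender_login_mismatch

# Per-client message rate limit to contain a compromised device.
smtpd_client_message_rate_limit = 30

# Hand all mail to Microsoft 365 and require TLS on that hop.
# Placeholder host; the brackets suppress the MX lookup.
relayhost = [example-com.mail.protection.outlook.com]:25
smtp_tls_security_level = encrypt
```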
Option 2 — Use a third-party SMTP relay SaaS
Many cloud providers offer SMTP relay services for transactional and application email.
Advantages
- Easy to set up
- No mail server maintenance
- Often strong deliverability and reliability
Trade-offs
- Mail leaves Microsoft 365 entirely
- Compliance, data residency, and auditing may become more complex
- Adds another vendor dependency
- Not ideal for internal or mailbox-bound email
- Introduces a separate outbound mail pipeline
Best for: External or non-sensitive transactional email workloads.
Option 3 — Replace or modernize legacy systems
If possible, migrate senders to:
- OAuth-capable mail clients
- Microsoft Graph
- Updated vendor software
Advantages
- Fully aligned with Microsoft’s long-term strategy
- No workaround or compatibility layers
- Most future-proof option
Trade-offs
- Often expensive or slow
- Hardware replacement may be required
- Some legacy systems cannot be upgraded
- Real-world modernization timelines are long
Best for: Organizations already planning application or hardware modernization.
Option 4 — Use Azure Communication Services Email (Microsoft)
Microsoft now offers Azure Communication Services (ACS) Email, positioned as a supported alternative to Exchange SMTP AUTH. It supports Basic authentication and is designed for high-volume email sending.
Microsoft explicitly documents migrating SMTP workloads from Exchange to ACS.
Advantages
- Microsoft-native platform
- Supports SMTP relay with Basic Auth
- Designed for high-volume transactional email
- No Exchange mailbox licensing required
- Scales well for application- or device-generated email
- Microsoft-recommended migration path
Trade-offs
- Setup can be complex (Azure resources, Entra ID apps, DNS, SMTP identity mapping)
- Some legacy devices fail due to long SMTP username constraints
- Email does not live inside Exchange Online mailboxes
- Focused on sending, not mailbox or IMAP workflows
- Introduces a parallel outbound email pipeline separate from Microsoft 365 mailboxes
- Product is newer and still evolving
Best for: Organizations that want a Microsoft-native SMTP relay and are comfortable running a separate email sending pipeline outside Exchange Online.
Option 5 — Use lette.io (keep all mail inside Microsoft 365)
lette.io is built specifically for organizations that need to keep legacy SMTP and IMAP working — without running a parallel mail server and without moving mail outside Microsoft 365.
Instead of replacing Exchange Online, lette.io acts as a compatibility and authentication bridge:
- Legacy clients continue using SMTP and IMAP
- Authentication is handled securely
- Access is scoped to mail only
- All mail stays in Exchange Online — no split infrastructure
Advantages
- No separate SMTP or IMAP server to operate
- No mail leaving Microsoft 365
- Works with printers, scanners, legacy apps, and older clients
- Preserves Microsoft 365 compliance, auditing, and mailbox semantics
- Centralized management and monitoring
- Avoids creating a parallel mail system
- Flexible, mailbox-based licensing — scale up or down anytime, cancel when you no longer need it
Trade-offs
- External SaaS dependency
- Focused on legacy IMAP/SMTP — not a general mail server replacement
- Designed as a compatibility layer, not a full MTA
Best for: Teams that want Microsoft 365 to remain the single source of truth while keeping legacy workflows alive.
Comparing the real-world options
| Option | Mail stays in Exchange Online | Works with legacy SMTP | Complexity | Parallel mail pipeline |
|---|---|---|---|---|
| Run your own SMTP server | no | yes | High | yes |
| SMTP relay SaaS | no | yes | Low–Medium | yes |
| Modernize systems | yes | no | High | no |
| Azure ACS Email | no | yes | Medium–High | yes |
| lette.io | yes | yes | Low | no |
Choosing the right path
There is no universal best answer. The right choice depends on:
- How many legacy systems you must support
- Compliance and data residency requirements
- Internal operational capacity
- Whether you can tolerate a parallel email pipeline
- How long legacy workflows must remain operational
What matters most is avoiding rushed, fragile workarounds once Microsoft’s deadline arrives.
Final thought
SMTP Basic Auth going away doesn’t mean legacy email must stop working — but it does require a deliberate architectural decision.
Whether you self-host, use Azure Communication Services, rely on a third-party relay, modernize applications, or adopt a compatibility layer like lette.io, the best outcome is one where:
- Email remains secure
- Operations stay manageable
- Microsoft 365 remains the source of truth
If you want to explore how lette.io fits into your environment, you can start a free trial or reach out — we’re happy to discuss real-world scenarios.