Microsoft has announced upcoming security changes in Microsoft 365 that will likely interrupt scan‑to‑email features on many multifunction printers (MFPs) beginning March 1, 2026. These updates affect how devices authenticate when sending email through Microsoft 365. Below is an overview of what’s changing and how you can prepare.
How MFPs Typically Send Email
Organizations that have fully moved their mail services to Microsoft 365 or Office 365 must configure their multifunction devices and applications in a specific way to send email. While MFPs can generate the email message, they cannot deliver it on their own—these devices depend on Microsoft’s mail servers to complete the process.
Microsoft outlines three commonly used methods:
1. Client SMTP Submission (SMTP AUTH)
Uses a mailbox username and password to authenticate and send email.
2. SMTP Relay
Allows the device to connect as if it were a mail server. Authentication occurs through an inbound connector rather than user credentials.
3. Direct Send
Sends email without authentication directly to Microsoft 365, treating the device like an external server.
What Is Microsoft Changing About SMTP AUTH?
Microsoft is retiring Basic Authentication for SMTP AUTH. According to Microsoft’s announcement:
- A gradual phase‑out begins March 1, 2026, with a small percentage of requests being rejected.
- The transition completes April 30, 2026, when 100% of Basic Authentication SMTP AUTH requests will be denied.
Once this happens, any device or application still relying on Basic Authentication will no longer be able to send email unless it switches to OAuth or another supported method.
Microsoft has been eliminating Basic Authentication across its services for several years because it transmits credentials in an insecure format. SMTP AUTH was the last protocol still exempt—until now.
This means many organizations still using SMTP AUTH today will experience failures unless they make changes ahead of time.
How to Check Whether Your Devices Are Using SMTP AUTH
You can verify which devices or applications depend on SMTP AUTH by reviewing the SMTP AUTH Client Submission Report in the Exchange admin center.
Steps:
- Sign in to Exchange admin center.
- Navigate to Reports → Mail flow → SMTP AUTH Clients Submission Report.
- Review the following details in the report:
- The user or application sending mail
- The SMTP AUTH endpoint used
- The authentication method shown—Basic or OAuth
If the authentication method shows Basic, that device will stop functioning once Basic Authentication is removed.
If it shows OAuth, you’re already using modern authentication and will not be impacted.
How to Prepare for the End of SMTP AUTH
After identifying which devices rely on SMTP AUTH, organizations generally have four paths forward.
Option 1: Move to OAuth 2.0 (Modern Authentication)
OAuth 2.0 replaces Basic Authentication and uses short‑lived access tokens instead of stored credentials. It supports MFA, conditional access, and granular security policies.
However, there are limitations:
- Support varies widely between manufacturers.
- Each MFP must be configured individually.
- Firmware updates may be required, and some models will never receive them.
Current manufacturer support examples:
- HP: Supported on FutureSmart 5.7+
- Canon: Supported on uFP 3.18+
- Lexmark: Supported on FW24+
- Sharp: Supported on most newer models
- Konica Minolta: Limited rollout, expected wider availability in late summer 2026
- Xerox: No current OAuth 2.0 support
- Ricoh: Partial support only
Option 2: Set Up an SMTP Relay Through Microsoft 365 (Recommended)
For most organizations—especially those with older devices—SMTP relay is the most practical solution.
SMTP relay uses:
- IP address restrictions
- TLS encryption
This removes reliance on device credentials and ensures continued compatibility even for devices that do not support OAuth.
Option 3: Use Microsoft High Volume Email (HVE)
If your MFPs only need to send messages internally, Microsoft’s High Volume Email (HVE) service may be an option.
HVE:
- Entered preview in April 2024
- Allows Basic Authentication through September 2028
- Works only for internal mail delivery scenarios
Option 4: Explore Software-Based Alternatives
A wide range of software platforms offer more secure and centralized ways to handle scan, fax, and email workflows. Many of these tools eliminate the need to configure email settings directly on each device.
Need Help? We’ll Handle It.
If you need guidance choosing the right option or configuring your devices, our technical advisory team is ready to help. We also maintain an extensive knowledge base with Microsoft resources and manufacturer setup guides for additional support.
