What happens to MFP scan-to-email when Microsoft disables SMTP AUTH?
When Microsoft disables SMTP AUTH Basic authentication, at the end of December 2026, any multifunction printer configured to send scanned documents through Microsoft 365 using stored credentials will stop delivering email.
Devices won't generate an error message; mail will simply fail to send.
Organizations need to audit their MFP fleet now and reconfigure affected devices to use OAuth 2.0 or connector-based SMTP relay before the deadline.
Key Takeaways
- Microsoft will disable SMTP AUTH Basic authentication by default for existing Microsoft 365 tenants at the end of December 2026, with permanent removal announced in the second half of 2027.
- Most MFPs currently use Basic auth to route scan-to-email through Microsoft 365. This configuration could break without intervention, often without any warning.
- IT administrators can identify affected devices in about ten minutes using the SMTP AUTH Clients Submission Report in the Exchange admin center.
- The migration path differs by device: newer models may support OAuth 2.0, while legacy fleets are often better served by connector-based SMTP relay.
- Organizations with mixed fleets should audit and triage now, treating this as a phased maintenance task rather than waiting until the December deadline creates time pressure.
Most offices run scan-to-email without thinking twice about it.
Someone scans an HR form, a contract, a patient intake sheet, and it lands in an inbox seconds later.
What almost no one thinks about is how that email actually leaves the printer.
Microsoft is changing that underlying mechanism, SMTP AUTH, and organizations that don't act before the deadline will find their MFPs going silent with no warning.
How MFPs Send Email Through Microsoft 365 (and Why It's About to Break)
Your multifunction printer is a scanner with a very specific limitation: it can build an email, but it can't deliver one.
Most Microsoft 365 environments use one of three methods to route MFP scan-to-email:
- SMTP AUTH (the device signs in as a mailbox using stored credentials)
- Connector-based relay (the device sends through a Microsoft 365 connector authenticated by IP address or certificate)
- Direct Send (unauthenticated, internal-only routing that introduces its own complications).
SMTP AUTH with Basic authentication has been the default for many businesses.
Basic authentication is exactly what it sounds like: a username and a password. The MFP stores those credentials and presents them every time it connects to send mail. For years, this worked fine.
The problem is that static, stored credentials are a well-documented attack surface in that it’s vulnerable to password spraying, credential theft, and brute force attempts. Microsoft has been systematically removing Basic auth from Exchange Online since 2019, and SMTP AUTH is the last holdout.
When Is Microsoft Sunsetting the SMTP AUTH?
Microsoft updated its deprecation timeline in January 2026, giving organizations additional runway.
Here’s the timeline for these changes in a nutshell.
- Through the end of December 2026, SMTP AUTH Basic authentication behavior remains unchanged for existing tenants.
- At the end of December 2026, Basic authentication for SMTP AUTH will be disabled by default, though administrators can still re-enable it if needed.
- For new tenants created after December 2026, Basic authentication will be unavailable entirely.
In the second half of 2027, Microsoft will announce the final, permanent removal date.
The extended runway is welcome, but "disabled by default" is where the real risk lives. It doesn't require a formal deadline to cause disruption. It can happen after a security hardening project, a tenant policy update, or an admin cleaning up authentication settings during routine maintenance. Devices that have been working for years stop sending email, and the first sign is usually someone standing at the printer wondering where their document went.
Why MFPs Are Uniquely Exposed to This Change
Most IT teams have a reasonable handle on which applications connect to Microsoft 365: their CRM, their ERP, their monitoring tools.
MFPs rarely make that list because they were configured during installation, handed off to end users, and largely forgotten about from an authentication standpoint.
That's the exposure. These devices are running on credentials that may belong to a shared mailbox, a service account, or, in some cases, a former employee's mailbox that was never cleaned up. Nobody recertifies MFP credentials on a regular basis the way they might review application access. And because scan-to-email just works, there's no pressure to look at it, until it stops.
How to Find Out If Your Devices Are Impacted
The good news is that Microsoft built a diagnostic tool directly into the Exchange admin center. Running it takes about ten minutes and gives you a definitive answer on which devices and accounts in your environment are still using Basic auth to submit mail.
Sign into the Exchange admin center, navigate to Reports > Mail flow > SMTP AUTH Clients Submission Report, and review what's there.
The report shows:
- Which users or service accounts are submitting mail
- Which endpoint they're using
- Whether they're authenticating with Basic auth or OAuth.
Any entry showing Basic auth is a device or workflow that needs attention before the end of 2026.
Two additional MFP security checks are worth making while you're in the admin center.
First, verify whether Microsoft 365 Security Defaults are enabled in your tenant. Security Defaults can automatically block Basic authentication across your environment, independent of individual device or mailbox settings, which means a device that appears to be working today could break the moment Security Defaults are turned on.
Second, look at the mailboxes that those devices are sending through. Shared mailboxes, retired accounts, or credentials tied to former employees create both a security and continuity risk that the migration is a good opportunity to clean up.
5 SMTP AUTH Migration Options (and How to Choose)
Once you've identified which devices are using Basic auth, you have five realistic paths forward. The right one depends on your hardware, your IT capacity, and how much disruption you can absorb.
1. OAuth 2.0
OAuth 2.0 is Microsoft's preferred direction and the cleanest long-term solution, but it's device-dependent.
OAuth uses short-lived access tokens instead of stored passwords, which eliminates the credential exposure that made Basic auth a liability. The catch is that OAuth support requires compatible firmware, and not every device has it.
Be sure you validate on one device before committing to a fleet rollout.
2. Connector-based Relay
Connector-based relay (Microsoft's "SMTP relay" method) is the most practical option for legacy fleets or mixed environments.
Instead of device credentials, the connection is authenticated by IP address or TLS certificate, and mail routes through a configured Microsoft 365 connector. It works with a broader range of hardware and doesn't require per-device firmware updates.
It does require careful IP management. If your public IP changes or your ISP flags outbound SMTP, mail flow issues can surface in ways that feel unrelated until you trace them back.
Microsoft High Volume Email (HVE)
Microsoft High Volume Email (HVE), released in April 2024, is worth considering for environments with high scan volume or primarily internal recipients. HVE is expected to continue supporting Basic Authentication until September 2028, which gives organizations additional transition time for specific use cases. However, it likely isn't the right fit for external-heavy or marketing-style sending.
Document Management Alternatives
This is worth a conversation if scan-to-email is functioning as a workaround for a workflow that should be handled differently. Organizations scanning invoices, HR packets, or intake forms into inboxes may be better served by a solution that handles capture, routing, naming, and delivery to the right system, rather than someone's inbox. SymQuest's workplace solutions include document management capabilities designed for exactly these workflows.
On-Prem Exchange Hybrid Routing
On-premises Exchange hybrid routing is a viable containment strategy if your environment already runs on-prem Exchange in hybrid with Microsoft 365.
Devices send to your internal Exchange server, which routes onward to Microsoft 365. It centralizes control without requiring immediate device changes, but it doesn't modernize authentication; it shifts the problem. It's worth considering only if hybrid Exchange is already part of your infrastructure, not as a reason to stand one up.
How to Prioritize The SMP AUTH Depreciation Migration
The best advice we can give?
Don’t wait until December to audit your devices and create a plan. Work with your managed print team now to create a plan that makes sense for your entire fleet.
Start with the Exchange admin center audit described above. That report tells you exactly how many accounts and devices are submitting via Basic auth.
From there, the work becomes a device-by-device triage: which ones can be updated to OAuth, which ones route better through a connector relay, and which ones are old enough that this is a natural conversation about replacement.
A few practical framing points for IT leaders managing this alongside other priorities.
- First, do the audit now, even if you don't act on it immediately. Knowing what you have is the prerequisite for everything else, and it takes ten minutes.
- Second, if your environment has Security Defaults enabled, or you're anticipating any tenant hardening work before December, treat the timeline as shorter than it appears. "Disabled by default" can arrive before the official date if a policy change triggers it.
- Third, OAuth configuration is per-device, not centralized, which means a fleet rollout requires coordination with your device vendor or managed services partner to validate firmware versions and test before pushing changes broadly.
For organizations managing their print environment through managed IT services, this is an area where having a partner who knows both the Microsoft 365 environment and the device fleet makes the difference between a planned transition and an emergency call on a Tuesday morning.
Get Support with Microsoft’s SMTP AUTH
The SMTP AUTH depreciation will change your scan-to-email process in your MFP.
With the extended timeline (December 2026), organizations have breathing room to build a plan that works for their entire fleet—preserving their workflows, print infrastructure, and overall security.
SymQuest's team works across both managed IT and print environments, which means we can assess your MFP fleet, identify affected devices, and map the right migration path for each one.
If you're not sure whether your scan-to-email setup is at risk, that's the right place to start.
Contact SymQuest to schedule an assessment before this becomes a fire drill.

