How to send emails using Office 365 SMTP AUTH, HELP! — Part 1 — SMTP Auth without MFA
This is a common issue nowadays where a lot of people have been moving to Office 365 and the cloud in general, moving massively and aggressively with the pass and advance of the pandemic covid-19 worldwide, many printers, scanners, and other output devices have been working for days until they needed to be updated into the cloud.
I think this series to help you go thru every single configuration you need to keep in mind to make the SMTP Authentication work for your particular case; no matter how much experience you have with office 365 or powershell, I will guide you step by step with captures, codes and also the question section at the end of this article to help you with and if you still can’t you can hire me to lead your way to solve this issue over my upwork’s profile but don’t get me wrong, the whole idea of this series it’s that you can fix this issue for your peace of mind.
I have worked on this issue for a lot of issues, in several languages, for at least the last year worldwide, so I will assume the following is TRUE:
- You are moving or are already moved to Office 365
- You count with subscriptions and licenses on Office 365 that contains Exchange Online Plan 1 (Office 365 essentials, business standard, standard premium) or Exchange Online Plan 2 (O365 E1, E3, or E5).
- You are a GLOBAL ADMIN on your office 365 account; if you don’t comply with this requirement, you still can read and learn how to deal with the issue, and if your global admin doesn’t accurately deal with and solve this issue, you can help him/her out, at the end of the time we all are human. We don’t ignore the same things.
- You have zero knowledge of Powershell or anything related to it.
- You are working under windows 10, any edition.
- On your Windows 10, you have at least the default Powershell Version (Powershell 5.1)
General Knowledge of the problem
Before going straight into the troubleshooting steps, I would like to let you know some more information about Office 365.
Note: Curiosity all Office 365 tenants have an Azure Active Directory behind (you can check it out by going into https://portal.azure.com once you’ve logged into Office.com with your global admin account).
SMTP Authentication can be configured at the tenant level and the user’s level. The first one is a configuration globally for all the accounts to allow or deny the SMTP connections and sending emails. Now, the SMTP authentication at the user’s level usually doesn't contain any information. It’s usually set as EMPTY, which means that it will take the Tenant’s configuration for that particular user.
Note: If you prefer to go to the source and avoid all that I will tell in this article, you can go to https://docs.microsoft.com/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365-or-office-365 and read the SMTP Auth option 1.
One last note and fact, SMTP Authentication only accepts “Basic authentication”: Username (UserPrincipalName or Email on the O365 context) and a password.
The Problem 1 — SMTP Authentication without MFA
The problem basically it’s when you are using any CLIENT Application (Outlook, Powershell, Any 3rd party app that sends an email: WordPress, PHP, your web page, your printer, your scanner, etc.); and you get some problems with the Authentication, and finally, the account that you would like to use doesn’t have Multi-Factor Authentication (MFA) Enabled.
In case that you are too curious about how to use Powershell as an SMTP client, here’s my other article where you can see exactly what I’m running to get that error: https://j0rt3g4.medium.com/how-to-send-emails-from-powershell-using-an-smtp-service-b6e6024614fe
Troubleshooting the Problem 1
Once your email client hits this error, there is a clear way to solve it. Since you don’t have Multi-Factor Authentication enabled, it means that you are using “basic Authentication,” which is supported by this method directly.
When Powershell comes to the rescue, we need to validate the tenant’s and the user’s policy to use SMTP by connecting to Exchange Online Module as a Global Administrator.
How to connect to Exchange Online Using Powershell
Here are the steps
- Open Powershell as an Administrator and set the execution policy for clouds CMDLets
Once you have that, Powershell comes with several Execution Policies, and as a summary, it’s the ability that a user has to run powershell scripts or commands. If you want to read more, please go here; if you don’t, then you need to run the following to use “Remote Signed” commands that haven’t been modified by any 3rd party but Microsoft Itself.
- Set-ExecutionPolicy RemoteSigned and accept the change.
Note: Now that you are running powershell as Administrator and it’s the first time you will use Powershell to connect to your environment in the cloud, we need to install the module for Exchange Online, to be able to connect, this is only required to be done once in time to time (to keep the version’s updated).
- Install-Module ExchangeOnlineManagement -AllowClobber -Force
Once you’ve finished setting up the Execution Policy and you have installed the ExchangeOnlineManagement Module, you are ready to connect to Exchange Online with the Global Admin Credentials, like this:
In my own tenant, I have MFA Enabled; if you don’t have it will require just a username and password; if you do have it, it will require a username, password, and the token (code, SMS, or app acceptance).
- Now you are ready to start digging into the problem, let’s 1st run a command on powershell to see the status of the “TENANT’S policy” for SMTP.
Get-Transportconfig | Select *smtp*
Note: On Powershell, all the lines you ran are based on a verb-Predicate something like Get-Date and are called “Cmdlets or CommandLets.”
The command's output should be something like this, if you get any red lines with errors, make sure you didn’t mistype anything. The important property is called “SmtpClientAuthenticationDisabled.” If this property is true, it means that the Smtp Client Authentication is disabled TENANT WIDE.
Now let’s assume that the person that would like to send emails is called email@example.com, and when we query that exact property but at the user’s level, we got this:
So one of the possible errors is basically that your Tenant’s level is set to True while the user’s level is set to “none/null.” This means that your user will take the global configured policy, SmtpClientAuthenticationDisabled=True, for all the mailboxes.
Let’s correct this possible error by running:
Set-CASMailbox -Identity firstname.lastname@example.org -SmtpClientAuthenticationDisabled:$false
And validating right after that SmtpClientAuthenticationDisabled:$false means that you actually use the SmtpclientAuthentication, so you have enabled the SMTP authentication. For this particular property, if the Tenant’s level says “True” but the user’s level says “False,” the user’s level has a higher priority. For this reason, the User’s level dominates the policy, enabling the user’s mailbox to send emails using SMTP Authentication.
Note: Exchange changes can take from 10 minutes up to 72 hours in taking place effectively. If you are still receiving errors after this, there is an Azure AD Policy that is applied by default to every new tenant out there that is called “Security Defaults”; if you wanna learn more, please go here. In short, it will request to everybody to log into Azure AD to enable MFA from the Azure Perspective. Still, this perspective is independent of the MFA talking to O365, which is configured in the admin portal/Users/Active Users/ configure MFA as shown in the next picture.
I have tenant’s policy to true and user’s policy to false, but it’s still not working…
So you are in this situation when you go to azure and check the sign-ins details of the error:
In that case, you will need to decide on one of the next 2 options:
Option 1: if it’s enabled, Disable the “Security Defaults” policy on Azure AD because that policy denies “Legacy Authentication,” which is translated as “Basic Authentication,” so you won’t be able to authenticate to anything on O365 using just username and password until you disable this policy (https://docs.microsoft.com/azure/active-directory/fundamentals/concept-fundamentals-security-defaults#blocking-legacy-authentication)
Option 2: Go into https://portal.azure.com click in “More Services,” and then click on “Azure Active Directory”, you’d need to go for the Sign-in Page and find out why for the denial, and since option 1 must be disabled to create a new conditional access policy, then: https://docs.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-block-access
Note: Security Defaults and Conditional Access don’t get along with each other, so you need to select the best path for you, either enabling a policy that allows users to send mailbox or disabled security default and left that to the conditional access or create your own conditional access.
To be continued in part 2 —
Part 2 is already finished here: https://j0rt3g4.medium.com/how-to-send-emails-using-office-365-smtp-auth-help-part-2-smtp-auth-with-mfa-opc2-52ed3ca4fa5e