Microsoft Is Killing Off Basic SMTP Authentication. Here’s Why Most Businesses Still Aren’t Ready.

Three weeks ago, we took a call from a prospect whose accountancy practice had ground to a halt overnight. Invoices weren’t sending, scan-to-email had stopped working, and their practice management system was throwing authentication errors. The culprit? Microsoft had finally disabled Basic SMTP authentication on their tenant, and their previous IT provider hadn’t prepared them.

Within 48 hours, we’d assessed their environment, reconfigured their MFPs, updated their practice management system, and had them operational again. But it shouldn’t have been an emergency in the first place.

Despite Microsoft announcing this change back in 2021 and progressively enforcing it since October 2022, we’re still seeing businesses caught off guard. The problem isn’t lack of warning—it’s that most organisations don’t realise just how many systems in their environment quietly depend on outdated SMTP authentication behind the scenes.

If you’re running Microsoft 365 and you haven’t audited your SMTP dependencies, you’re almost certainly exposed. Here’s what you need to know.

What’s Actually Changing (and Why It Matters)

For decades, sending email from devices and applications meant using SMTP with a simple username and password. It worked. It was easy to configure. And it’s now one of the biggest security liabilities in business IT.

Basic SMTP authentication is a prime target for:

  • Credential stuffing
  • Password spraying
  • Brute-force attacks
  • Compromised account abuse for spam and phishing

Once an attacker has your credentials, they can relay spam, launch phishing campaigns, or exfiltrate data—all through your own email infrastructure.

Microsoft’s response has been to phase out Basic Auth entirely in favour of Modern Authentication (OAuth 2.0). This approach ties email sending to identity verification, conditional access policies, and multi-factor authentication. It’s significantly more secure—but it requires every device and application in your environment to support it.

And that’s where the problems start.

Who Gets Caught Out

Businesses don’t get caught out because they’re careless—they get caught out because legacy dependencies hide in plain sight.

Most organisations have already upgraded their laptops, enforced MFA, and secured their user accounts. But they’ve forgotten about:

  • Multifunction printers installed five years ago that scan invoices to email
  • Practice management systems that send automated client reminders
  • ERP platforms that email reports to directors every morning
  • Security systems that alert to break-ins or fire alarms
  • Backup solutions that send failure notifications

These systems were configured once, tucked away in a server room or mounted on a wall, and forgotten. Until they stop working.

The frustrating part is that many newer devices do support OAuth—but nobody’s updated the firmware or reconfigured them. Others are simply too old and need replacing. The challenge is knowing which is which before the failures start.

The Risk of Doing Nothing

We’ve seen the pattern: SMTP failures don’t arrive as a single catastrophic event. They appear intermittently—an email here, a scan failure there—before becoming widespread. By the time businesses realise what’s happening, they’re already dealing with workflow disruption, frustrated staff, and in some cases, compliance issues.

For professional services firms—the accountancy practices, legal firms, and consultancies we work with—the stakes are particularly high. Email isn’t just communication; it’s how you deliver client work, send contracts, and maintain audit trails. When scanning stops working during month-end or year-end, it’s not just inconvenient—it’s business-critical.

The Path Forward: Three Practical Options

Microsoft’s preferred direction is clear, but the implementation depends on your specific environment. Here are the three approaches we’re using with clients:

1. Enable OAuth on Existing Devices

Many Toshiba, Konica Minolta, and HP devices from the last 4-5 years support OAuth authentication—they just need firmware updates and reconfiguration. This is usually the quickest win for businesses with relatively modern equipment.

2. Configure Microsoft 365 SMTP Relay

For devices that can’t support OAuth but are still functional, SMTP relay provides a secure alternative. It authenticates using your static IP address rather than stored credentials, reducing attack surface without requiring device replacement.

3. Move Beyond Email Entirely

For many workflows, scan-to-email is legacy thinking. Modern alternatives—scanning directly to SharePoint, saving to OneDrive, or using QR code destinations—are more secure, easier to audit, and don’t rely on SMTP at all. We’re increasingly recommending this approach for new deployments.

The right answer varies by business, but delaying the decision isn’t an option.

How We’re Helping Clients Navigate This

At Sentinel, our approach combines technical assessment with business pragmatism. We start by identifying every system in your environment that still uses Basic SMTP authentication—not just the obvious ones, but the edge cases: that alerting system nobody remembers configuring, the legacy application that “just works,” the printer in the back office that only gets used once a month.

From there, we build a transition plan that prioritises business impact. Client-facing workflows get fixed first. Devices that can be updated quickly are handled early. Systems that need replacement are scheduled around budget cycles and operational downtimes.

For our professional services clients, we typically align this work with existing projects—office moves, server refreshes, or cybersecurity upgrades—so you’re not dealing with change for change’s sake.

And because we work across both IT infrastructure (through Sentinel) and print technology (through our sister company Collate Business Systems), we can handle the entire transition without you needing to coordinate multiple suppliers.

What You Should Do Next

If you’re running Microsoft 365 and you haven’t yet addressed SMTP authentication, the time to act is now—not when systems start failing.

Here’s what we recommend:

  1. Audit your environment to identify every device and application using SMTP
  2. Check firmware and software versions to determine what supports OAuth
  3. Prioritise client-facing workflows for early remediation
  4. Plan device replacements for anything that can’t be upgraded
  5. Test thoroughly before Microsoft enforces the change on your tenant
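For step 1, the sign-in logs show which accounts are still authenticating over Basic SMTP and from where. The sketch below is an added example, not a Sentinel tool: it assumes you have exported sign-in records as JSON using the Microsoft Graph signIn field names (`clientAppUsed`, `userPrincipalName`, `ipAddress`, `createdDateTime`, `status.errorCode`), and the sample records are constructed.

```python
import json
from collections import defaultdict

# Constructed sample data: sign-in records using Microsoft Graph signIn field
# names. Accounts and IP addresses are placeholders, not real values.
SAMPLE_EXPORT = json.dumps([
    {"userPrincipalName": "scanner@example.com", "clientAppUsed": "Authenticated SMTP",
     "ipAddress": "203.0.113.10", "createdDateTime": "2025-01-06T08:15:00Z",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "Scanner@example.com", "clientAppUsed": "Authenticated SMTP",
     "ipAddress": "203.0.113.10", "createdDateTime": "2025-01-07T09:02:00Z",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "erp-reports@example.com", "clientAppUsed": "Authenticated SMTP",
     "ipAddress": "203.0.113.10", "createdDateTime": "2025-01-07T06:00:00Z",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "j.smith@example.com", "clientAppUsed": "Browser",
     "ipAddress": "203.0.113.10", "createdDateTime": "2025-01-07T09:30:00Z",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "j.smith@example.com", "clientAppUsed": "Authenticated SMTP",
     "ipAddress": "198.51.100.77", "createdDateTime": "2025-01-07T02:11:00Z",
     "status": {"errorCode": 50126}},
])

LEGACY_SMTP = "Authenticated SMTP"  # client app label for Basic SMTP AUTH sign-ins

def smtp_auth_inventory(export_json):
    """Group Basic SMTP AUTH sign-ins by (account, source IP)."""
    inventory = defaultdict(lambda: {"success": 0, "failure": 0, "last_seen": ""})
    for record in json.loads(export_json):
        if record.get("clientAppUsed") != LEGACY_SMTP:
            continue  # modern-auth sign-ins are not part of this audit
        key = (record["userPrincipalName"].lower(), record["ipAddress"])
        ok = record.get("status", {}).get("errorCode") == 0
        inventory[key]["success" if ok else "failure"] += 1
        # ISO 8601 UTC timestamps in one format sort correctly as strings
        inventory[key]["last_seen"] = max(inventory[key]["last_seen"],
                                          record["createdDateTime"])
    return dict(inventory)

def accounts_to_remediate(inventory):
    """Accounts with a successful SMTP AUTH sign-in: a device or app depends on them."""
    return sorted({upn for (upn, _ip), e in inventory.items() if e["success"]})

def failure_only_sources(inventory):
    """(account, IP) pairs that never succeed: stale config or password guessing."""
    return sorted(k for k, e in inventory.items() if e["success"] == 0)
```

Accounts in the first list map to the devices and applications that need OAuth, relay, or replacement; pairs in the second list are worth reviewing before SMTP AUTH is switched off for those mailboxes.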

We can run this assessment for you in under a week, typically with minimal disruption to your operations.

If you’d like a frank conversation about where your business stands and what needs to happen, get in touch. We’re already managing this transition for accountancy practices, legal firms, and professional services businesses across the South, and we’re happy to do the same for you.

Sentinel Data