Microsoft is deprecating SMTP AUTH for Microsoft 365-hosted SMTP servers, effective March 2026, as part of a broader initiative to phase out legacy authentication protocols that pose significant security risks. SMTP AUTH relies on basic authentication, which transmits usernames and passwords in a way that is more susceptible to:
- Credential theft
- Phishing attacks
- Brute-force login attempts
These vulnerabilities make it difficult to enforce modern security practices such as multi-factor authentication (MFA), conditional access policies, and granular permission controls.
To address these issues, Microsoft is encouraging organizations to adopt OAuth 2.0-based authentication and the Microsoft Graph API. This modern interface provides secure, scalable, and future-ready access to Microsoft 365 services, including email.
By transitioning to Microsoft Graph API, your organization will be better protected against evolving cybersecurity threats and positioned for long-term compatibility with Microsoft 365 services.
To ensure uninterrupted email delivery, we have transitioned the Distribution Service to use Microsoft Graph API for sending emails. Enabled with Web Integration Settings, the service adds MS Graph integration to send notifications directly using Microsoft’s Graph API. The changes are available across OnBase 25, OnBase 24 and OnBase 23.
If your organization currently uses Microsoft 365 (Exchange Online) as the SMTP server for email notifications through our Distribution Service, this change will impact your configuration.
To know how to configure a Microsoft mailbox with Document Distribution using MSGraph, please check out the applicable support sections-
For OnBase 25: https://support.hyland.com/r/OnBase/Document-Distribution/Foundation-25.1/Document-Distribution/Conf...
For OnBase 24: https://support.hyland.com/r/OnBase/Document-Distribution/Foundation-24.1/Document-Distribution/Conf...
For OnBase 23: https://support.hyland.com/r/OnBase/Document-Distribution/Foundation-23.1/Document-Distribution/Conf...
Note: If your organization uses an on-premises or third-party SMTP server, this change does not currently affect you.
REFERENCES
Microsoft: Deprecation of Basic Authentication in Exchange Online
Exchange Online to retire Basic auth for Client Submission (SMTP AUTH) | Microsoft Community Hub
https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basi...
Microsoft Graph API Overview
https://learn.microsoft.com/en-us/graph/overview
Microsoft: Security Defaults and Modern Authentication
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-...
Register an Application with the Microsoft Identity Platform
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
Send Mail using Microsoft Graph API
https://learn.microsoft.com/en-us/graph/api/user-sendmail
Manage permissions for recipients in Exchange Online
https://learn.microsoft.com/en-us/exchange/recipients-in-exchange-online/manage-permissions-for-reci...
