Microsoft 365 / Outlook SMTP test — ports, modern auth, and app passwords

Microsoft 365 (formerly Office 365) and Outlook.com share the same SMTP submission endpoint: smtp.office365.com on port 587 with STARTTLS. The SMTP username is your full email address, and the password depends on your tenant's authentication policy — either an app password or an OAuth2 token.

Recommended settings

• Host: smtp.office365.com
• Port: 587 (STARTTLS only — 465 and 25 are not supported for client submission)
• Username: your full email address (e.g. [email protected] or [email protected])
• Password: app password (if basic auth is enabled) or OAuth2 token
• Auth method: Auto or LOGIN
• From address: must match the authenticated mailbox (or a configured Send As alias)

App passwords vs OAuth2

Microsoft is deprecating basic authentication (username + password) for SMTP AUTH across all Microsoft 365 tenants. The timeline:

• Basic auth with SMTP AUTH: still available per-mailbox if the admin has not disabled it, but being phased out.
• App passwords: available when the account has Multi-Factor Authentication (MFA) enabled and the admin has not blocked app password creation.
• OAuth2 (XOAUTH2): the modern replacement. Requires registering an application in Azure AD and obtaining an access token. SMTP Tester does not currently support OAuth2, but you can test basic auth and app passwords.

To check if basic auth is allowed for your mailbox, an admin can run:

Get-CASMailbox -Identity [email protected] | Select SmtpClientAuthenticationDisabled
        

If the value is True, SMTP AUTH with username/password is blocked for that mailbox.

Generating an app password

If MFA is enabled on the account and basic auth is allowed:

1. Go to mysignins.microsoft.com/security-info.
2. Click "Add sign-in method" → App password.
3. Name it (e.g. "SMTP Tester") and click Next.
4. Copy the generated password immediately — it is shown only once.
5. Use this as the SMTP password.

If you do not see the "App password" option, your admin has disabled app password creation in the Azure AD tenant settings.

Testing with SMTP Tester

1. Host: smtp.office365.com, port 587, security STARTTLS.
2. Username: your full Microsoft 365 email address.
3. Password: your app password (or account password if basic auth is still enabled).
4. From: the same email address (must match the authenticated mailbox).
5. To: any recipient.
6. Click Run. A 235 2.7.0 Authentication successful confirms login.

A 250 2.0.0 OK after DATA means Microsoft accepted the message for delivery.

Common errors

535 5.7.139 "Authentication unsuccessful, SmtpClientAuthentication is disabled"

SMTP AUTH has been disabled for this mailbox by an admin policy. The connection, TLS, and credentials may all be correct — but the tenant blocks password-based SMTP login.

Fix options:

• Ask the admin to enable SMTP AUTH for the specific mailbox (Set-CASMailbox -Identity [email protected] -SmtpClientAuthenticationDisabled $false).
• Switch to OAuth2 authentication (requires application registration in Azure AD).
• Use a different sending method (Microsoft Graph API or a third-party transactional provider).

535 5.7.3 "Authentication unsuccessful"

Credentials were rejected. Causes:

• Wrong password. If MFA is enabled, use an app password — not your normal login.
• The account is locked, expired, or requires a password change.
• Security defaults or Conditional Access policies block basic auth entirely.
• The username is wrong — must be the full email address, not just the local part.

550 5.7.60 "SMTP; Client does not have permissions to send as this sender"

Authentication succeeded, but the From address does not match the authenticated mailbox and is not configured as a Send As alias. Microsoft 365 enforces strict sender identity.

Fix: set the From address to the same email you authenticated with, or configure Send As permission for the desired address in Exchange admin center.

Connection timeout

smtp.office365.com only accepts connections on port 587. Port 25 is for inbound relay (MX delivery to Exchange Online), not outbound submission. Port 465 is not supported. If 587 times out, check your network's outbound firewall rules.

Shared mailboxes and service accounts

Shared mailboxes in Microsoft 365 do not have passwords by default. To send via SMTP from a shared mailbox:

1. Assign a password to the shared mailbox (convert to a regular mailbox, or set a password via PowerShell).
2. Enable SMTP AUTH for that mailbox.
3. Authenticate as the shared mailbox directly.

Alternatively, authenticate as a licensed user and set the From address to the shared mailbox — if Send As permission is granted.

For automated systems (applications, scripts, printers), Microsoft recommends either Direct Send (port 25 to your MX, no auth, internal recipients only) or the Microsoft Graph sendMail API with application permissions. SMTP AUTH remains an option for devices that cannot use modern auth (older printers, scanners, LOB applications).

Microsoft 365 sending limits

• 10,000 recipients per day per mailbox.
• 30 messages per minute.
• Maximum 25 MB per message (including Base64 overhead for attachments).

Exceeding these limits triggers throttling — SMTP returns 452 4.5.3 Too many recipients or 421 4.7.0 Temporary server error.

Security notes

• Always use port 587 with STARTTLS. Never send credentials over an unencrypted connection.
• App passwords bypass MFA — treat them as sensitive secrets. Store in environment variables or a secrets manager.
• SMTP Tester redacts all credentials from the live transcript.
• Monitor your Microsoft 365 sign-in logs for unexpected SMTP AUTH activity — it can indicate credential compromise.
• Consider moving to OAuth2 (XOAUTH2) for long-term compatibility as Microsoft continues deprecating basic auth.