Introduction
SMTP authentication is prone to brute-force password spray attacks. Disabling SMTP authentication reduces a tenant's attack surface, making it more secure.
Before disabling SMTP authentication, you must take into account any third-party applications or devices (such as MFC) that use SMTP to send emails through Exchange Online.
This setting should be used in conjunction with Disable Legacy Email Protocols (POP, IMAP) – Default Setting for New Mailboxes.
License Requirement
Any Exchange Online plan
User Impact
Medium
Disabling SMTP authentication tenant-wide will stop any user, device or third-party application from authenticating via SMTP to send emails through Exchange Online.
Note: This setting overrides the mailbox setting for SMTP authentication. If the mailbox has SMTP Authentication enabled and you disable SMTP Authentication at the tenant level, SMTP authentication for that mailbox will no longer work.
Admin Portal Reference
This setting is switched on via PowerShell. The following cmdlet is run against the tenant's Exchange Online.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
If Action is set to Notify
We report the setting as compliant if Set-TransportConfig -SmtpClientAuthenticationDisabled is set to $true.
We report the setting as non-compliant if Set-TransportConfig -SmtpClientAuthenticationDisabled is set to $false.
If Action is set to Enforce
We report the setting as compliant if Set-TransportConfig -SmtpClientAuthenticationDisabled is set to $true.
We report the setting as compliant-fixed if Set-TransportConfig -SmtpClientAuthenticationDisabled was set to $false and MSPMagic changes it to $true.
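The Notify and Enforce outcomes described above, together with the pre-change review of mailboxes that carry their own SMTP authentication setting, can be sketched as follows. This is an added example, not MSPMagic's code: the function names, parameters and sample objects are hypothetical, and only Get-TransportConfig, Set-TransportConfig, Get-CASMailbox and Connect-ExchangeOnline are real Exchange Online cmdlets.

```powershell
# Added example (not MSPMagic code). Function and parameter names are hypothetical.
function Get-SmtpAuthComplianceState {
    param(
        [Parameter(Mandatory)] $TransportConfig,   # object returned by Get-TransportConfig
        [ValidateSet('Notify', 'Enforce')] [string] $Action = 'Notify',
        # Remediation is injectable so the logic can be exercised without a tenant.
        [scriptblock] $Remediate = { Set-TransportConfig -SmtpClientAuthenticationDisabled $true }
    )
    # Already disabled tenant-wide: compliant under either action.
    if ($TransportConfig.SmtpClientAuthenticationDisabled -eq $true) { return 'compliant' }
    # Notify only reports; it never changes the tenant.
    if ($Action -eq 'Notify') { return 'non-compliant' }
    # Enforce flips the setting and reports that it was fixed.
    & $Remediate | Out-Null
    return 'compliant-fixed'
}

function Get-MailboxSmtpAuthOverride {
    param([Parameter(Mandatory)] [object[]] $CasMailbox)   # objects returned by Get-CASMailbox
    # Keep only mailboxes whose per-mailbox value is explicitly set ($true or $false),
    # so devices and applications that rely on SMTP AUTH can be reviewed first.
    $CasMailbox |
        Where-Object { $null -ne $_.SmtpClientAuthenticationDisabled } |
        Select-Object PrimarySmtpAddress, SmtpClientAuthenticationDisabled
}

# Constructed sample data (not from a real tenant).
$sampleConfig = [pscustomobject]@{ SmtpClientAuthenticationDisabled = $false }
$sampleMailboxes = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'scanner@example.com'; SmtpClientAuthenticationDisabled = $false }
    [pscustomobject]@{ PrimarySmtpAddress = 'user@example.com';    SmtpClientAuthenticationDisabled = $null }
)

Get-MailboxSmtpAuthOverride -CasMailbox $sampleMailboxes
Get-SmtpAuthComplianceState -TransportConfig $sampleConfig -Action Notify
Get-SmtpAuthComplianceState -TransportConfig $sampleConfig -Action Enforce `
    -Remediate { $sampleConfig.SmtpClientAuthenticationDisabled = $true }

# Against a live tenant (requires the ExchangeOnlineManagement module):
#   Connect-ExchangeOnline
#   Get-MailboxSmtpAuthOverride -CasMailbox (Get-CASMailbox -ResultSize Unlimited)
#   Get-SmtpAuthComplianceState -TransportConfig (Get-TransportConfig) -Action Notify
```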