Deprecation of SMTP Basic Auth in Exchange Online
Microsoft is now getting serious and plans to disable SMTP Basic Authentication in Exchange Online in the second half of 2021. This should not bring any changes for users. In the meantime, the warnings in the Microsoft 365 Message Center are becoming increasingly urgent, e.g., MC237741 or MC204828.
However, IT also likes to use automations that send emails automatically, and the easiest way was to use an SMTP server. With Office 365 and Exchange Online, some of these SMTP clients are now configured against the cloud. Therefore, action is needed.
Microsoft says to this: “just use OAUTH.” Oh well, so please deal with the protocol, implement it, and everything is fine again.
Endpoints and other SMTP clients are a different story. This advice is not helpful, and a solution for these cases is complicated. If you can use an internal SMTP relay, you can stop reading here.
From time to time, I like to use PowerShell to do things in IT manually. This is where I stumbled over the problem with sending e-mails.
And PowerShell is available on every system, even with a development environment. It can’t be compared to Visual Studio Code or similar, but it’s enough for me. Here comes a point to bear in mind that will be important later: the installed PowerShell version is always 5.1. This is old, but you don’t have to install anything or even convert existing scripts to PowerShell 7. The existing scripts are often old, developed over many iterations, and no one knows exactly what they do in detail. So please stay on PowerShell 5.1.
So, I “binged” what you can do. The most prominent search hits went in a direction that I did not like. The developer should not use Microsoft Exchange anymore, but look for a completely different external provider and just create a free account there. The mails then go outside the organization. To be honest, I don’t even want to know how many developers have already gone this way.
Until now, the PowerShell function Send-MailMessage was often used. This addresses the system APIs. After a bit of research, it turns out that Microsoft no longer recommends either the function or the underlying APIs.
But the developer could use the Microsoft Authentication Library (MSAL) and something called MailKit, which is offered on NuGet. To cut a long story short: after three days of research, I was not able to get MailKit to work with PowerShell 5.1. However, that is down to me and not to MailKit.
At least during my research I found a handy module in the PowerShell Gallery, MSAL.PS. With its Get-MSALToken function and some trial and error, I had the OAUTH part solved elegantly and as recommended. The app registration considerations, however, were a bit more extensive.
Many existing solutions rely on a registered app and use a “client secret” so that the app has the rights to send SMTP email. With that, you would have to register a lot of apps for the different scripts. A “Public client/native” app registration is easier: only one app needs to be registered, and the previous user credentials can continue to be used along with the “client ID”.
Now I just have to get my nice new OAUTH token to the SMTP server. And there I was stuck. So, in the end I had to create my own “handcrafted” SMTP client in PowerShell.
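As an added example (not the post's code and not the GitHub project's code), this is the exchange such a handcrafted PowerShell 5.1 client performs: token from MSAL.PS, STARTTLS, then SASL XOAUTH2. It assumes MSAL.PS is installed, that the client ID belongs to a “Public client/native” app registration, and that SMTP.Send is the scope Exchange Online expects for SMTP OAuth:

```powershell
# Added example, not the post's own code: the SMTP AUTH XOAUTH2 exchange a handcrafted
# PowerShell 5.1 client performs against Exchange Online. Assumed: MSAL.PS is installed,
# $ClientId is a "Public client/native" app registration and SMTP.Send is the expected scope.
# SASL XOAUTH2 initial response: "user=<addr>^Aauth=Bearer <token>^A^A", base64 (^A = 0x01).
function New-XOAuth2Sasl([string]$User, [string]$AccessToken) {
    $raw = 'user={0}{1}auth=Bearer {2}{1}{1}' -f $User, [char]1, $AccessToken
    return [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($raw))
}

# Send one command ($null = just read the greeting) and return the final reply line;
# multi-line replies ("250-...") are consumed until the "250 " terminator.
function Invoke-SmtpCommand($Writer, $Reader, $Command) {
    if ($null -ne $Command) { $Writer.WriteLine($Command) }
    do { $line = $Reader.ReadLine(); Write-Verbose "S: $line" } while ($line -match '^\d{3}-')
    return $line
}

function New-SmtpIo($Stream) {   # CRLF line endings as SMTP requires
    $w = New-Object IO.StreamWriter($Stream); $w.NewLine = "`r`n"; $w.AutoFlush = $true
    return @{ Reader = (New-Object IO.StreamReader($Stream)); Writer = $w }
}

function Send-XOAuth2Mail([string]$ClientId, [string]$TenantId, [string]$From, [string]$To,
                          [string]$Subject, [string]$Body, [string]$Server = 'smtp.office365.com') {
    # Interactive sign-in with the user's existing credentials; only the access token is used.
    $token = (Get-MsalToken -ClientId $ClientId -TenantId $TenantId -Interactive `
              -Scopes 'https://outlook.office.com/SMTP.Send').AccessToken
    $tcp = New-Object Net.Sockets.TcpClient($Server, 587)
    $io = New-SmtpIo $tcp.GetStream()
    Invoke-SmtpCommand $io.Writer $io.Reader $null | Out-Null              # 220 greeting
    Invoke-SmtpCommand $io.Writer $io.Reader "EHLO $env:COMPUTERNAME" | Out-Null
    if ((Invoke-SmtpCommand $io.Writer $io.Reader 'STARTTLS') -notmatch '^220') { throw 'STARTTLS refused' }
    # Upgrade to TLS 1.2 with normal certificate validation; the token is never sent in clear.
    $tls = New-Object Net.Security.SslStream($tcp.GetStream(), $false)
    $tls.AuthenticateAsClient($Server, $null, [Security.Authentication.SslProtocols]::Tls12, $true)
    $io = New-SmtpIo $tls
    Invoke-SmtpCommand $io.Writer $io.Reader "EHLO $env:COMPUTERNAME" | Out-Null
    $reply = Invoke-SmtpCommand $io.Writer $io.Reader ('AUTH XOAUTH2 ' + (New-XOAuth2Sasl $From $token))
    if ($reply -match '^334 ') {   # base64 JSON error; an empty line ends the SASL exchange
        $detail = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($reply.Substring(4)))
        throw "XOAUTH2 rejected ($(Invoke-SmtpCommand $io.Writer $io.Reader '')): $detail"
    }
    if ($reply -notmatch '^235') { throw "AUTH failed: $reply" }
    foreach ($cmd in "MAIL FROM:<$From>", "RCPT TO:<$To>", 'DATA') {
        if ((Invoke-SmtpCommand $io.Writer $io.Reader $cmd) -notmatch '^(250|354)') { throw "$cmd failed" }
    }
    $msg = "From: $From`r`nTo: $To`r`nSubject: $Subject`r`n`r`n$Body" -replace '(?m)^\.', '..'  # dot-stuffing
    if ((Invoke-SmtpCommand $io.Writer $io.Reader "$msg`r`n.") -notmatch '^250') { throw 'DATA rejected' }
    Invoke-SmtpCommand $io.Writer $io.Reader 'QUIT' | Out-Null; $tcp.Close()
}
```

Run with `-Verbose` to see every server reply; a 334 answer to AUTH carries a base64 JSON error (wrong scope, consent missing, or SMTP AUTH disabled for the mailbox), which the function decodes before failing.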
The good news is that for everyone else the problem is solvable: the PowerShell function Send-O365MailMessage and a tutorial for it, which can do everything, can be found on GitHub. With this you can’t replace Send-MailMessage 1:1, but with little effort you can make existing PowerShell 5.1 scripts send email again.
Documentation for the setup can be found there as well.
The syntax is like that of the Send-MailMessage function. Additionally, you can easily embed images or other files into HTML emails.
If someone knows a simpler, better, or more elegant solution, I would be happy to hear about it.
In the meantime, something has happened with the Send-O365MailMessage function:
The function can now send with the Microsoft Graph API in addition to sending with SMTP OAUTH. For this, a further API permission on the registered app is needed. The default is now to send email with the Graph API. With the switch -SendWithSMTP you can switch to SMTP with OAUTH. The rest of the syntax is the same.