SMTP troubleshoot
Microsoft Office 365 SMTP Authentication Errors - Troubleshooting Guide
Quick Reference: Common Error Messages
Error 1:
535 5.7.139 Authentication unsuccessful, SmtpClientAuthentication is disabled for the Tenant.
Fix: Enable SMTP AUTH at tenant level (Exchange Admin Center)
Error 2:
535 5.7.139 Authentication unsuccessful, user is locked by your organization's security defaults policy.
Fix: Disable Security Defaults in Azure Portal OR exclude user from Conditional Access policies
Error 3:
535 5.7.139 Authentication unsuccessful, the request did not meet the criteria to be authenticated successfully.
Fix: Enable SMTP AUTH for the specific mailbox
Error 4:
5.7.57 Client not authenticated to send mail.
Fix: Check all three layers (tenant, security policy, mailbox) + verify no MFA app is configured
Step-by-Step Solution for Microsoft Office 365 SMTP (Tested & Working)
Email Authentication SMTP to Microsoft Office 365
IMPORTANT: Before starting, make sure the account you are adding for SMTP does not have Microsoft Authenticator app setup.
Step 1: Enable SMTP AUTH at Tenant Level (Exchange Admin Center)
- Go to https://admin.exchange.microsoft.com/
- Navigate to Settings → Mail flow
- Verify settings:
- ✅ UNCHECKED: "Turn off SMTP AUTH protocol for your organization"
- ✅ CHECKED: "Turn on use of legacy TLS clients"
- Click Save
Wait 15 minutes and test. If it works, you're done! Otherwise, continue...
Step 2: Enable SMTP for Specific User (Microsoft 365 Admin Center)
- Go to https://admin.cloud.microsoft (or admin.microsoft.com)
- Select Active users
- Click on your SMTP user account
- Click Mail tab
- Click Email apps
- Click Manage email apps
- Ensure Authenticated SMTP is CHECKED
- Click Save
Wait a few minutes and test again. If still not working, continue...
Step 3: Disable Security Defaults (Azure Portal)
- Go to https://portal.azure.com/
- Navigate to Microsoft Entra ID (Azure Active Directory)
- Go to Properties (under Manage)
- Click Manage Security defaults
- Set Security defaults to Disabled
- Click Save
Wait 15 minutes and test again. If still not working, continue...
Step 4: Exclude User from Conditional Access Policies (Final Step)
- Go to https://portal.azure.com/
- Navigate to Microsoft Entra ID → Security → Conditional Access
- Go to Policy snapshots (or Policies)
You will see 4 default Microsoft-managed policies:
- Block legacy authentication
- Multifactor authentication for Azure Management
- Multifactor authentication for admins
- Multifactor authentication for all users
- For each of the 4 policies, do the following:
- Click on the policy name
- Click Edit
- Go to Users section
- Under Exclude, add your SMTP user (e.g., noreply@bookyourpto.com)
- Click Save
- Repeat for all 4 policies
Wait 15 minutes and test. All errors should be resolved!
Important Notes
VERIFIED: These instructions were tested and confirmed working NOTE: No app passwords required for this configuration WARNING: Excluding users from Conditional Access policies reduces security for those accounts. Only use for service accounts with strong passwords. WARNING: Do not configure Microsoft Authenticator on the SMTP service account
Error #1: SMTP Authentication Disabled for Tenant
Timestamp: Initial error
Error Message:
535 5.7.139 Authentication unsuccessful, SmtpClientAuthentication is disabled for the Tenant.
Visit https://aka.ms/smtp_auth_disabled for more information.
What it means:
- SMTP AUTH protocol was completely disabled at the Microsoft 365 tenant/organization level
- No mailboxes in the organization could use SMTP authentication
Solution Applied:
- Went to Exchange Admin Center → Settings → Mail flow
- Unchecked "Turn off SMTP AUTH protocol for your organization" (confusing wording - unchecking it enables SMTP AUTH)
Root Cause: Microsoft disables SMTP AUTH by default for security reasons in newer tenants
Error #2: Security Defaults Policy Blocking User
Timestamp: After enabling tenant-wide SMTP AUTH
Error Message:
535 5.7.139 Authentication unsuccessful, user is locked by your organization's security defaults policy.
Contact your administrator.
What it means:
- Microsoft 365 Security Defaults were enabled in Azure AD
- Security Defaults block legacy/basic authentication methods (including SMTP AUTH)
- This is a tenant-wide security policy that overrides SMTP AUTH settings
Solution Applied:
- Went to Azure Portal → Microsoft Entra ID (Azure AD) → Properties
- Clicked "Manage Security defaults"
- Changed Security defaults from "Enabled" to "Disabled"
Root Cause: Security Defaults is Microsoft's baseline security policy that blocks basic authentication to prevent credential compromise
Security Note: After disabling Security Defaults, you should implement:
- Multi-factor authentication (MFA) for admin accounts
- Conditional Access policies
- Regular monitoring of sign-in logs
Error #3: Per-Mailbox Authentication Criteria Not Met
Timestamp: After disabling Security Defaults
Error Message:
535 5.7.139 Authentication unsuccessful, the request did not meet the criteria to be authenticated successfully.
Contact your administrator.
What it means:
- Tenant-wide SMTP AUTH is enabled ✓
- Security Defaults are disabled ✓
- BUT: The specific mailbox (noreply@bookyourpto.com) still had SMTP AUTH disabled at the mailbox level
- OR: Incorrect credentials/password
- OR: Mailbox lacks proper licensing
- OR: MFA is enabled and requires an app password
Solution Applied: Via Microsoft 365 Admin Center:
- Users → Active users → noreply@bookyourpto.com
- Mail tab → Manage email apps
- Enable "Authenticated SMTP" toggle
Root Cause: Even when SMTP AUTH is enabled tenant-wide, individual mailboxes can have it disabled. Microsoft implements this as a multi-layered security approach.
Additional Issues to Check (Not encountered but common)
Issue: Shared Mailbox Without License
Symptom: SMTP AUTH fails even when all settings are correct Cause: Shared mailboxes may not support SMTP AUTH without a license Solution: Either assign a license to the shared mailbox OR convert to user mailbox
Issue: Multi-Factor Authentication (MFA) Enabled
Symptom: Regular password fails authentication Cause: SMTP doesn't support interactive MFA prompts Solution: Create an App Password:
- Sign in to https://mysignins.microsoft.com/security-info
- Add sign-in method → App password
- Use the generated app password instead of regular password
Issue: DNS/Email Authentication Missing
Symptom: Emails marked as spam or rejected by recipients Cause: Missing SPF, DKIM, or DMARC records Solution: Add proper DNS records:
- SPF:
v=spf1 include:spf.protection.outlook.com -all - DKIM: Enable in Microsoft 365 and add CNAME records
- DMARC: Add TXT record
v=DMARC1; p=quarantine; rua=mailto:dmarc@domain.com
Summary: Microsoft Office 365 Three-Layer Authentication Model
Microsoft 365 SMTP authentication has THREE layers that must ALL be enabled:
- Tenant Level (Organization-wide)
- Exchange Admin Center → Mail flow settings
- Must uncheck "Turn off SMTP AUTH protocol"
- Security Policy Level (Azure AD)
- Security Defaults must be disabled OR
- Conditional Access policies must allow basic auth for SMTP
- Mailbox Level (Individual user/mailbox)
- Each mailbox must have SMTP AUTH enabled
- Can be set via Admin Center
- Requires proper licensing for non-shared mailboxes
All three layers must be configured correctly for SMTP to work!
Best Practices Going Forward
For Production Use:
- Use OAuth2 instead of basic auth (more secure, Microsoft's recommended approach)
- Implement Conditional Access policies instead of completely disabling Security Defaults
- Use App Passwords if MFA is required
- Monitor sign-in logs regularly for suspicious activity
- Enable SMTP only for specific mailboxes that need it, not tenant-wide
OAuth2 authentication approach:
- Works with Security Defaults enabled
- Supports MFA natively
- More secure (no password storage)
- Microsoft's recommended method
- Future-proof (basic auth being phased out)