Microsoft Office 365 SMTP Authentication Errors - Troubleshooting Guide

Quick Reference: Common Error Messages

Error 1:

535 5.7.139 Authentication unsuccessful, SmtpClientAuthentication is disabled for the Tenant.

Fix: Enable SMTP AUTH at tenant level (Exchange Admin Center)

Error 2:

535 5.7.139 Authentication unsuccessful, user is locked by your organization's security defaults policy.

Fix: Disable Security Defaults in Azure Portal OR exclude user from Conditional Access policies

Error 3:

535 5.7.139 Authentication unsuccessful, the request did not meet the criteria to be authenticated successfully.

Fix: Enable SMTP AUTH for the specific mailbox

Error 4:

5.7.57 Client not authenticated to send mail.

Fix: Check all three layers (tenant, security policy, mailbox) + verify no MFA app is configured


Step-by-Step Solution for Microsoft Office 365 SMTP (Tested & Working)

Email Authentication SMTP to Microsoft Office 365

IMPORTANT: Before starting, make sure the account you are adding for SMTP does not have the Microsoft Authenticator app set up.

Step 1: Enable SMTP AUTH at Tenant Level (Exchange Admin Center)

  1. Go to https://admin.exchange.microsoft.com/
  2. Navigate to Settings → Mail flow
  3. Verify settings:
    • UNCHECKED: "Turn off SMTP AUTH protocol for your organization"
    • CHECKED: "Turn on use of legacy TLS clients"
  4. Click Save

Wait 15 minutes and test. If it works, you're done! Otherwise, continue...


Step 2: Enable SMTP for Specific User (Microsoft 365 Admin Center)

  1. Go to https://admin.cloud.microsoft (or admin.microsoft.com)
  2. Select Active users
  3. Click on your SMTP user account
  4. Click Mail tab
  5. Click Email apps
  6. Click Manage email apps
  7. Ensure Authenticated SMTP is CHECKED
  8. Click Save

Wait a few minutes and test again. If still not working, continue...


Step 3: Disable Security Defaults (Azure Portal)

  1. Go to https://portal.azure.com/
  2. Navigate to Microsoft Entra ID (Azure Active Directory)
  3. Go to Properties (under Manage)
  4. Click Manage Security defaults
  5. Set Security defaults to Disabled
  6. Click Save

Wait 15 minutes and test again. If still not working, continue...


Step 4: Exclude User from Conditional Access Policies (Final Step)

  1. Go to https://portal.azure.com/
  2. Navigate to Microsoft Entra ID → Security → Conditional Access
  3. Go to Policy snapshots (or Policies)

You will see 4 default Microsoft-managed policies:

  • Block legacy authentication
  • Multifactor authentication for Azure Management
  • Multifactor authentication for admins
  • Multifactor authentication for all users

  4. For each of the 4 policies, do the following:
    • Click on the policy name
    • Click Edit
    • Go to Users section
    • Under Exclude, add your SMTP user (e.g., noreply@bookyourpto.com)
    • Click Save
  5. Repeat for all 4 policies

Wait 15 minutes and test. All errors should be resolved!


Important Notes

  • VERIFIED: These instructions were tested and confirmed working
  • NOTE: No app passwords required for this configuration
  • WARNING: Excluding users from Conditional Access policies reduces security for those accounts. Only use for service accounts with strong passwords.
  • WARNING: Do not configure Microsoft Authenticator on the SMTP service account


Error #1: SMTP Authentication Disabled for Tenant

Timestamp: Initial error

Error Message:

535 5.7.139 Authentication unsuccessful, SmtpClientAuthentication is disabled for the Tenant. 
Visit https://aka.ms/smtp_auth_disabled for more information.

What it means:

  • SMTP AUTH protocol was completely disabled at the Microsoft 365 tenant/organization level
  • No mailboxes in the organization could use SMTP authentication

Solution Applied:

  • Went to Exchange Admin Center → Settings → Mail flow
  • Unchecked "Turn off SMTP AUTH protocol for your organization" (confusing wording - unchecking it enables SMTP AUTH)

Root Cause: Microsoft disables SMTP AUTH by default for security reasons in newer tenants


Error #2: Security Defaults Policy Blocking User

Timestamp: After enabling tenant-wide SMTP AUTH

Error Message:

535 5.7.139 Authentication unsuccessful, user is locked by your organization's security defaults policy. 
Contact your administrator.

What it means:

  • Microsoft 365 Security Defaults were enabled in Azure AD
  • Security Defaults block legacy/basic authentication methods (including SMTP AUTH)
  • This is a tenant-wide security policy that overrides SMTP AUTH settings

Solution Applied:

  • Went to Azure Portal → Microsoft Entra ID (Azure AD) → Properties
  • Clicked "Manage Security defaults"
  • Changed Security defaults from "Enabled" to "Disabled"

Root Cause: Security Defaults is Microsoft's baseline security policy that blocks basic authentication to prevent credential compromise

Security Note: After disabling Security Defaults, you should implement:

  • Multi-factor authentication (MFA) for admin accounts
  • Conditional Access policies
  • Regular monitoring of sign-in logs

Error #3: Per-Mailbox Authentication Criteria Not Met

Timestamp: After disabling Security Defaults

Error Message:

535 5.7.139 Authentication unsuccessful, the request did not meet the criteria to be authenticated successfully. 
Contact your administrator.

What it means:

  • Tenant-wide SMTP AUTH is enabled ✓
  • Security Defaults are disabled ✓
  • BUT: The specific mailbox (noreply@bookyourpto.com) still had SMTP AUTH disabled at the mailbox level
  • OR: Incorrect credentials/password
  • OR: Mailbox lacks proper licensing
  • OR: MFA is enabled and requires an app password

Solution Applied: Via Microsoft 365 Admin Center:

Root Cause: Even when SMTP AUTH is enabled tenant-wide, individual mailboxes can have it disabled. Microsoft implements this as a multi-layered security approach.


Additional Issues to Check (Not encountered but common)

Issue: Shared Mailbox Without License

Symptom: SMTP AUTH fails even when all settings are correct

Cause: Shared mailboxes may not support SMTP AUTH without a license

Solution: Either assign a license to the shared mailbox OR convert to user mailbox

Issue: Multi-Factor Authentication (MFA) Enabled

Symptom: Regular password fails authentication

Cause: SMTP doesn't support interactive MFA prompts

Solution: Create an App Password:

  1. Sign in to https://mysignins.microsoft.com/security-info
  2. Add sign-in method → App password
  3. Use the generated app password instead of regular password

Issue: DNS/Email Authentication Missing

Symptom: Emails marked as spam or rejected by recipients

Cause: Missing SPF, DKIM, or DMARC records

Solution: Add proper DNS records:

  • SPF: v=spf1 include:spf.protection.outlook.com -all
  • DKIM: Enable in Microsoft 365 and add CNAME records
  • DMARC: Add TXT record v=DMARC1; p=quarantine; rua=mailto:dmarc@domain.com
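
Added example (not part of the original guide): an offline checker for the SPF and DMARC values listed above, useful for confirming what is actually published before blaming the mailbox. The function names audit_spf and audit_dmarc are hypothetical, and the records are passed in as strings rather than looked up in DNS.

```python
def audit_spf(record):
    """Return findings for one SPF TXT value; an empty list means none."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    findings = []
    if "include:spf.protection.outlook.com" not in terms:
        findings.append("Microsoft 365 include is missing")
    # The qualifier on 'all' decides what happens to senders not listed.
    alls = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
    if not alls:
        findings.append("no 'all' mechanism closes the record")
    elif alls[0] != "-all":
        findings.append(f"'{alls[0]}' does not hard-fail unlisted senders")
    return findings

def audit_dmarc(record):
    """Return findings for one _dmarc TXT value; an empty list means none."""
    pairs = [tuple(part.strip() for part in tag.split("=", 1))
             for tag in record.split(";") if "=" in tag]
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return ["not a DMARC record (must start with v=DMARC1)"]
    tags = {name.lower(): value for name, value in pairs}
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p= is missing or not none/quarantine/reject")
    elif policy == "none":
        findings.append("p=none asks receivers to take no action on failures")
    uris = [u.strip().lower() for u in tags.get("rua", "").split(",") if u.strip()]
    if not uris:
        findings.append("no rua= address, so no aggregate reports arrive")
    elif not all(u.startswith("mailto:") for u in uris):
        findings.append("rua= contains an entry that is not a mailto: URI")
    return findings

if __name__ == "__main__":
    # Constructed inputs: the two records from this guide plus weaker variants.
    for value in ("v=spf1 include:spf.protection.outlook.com -all",
                  "v=spf1 include:spf.protection.outlook.com ~all"):
        print(value, "->", audit_spf(value) or "ok")
    for value in ("v=DMARC1; p=quarantine; rua=mailto:dmarc@domain.com",
                  "v=DMARC1; p=none"):
        print(value, "->", audit_dmarc(value) or "ok")
```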

Summary: Microsoft Office 365 Three-Layer Authentication Model

Microsoft 365 SMTP authentication has THREE layers that must ALL be enabled:

  1. Tenant Level (Organization-wide)
    • Exchange Admin Center → Mail flow settings
    • Must uncheck "Turn off SMTP AUTH protocol"
  2. Security Policy Level (Azure AD)
    • Security Defaults must be disabled OR
    • Conditional Access policies must allow basic auth for SMTP
  3. Mailbox Level (Individual user/mailbox)
    • Each mailbox must have SMTP AUTH enabled
    • Can be set via Admin Center
    • Requires proper licensing for non-shared mailboxes

All three layers must be configured correctly for SMTP to work!
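
Added example (not part of the original guide): a triage helper that maps the four server replies quoted in this guide to the layer that rejected the login, so only that layer's setting is changed instead of loosening all three. The names classify and summarize, the layer labels, and the sample log layout are assumptions made for the example.

```python
import re
from collections import Counter, namedtuple

# 5.7.139 covers three causes; the reply text tells them apart. Phrases are
# from the replies quoted in this guide: (phrase, example's layer label, check).
RULES_5_7_139 = [
    ("smtpclientauthentication is disabled for the tenant", "tenant",
     "Exchange Admin Center: Settings, Mail flow"),
    ("security defaults policy", "security-policy",
     "Entra ID: Security defaults, Conditional Access"),
    ("did not meet the criteria", "mailbox",
     "Mailbox: Authenticated SMTP setting, password, license"),
]
# Optional 3-digit reply code, optional enhanced status code, then free text.
REPLY_RE = re.compile(
    r"(?:(?P<code>[245]\d\d)[ -])?(?:(?P<enh>[245]\.\d{1,3}\.\d{1,3}) )?(?P<text>.*)")
Diagnosis = namedtuple("Diagnosis", "code enhanced layer check")

def classify(reply):
    """Map one SMTP reply (str or bytes, possibly multi-line) to a layer."""
    if isinstance(reply, bytes):
        reply = reply.decode("utf-8", "replace")
    m = REPLY_RE.match(" ".join(reply.split()))  # fold continuation lines
    code, enh, text = m.group("code"), m.group("enh"), m.group("text").lower()
    if enh == "5.7.57":  # this reply does not name a layer
        return Diagnosis(code, enh, "any", "Tenant, security policy, mailbox")
    if enh == "5.7.139":
        for phrase, layer, check in RULES_5_7_139:
            if phrase in text:
                return Diagnosis(code, enh, layer, check)
    return Diagnosis(code, enh, "unclassified", "Not a reply from this guide")

def summarize(log_lines):
    """Count rejections per layer in client log lines that embed a reply."""
    hits = Counter()
    for line in log_lines:
        found = re.search(r"(?:[45]\d\d[ -])?5\.7\.(?:139|57) .*", line)
        if found:
            hits[classify(found.group(0)).layer] += 1
    return hits

# Constructed sample log: timestamps, logger name and layout are made up.
SAMPLE_LOG = [
    "09:12:01 mailer ERROR 535 5.7.139 Authentication unsuccessful, "
    "SmtpClientAuthentication is disabled for the Tenant.",
    "09:31:44 mailer ERROR 535 5.7.139 Authentication unsuccessful, the "
    "request did not meet the criteria to be authenticated successfully.",
    "09:33:10 mailer ERROR 5.7.57 Client not authenticated to send mail.",
    "09:50:02 mailer INFO 250 2.0.0 OK",
]
```

With Python's smtplib, the reply text is available as the smtp_error attribute of a caught SMTPAuthenticationError and can be passed to classify() directly.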


Best Practices Going Forward

For Production Use:

  1. Use OAuth2 instead of basic auth (more secure, Microsoft's recommended approach)
  2. Implement Conditional Access policies instead of completely disabling Security Defaults
  3. Use App Passwords if MFA is required
  4. Monitor sign-in logs regularly for suspicious activity
  5. Enable SMTP only for specific mailboxes that need it, not tenant-wide

OAuth2 authentication approach:

  • Works with Security Defaults enabled
  • Supports MFA natively
  • More secure (no password storage)
  • Microsoft's recommended method
  • Future-proof (basic auth being phased out)