Microsoft (and others) want to change how you sign in to desktop email programs.
I’m not sure I can get you what you want only for outgoing (SMTP) email. However, we can certainly set up both incoming and outgoing email to use OAuth2, the so-called “modern authentication method”.
I’ll show you how to do that and explain why it’s both modern and necessary.
Modern authentication: how and why
To accommodate Microsoft’s “Modern Authentication Methods” in many email programs, you need to set up the entire email account, including both incoming and outgoing mail, using OAuth2. During setup, the program hands off authentication to Microsoft, enabling enhanced security that includes two-factor, passwordless authentication, and more.
I’ll be using Thunderbird as my example throughout this article, but the concepts apply to most email programs capable of supporting OAuth2 (Open Authentication version 2, a new protocol for signing in to online services).
Outgoing Setup
As I alluded to above, I’m not aware of a way to set up only outgoing mail to use OAuth2. The only option seems to be to use the traditional username and password.
As you point out, there’s nothing “modern” about the connection and security selections; OAuth2 isn’t on the list.
What we need to do is set up the account from scratch to use OAuth2 for everything, including incoming email.
Account Setup
When you set up a new email account in Thunderbird, magic kinda happens. For example, I’m about to add a Hotmail account. Note that I haven’t specified a password (though I could; it doesn’t matter).
As soon as I hit “Continue”, a new and different dialog is presented.
Here’s what’s different: this is not Thunderbird. Thunderbird has handed off the process of authentication to the mail service handling the account; in this case, a webpage presented directly by Microsoft’s servers. Once you fulfill the request (password, 2FA, or something else), you’ll be asked to confirm some permissions.
You’re then returned to where you started.
Click on Done, and the account is configured…
… and so is your outgoing mail.
That’s it. You’re done.
Maybe someday, email programs will allow you to configure outgoing credentials using OAuth2 separately, but for now, this is it.
Why all the hoopla?
In a nutshell, increased security.
OAuth2 enables your email account to use:
- Two-factor authentication (without any “app password” workaround)
- Passwordless authentication
- Passkey authentication
- More
Since the authentication is not being performed by Thunderbird, email services can use whatever techniques they want, now and in the future, to confirm you are who you say you are.
The process for Thunderbird was:
- Ask the email provider (in this case, Microsoft) to authenticate you using your email address.
- Once you’re authenticated, Thunderbird receives and saves a secure token.
- It then uses that token when connecting to the email service in the future.
With the rise of passwordless, two-factor, and other alternative authentication mechanisms, OAuth2 removes the burden of understanding those mechanisms from the email program and places it in the hands of the online service using or requiring them.
And Microsoft thinks that’s more “modern” than the old username/password system.
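To make the last step of that process concrete, here is an added example (not from the original article and not Thunderbird's code) that builds the credential a mail client presents over SMTP or IMAP in both styles. It assumes the provider accepts the XOAUTH2 SASL mechanism, which the article does not name; the account, password, and token are constructed sample values.

```python
import base64

# Constructed sample values, not real credentials.
USER = "user@example.com"
PASSWORD = "correct-horse-battery"
TOKEN = "EXAMPLE.ACCESS.TOKEN=="

def sasl_plain(user, password):
    """Legacy AUTH PLAIN response (RFC 4616): the password itself goes on the wire."""
    return base64.b64encode(f"\x00{user}\x00{password}".encode()).decode()

def sasl_xoauth2(user, access_token):
    """XOAUTH2 response: user plus a bearer token, separated by Ctrl-A (0x01)."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()

def parse_xoauth2(response):
    """Decode an XOAUTH2 response; raise ValueError if it is not well formed."""
    raw = base64.b64decode(response, validate=True).decode()
    if not raw.endswith("\x01\x01"):
        raise ValueError("missing \\x01\\x01 terminator")
    fields = dict(part.split("=", 1) for part in raw[:-2].split("\x01"))
    scheme, _, token = fields.get("auth", "").partition(" ")
    if scheme != "Bearer" or not token or "user" not in fields:
        raise ValueError("not a Bearer XOAUTH2 response")
    return {"user": fields["user"], "token": token}

def contains_secret(response, secret):
    """True if the decoded response carries the given secret verbatim."""
    return secret.encode() in base64.b64decode(response)

if __name__ == "__main__":
    legacy = sasl_plain(USER, PASSWORD)
    modern = sasl_xoauth2(USER, TOKEN)
    print("SMTP legacy: AUTH PLAIN", legacy)
    print("SMTP modern: AUTH XOAUTH2", modern)
    print("password in legacy response:", contains_secret(legacy, PASSWORD))
    print("password in modern response:", contains_secret(modern, PASSWORD))
    print("parsed:", parse_xoauth2(modern))
```

The token still needs protecting on disk and in transit: whoever holds it can act as the mailbox until it expires or is revoked.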
Microsoft and other email providers are rolling out modern authentication now and will eventually make it a requirement. When that happens, you’ll need to set up your email account again in your desktop email program if it’s still using password-based “legacy” authentication.
Do this
When you’re setting up an account, use OAuth2. Even if you still choose to use username/password to authenticate, OAuth2 gives you other options in the future.
Leo,
This explains a lot of my email client battles recently trying to access the ISP’s email using MS Outlook 2010 as my email client. While their support was totally unhelpful, they did manage to mention that Microsoft had made some changes which they had adopted. Now, with your article, the pieces are finally starting to fall into place.
My question for you is what versions of MS Outlook client support the new OAuth2 security? I had tried upgrading to Microsoft 365 to get the latest version of Outlook, but authentication still didn’t work. And I did rebuild the email account from scratch but never saw anything that referenced a new authentication option. Any clues as to what I may have done wrong?
Thanks.
The latest version of Office should work, but you may need to re-create the accounts in Outlook.
A very helpful article, Leo: I am also having a battle accessing my messages via Basic Authentication and have only discovered the reason for the problem through extensive searches.
As I understand it, only Office Outlook from 2021 natively supports Modern Authentication, but versions from 2013 can be updated.
For those needing a client which will work on older versions of Windows, the makers of OE Classic state that their program functions on all from 2000 to 11; furthermore, it is fully up-to-date and has supported Modern Authentication for the last two years.
For my part, I wish MS were providing some alternative which would enable me to keep using my present program: they can surely afford an alternative server for those who need one.
I have two applications that require SMTP access only. These are the two backup programs I use (Macrium Reflect and Acronis True Image). They use email to send notifications with the result each time a backup is run (successful, failed, etc.).
For many years I had used my email address provided by my ISP (username, password) without problem, but they have closed down their email servers, forcing me to use my Gmail address to send notifications. Gmail considered my backup programs to be insecure, forcing me to jump through the hoops to implement “app passwords” for each program. I didn’t see any reference or option regarding OAuth2.