T The Triage ManualTechnical Guides for IT Emergencies
P2 · Exchange & Mail Flow

Microsoft 365 SMTP Relay Configuration — Enabling IP-Based SMTP Sending for On-Premises Devices via Exchange Online Connector

On-premises devices (printers, scanners, applications) fail to relay outbound email through Exchange Online when no inbound connector exists to authenticate by IP address, or when SMTP AUTH is misconfigured or unrestricted. Two supported relay methods exist: (1) IP-based relay via an Exchange Online inbound connector on port 25 — no credentials required, suitable for devices that cannot store passwords; (2) SMTP AUTH on port 587 with per-mailbox enablement restricted by a Conditional Access policy scoped to a trusted Named Location — required when the device must authenticate but must not expose credentials to the open internet. Without proper configuration, SMTP submissions are rejected or the tenant is exposed to credential-based attacks.

Indicators

Likely causes

Diagnostic steps

  1. Identify the public IP address of the on-premises device, application, or server that needs to relay email. Confirm it is static and will not change. Use whatismyip.com from the device network or check with ISP.
    The Exchange Online inbound connector uses IP address matching to authorize relay; a dynamic IP will break the connector.
  2. Log in to the Microsoft 365 admin portal and navigate to the Exchange Admin Center (EAC) at admin.exchange.microsoft.com.
    Confirms administrative access and provides the interface to create the required inbound SMTP relay connector.
  3. In the Exchange Admin Center, navigate to Mail Flow > Connectors and review any existing connectors to determine if an inbound relay connector is already present for the device's IP.
    Avoids creating duplicate connectors and identifies whether the issue is a missing connector or a misconfigured existing one.
  4. Test SMTP connectivity from the device network to the tenant MX endpoint on port 25: Test-NetConnection -ComputerName tenant-com.mail.protection.outlook.com -Port 25
    Determines whether the failure is network connectivity, port blocking by ISP, or an Exchange Online policy rejection.
  5. Verify the sender domain used by the device matches an accepted domain configured in the Microsoft 365 tenant under Settings > Domains in admin.microsoft.com.
    Exchange Online will reject relay if the From address domain is not an accepted domain in the tenant, even with a valid IP connector.
  6. Review Mail Flow > Message Trace in EAC for any recent failed delivery attempts from the device's IP to identify specific rejection reasons.
    Message trace provides the exact Exchange Online rejection response and identifies which policy or connector rule blocked the message.
  7. Verify the tenant-level SMTP AUTH setting in Exchange Online (EAC or Get-TransportConfig) to determine whether SMTP AUTH is globally enabled or disabled.
    Establishes baseline — if disabled tenant-wide, per-mailbox overrides and Conditional Access are the correct scoping mechanism.
  8. Check whether the specific mailbox used by the legacy device has per-mailbox SMTP AUTH enabled via EAC mailbox features or PowerShell: Get-CASMailbox -Identity <UPN> | Select SmtpClientAuthenticationDisabled
    Confirms whether the individual mailbox is configured to allow SMTP AUTH independent of the tenant-wide setting.
  9. Review Conditional Access policies in Microsoft Entra ID (Azure Portal > Entra ID > Security > Conditional Access) for any policy targeting or blocking 'Office 365 Exchange Online' that could affect SMTP AUTH scenarios.
    Identifies policy conflicts or gaps before adding a new restrictive CA policy for SMTP AUTH.
  10. After CA policy configuration, test SMTP AUTH from both the allowed IP and a disallowed IP using Telnet or an SMTP test client against smtp.office365.com port 587.
    Validates that the CA policy permits connections from the trusted IP and blocks all other SMTP AUTH attempts.
  11. Review Entra ID Sign-in logs (Azure Portal > Entra ID > Sign-in logs) filtered for the service account and 'Exchange Online' app to confirm successful sign-ins from the allowed IP and blocked attempts from others.
    Provides audit confirmation that CA policy enforcement is operating as intended.

Resolution path

Prevention

Tools

References

Microsoft 365Exchange OnlineSMTPSMTP RelaySMTP AUTHMail FlowConnectorExchange Admin CenterPrinterScannerOn-premisesEmail RelayPort 25Port 587Hybrid MailIP AuthenticationMX EndpointConditional AccessMicrosoft Entra IDBasic AuthenticationNamed LocationsEmail SecurityIdentity Security