Microsoft 365 SMTP Relay Configuration — Enabling IP-Based SMTP Sending for On-Premises Devices via Exchange Online Connector
On-premises devices (printers, scanners, applications) fail to relay outbound email through Exchange Online when no inbound connector exists to authenticate by IP address, or when SMTP AUTH is misconfigured or unrestricted. Two supported relay methods exist: (1) IP-based relay via an Exchange Online inbound connector on port 25 — no credentials required, suitable for devices that cannot store passwords; (2) SMTP AUTH on port 587 with per-mailbox enablement restricted by a Conditional Access policy scoped to a trusted Named Location — required when the device must authenticate but must not expose credentials to the open internet. Without proper configuration, SMTP submissions are rejected or the tenant is exposed to credential-based attacks.
Indicators
- On-premises application, printer, or scanner fails to send email through Microsoft 365
- SMTP connections to Exchange Online are rejected when device lacks a licensed M365 mailbox account
- Outbound email from on-premises devices silently drops or returns an SMTP relay denial error
- Devices configured with smtp.office365.com fail to authenticate when no per-device M365 account exists
- SMTP relay attempts return '550 5.7.1 Service unavailable' or similar rejection messages
- Legacy device cannot send email via SMTP AUTH (smtp.office365.com:587) after SMTP AUTH was disabled at tenant or per-mailbox level
- SMTP AUTH connections from unintended IP addresses are succeeding, indicating unrestricted SMTP AUTH is globally enabled
- Security audit identifies SMTP AUTH enabled globally on the tenant, creating credential-abuse risk
Likely causes
- No inbound connector configured in Exchange Online to accept SMTP relay from the device's public IP address
- Device or application attempting to relay through Microsoft 365 without a licensed mailbox credential and no IP-based relay exception in place
- Public IP of the sending device is dynamic or has changed, causing the relay connector's IP allow-list to no longer match
- SMTP AUTH is disabled at the tenant level (the default secure posture in Microsoft 365), blocking all legacy device SMTP AUTH attempts
- SMTP AUTH enabled globally without IP restriction, exposing tenant to brute-force and credential-stuffing attacks
- No Conditional Access policy exists to scope SMTP AUTH to trusted Named Locations only
- Per-mailbox SMTP AUTH override not configured for the service account used by the legacy device
- From address domain used by device is not an accepted domain in the Microsoft 365 tenant
Diagnostic steps
-
Identify the public IP address of the on-premises device, application, or server that needs to relay email. Confirm it is static and will not change. Use whatismyip.com from the device network or check with ISP.The Exchange Online inbound connector uses IP address matching to authorize relay; a dynamic IP will break the connector.
-
Log in to the Microsoft 365 admin portal and navigate to the Exchange Admin Center (EAC) at admin.exchange.microsoft.com.Confirms administrative access and provides the interface to create the required inbound SMTP relay connector.
-
In the Exchange Admin Center, navigate to Mail Flow > Connectors and review any existing connectors to determine if an inbound relay connector is already present for the device's IP.Avoids creating duplicate connectors and identifies whether the issue is a missing connector or a misconfigured existing one.
-
Test SMTP connectivity from the device network to the tenant MX endpoint on port 25: Test-NetConnection -ComputerName tenant-com.mail.protection.outlook.com -Port 25Determines whether the failure is network connectivity, port blocking by ISP, or an Exchange Online policy rejection.
-
Verify the sender domain used by the device matches an accepted domain configured in the Microsoft 365 tenant under Settings > Domains in admin.microsoft.com.Exchange Online will reject relay if the From address domain is not an accepted domain in the tenant, even with a valid IP connector.
-
Review Mail Flow > Message Trace in EAC for any recent failed delivery attempts from the device's IP to identify specific rejection reasons.Message trace provides the exact Exchange Online rejection response and identifies which policy or connector rule blocked the message.
-
Verify the tenant-level SMTP AUTH setting in Exchange Online (EAC or Get-TransportConfig) to determine whether SMTP AUTH is globally enabled or disabled.Establishes baseline — if disabled tenant-wide, per-mailbox overrides and Conditional Access are the correct scoping mechanism.
-
Check whether the specific mailbox used by the legacy device has per-mailbox SMTP AUTH enabled via EAC mailbox features or PowerShell: Get-CASMailbox -Identity <UPN> | Select SmtpClientAuthenticationDisabledConfirms whether the individual mailbox is configured to allow SMTP AUTH independent of the tenant-wide setting.
-
Review Conditional Access policies in Microsoft Entra ID (Azure Portal > Entra ID > Security > Conditional Access) for any policy targeting or blocking 'Office 365 Exchange Online' that could affect SMTP AUTH scenarios.Identifies policy conflicts or gaps before adding a new restrictive CA policy for SMTP AUTH.
-
After CA policy configuration, test SMTP AUTH from both the allowed IP and a disallowed IP using Telnet or an SMTP test client against smtp.office365.com port 587.Validates that the CA policy permits connections from the trusted IP and blocks all other SMTP AUTH attempts.
-
Review Entra ID Sign-in logs (Azure Portal > Entra ID > Sign-in logs) filtered for the service account and 'Exchange Online' app to confirm successful sign-ins from the allowed IP and blocked attempts from others.Provides audit confirmation that CA policy enforcement is operating as intended.
Resolution path
- METHOD 1 — IP-BASED RELAY via Exchange Online Inbound Connector (port 25, no credentials):
- Step 1 — Log in to the Exchange Admin Center (admin.exchange.microsoft.com) with Global Admin or Exchange Admin credentials.
- Step 2 — Navigate to Mail Flow > Connectors and click '+ Add a connector'. Set the connection type: From = 'Your organization's email server', To = 'Office 365'.
- Step 3 — Name the connector descriptively (e.g., 'On-Premises Device SMTP Relay') and configure authentication method: select 'By verifying that the IP address of the sending server matches one of these IP addresses'.
- Step 4 — Enter the static public IP address(es) of the on-premises device, server, or NAT gateway. Use CIDR notation if a range is required (e.g., 203.0.113.0/24).
- Step 5 — Enable 'Reject email messages if they aren't sent over TLS' for transport encryption security.
- Step 6 — Configure the on-premises device SMTP settings: Server = tenant-com.mail.protection.outlook.com (your tenant MX endpoint), Port = 25, Authentication = None (IP-based relay does not use SMTP AUTH), TLS = Opportunistic or Required.
- Step 7 — Set the device From address to use a verified domain in the Microsoft 365 tenant (e.g., scanner@contoso.com where contoso.com is an accepted domain).
- Step 8 — Send a test email from the device and monitor Mail Flow > Message Trace in EAC for successful delivery.
- METHOD 2 — SMTP AUTH via Conditional Access Named Location (port 587, credentials restricted by CA policy):
- Alt Step 1 — Create a Named Location in Entra ID: Azure Portal > Entra ID > Security > Conditional Access > Named Locations > New location. Select 'IP ranges location', name it (e.g., 'SMTP AUTH Allowed IP'), enter the device's static public IP in CIDR notation (e.g., 203.0.113.10/32), and save.
- Alt Step 2 — Enable SMTP AUTH on the specific service-account mailbox: In EAC navigate to the mailbox > Email apps/Mailbox features > enable 'Authenticated SMTP'. Or via PowerShell: Set-CASMailbox -Identity <UPN> -SmtpClientAuthenticationDisabled $false
- Alt Step 3 — Keep SMTP AUTH disabled at the tenant level to limit blast radius if credentials are compromised.
- Alt Step 4 — Create a Conditional Access policy: Azure Portal > Entra ID > Security > Conditional Access > New policy. Assign Users = the specific service account. Cloud apps = 'Office 365 Exchange Online'. Conditions > Locations: Include 'Any location', Exclude the Named Location created in Alt Step 1. Grant = 'Block access'. Enable the policy.
- Alt Step 5 — Configure the legacy device SMTP settings: Server = smtp.office365.com, Port = 587, Authentication = SMTP AUTH (username/password of the service account), TLS = Required (STARTTLS).
- Alt Step 6 — Validate by sending a test email from the trusted IP and verifying in Entra ID Sign-in logs that the allowed IP succeeds and other IPs are blocked by Conditional Access.
Prevention
- Use static public IP addresses for all devices and servers that relay through the Exchange Online connector; document these IPs in a configuration register to prevent connector breakage from IP changes.
- Enforce TLS on the inbound connector so that all SMTP relay traffic between on-premises devices and Exchange Online is encrypted in transit.
- Periodically audit Mail Flow > Connectors in EAC to remove stale or overly permissive connectors that may allow unintended relay sources.
- Prefer IP-based SMTP relay over storing Microsoft 365 credentials in device firmware (printers, scanners) to reduce credential exposure risk.
- Document the connector configuration and associated device IPs in operational runbooks for rapid troubleshooting when IP addresses change.
- Keep SMTP AUTH disabled at the tenant level by default; enable it only on specific mailboxes that absolutely require it for legacy device compatibility.
- Always pair per-mailbox SMTP AUTH enablement with a Conditional Access policy restricting authentication to a known Named Location, so stolen credentials cannot be used from arbitrary internet sources.
- Rotate passwords of SMTP AUTH service accounts on a scheduled basis and monitor Entra ID Sign-in logs for anomalous authentication attempts against those accounts.
- Evaluate whether legacy devices support OAuth 2.0 / Modern Authentication SMTP before defaulting to SMTP AUTH — modern firmware on many printers and scanners supports OAuth-based SMTP, eliminating Basic Authentication risk entirely.
- Use CA policy 'Report-only' mode during initial testing to audit impact before switching SMTP AUTH restriction policies to enforcement.
Tools
- Exchange Admin Center / EAC (admin.exchange.microsoft.com) — connector creation and message tracing
- Mail Flow > Message Trace in EAC — confirms relay connector matching and delivery status
- PowerShell Test-NetConnection — verifies TCP port 25 reachability to M365 MX endpoint
- Telnet client — manual SMTP conversation testing to observe rejection messages
- Microsoft Entra ID Portal (Azure Portal) — create and manage Named Locations and Conditional Access policies
- Exchange Online PowerShell (Set-CASMailbox / Get-CASMailbox) — configure and verify per-mailbox SMTP AUTH setting
- Microsoft Entra ID Sign-in Logs — audit and verify Conditional Access policy enforcement results
References
- How to Securely Allow SMTP Sending through Microsoft 365 using SMTP RELAY — WinTips.org
- How to Securely Allow SMTP AUTH Only from a Specific IP Address in Microsoft 365 with a CA Policy — WinTips.org
- Enable or disable SMTP AUTH in Exchange Online — Microsoft Docs
- Conditional Access Named Locations — Microsoft Docs