Scan to email problems

Question

Scan to email problems

Ekaterina Cuff 0

Hello,

Apologies if this is in the wrong group, but I have recently bought a new MFD which has scan to email which I need to use every day for my business. I have also just migrated over to Office365 and I am trying to set this up, but oh my word.. it seems to be the most convoluted and complicated thing I've ever tried to do and I've already wasted an entire day trying to set this up. Previously I could just use SMTP AUTH and it was a breeze!

Is there a simple how-to guide at all? Reading online, it looks like I'm far from the only person facing this problem and the online help on the Microsoft website sends me to about 15 different articles, all telling me different ways to do it which I'm assuming are all incompatible with each other as I've tried to follow the steps as closely as possible but nothing seems to have worked.

The scanner I have does support OAuth 2.0 and TLS 1.3 so the device should be ok but I'm at a loss to work out what I need to do within Azure / Entra / Exchange.

I did get to a point where OAuth said it was active and the smtp connection test on my MFD said everything was fine but I kept getting errors every time I tried to scan anything.

Any help would be greatly appreciate!

Many thanks,

0 comments

2 answers

Your answer

Answer 1

Vergil-V 11,880 Microsoft External Staff Moderator

Hi @Ekaterina Cuff

Thank you for contacting the Microsoft Q&A forum.

I completely understand the difficulty of setting up SMTP authentication on your device to send email within your organization.

Based on my research, you may try the steps below to see if they help:

1/ Create a user with an Exchange Online subscription

Create an account within your organization that has an active Exchange Online subscription. This account will be used to sign in on the device, and the device will send emails using that account.

2/ Enable SMTP authentication for the user

Go to the Microsoft Admin Center and do the following:

Select Users > Select Active users > Choose the user you created > Go to Mail > Enable SMTP authentication in the Manage email apps section

User's image

3/ Set up the SMTP server and email authentication in your device settings.

The Microsoft SMTP server is smtp.office365.com, and it uses port 587 or 25. Enter the email address you created above and complete the authentication process.

Additionally, you may look for documentation specific to your device brand. Many manufacturers provide clear guidance on how to use the scan‑to‑email feature with Microsoft Exchange through OAuth 2.0.

I hope these suggestions offer some additional insight. If you have any updates, please feel free to share.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Ekaterina Cuff 0 Reputation points

2026-03-10T11:20:15.94+00:00

Hi Vergil,

Thank you for your response!

That was the steps that I used to do to get this working, but I've gone to the Exchange Admin Centre but these are the only options I have under Manage Email Apps: I read yesterday that as of 1st March 2026, Microsoft have removed the Authenticated SMTP option now and you can only do this via OAuth.

The trouble is, that it looks like I need to add apps or resources in Azure / Entra and maybe even run PowerShell commands in Exchange.. etc.

If this really is the only way to do this (and I would be very happy to be proven wrong!), I don't know what Microsoft were thinking when it comes to small businesses or sole traders (like myself) that don't have a dedicated IT team, as surely your average person can't be expected to run PowerShell commands on business critical services like Exchange, with absolutely no experience and one small typo in the commands you enter could completely destroy your email service and without having the enterprise level support from Microsoft available, most likely wait for days or maybe even weeks to get this fixed, which if that happened to my business, I would lose thousands.

Do you know if there is a way of adding the Authenticated SMTP option back at all? I think that would be the easiest fix of all but I'm not sure if it is possible now.

Thanks for your help!

Many thanks,
Vergil-V 11,880 Reputation points Microsoft External Staff Moderator

2026-03-11T03:45:22.4966667+00:00
Hi @Ekaterina Cuff

Thank you for your follow‑up.

Enabling SMTP authentication for a specific mailbox is supported only through the Microsoft Admin Center, as mentioned in my earlier response, or through PowerShell. Below are the steps to enable SMTP authentication for the mailbox.

1/ Run the following command to view the mailbox’s SMTP authentication status:

Get-CASMailbox -Identity $user | Format-List DisplayName,PrimarySmtpAddress,SmtpClientAuthenticationDisabled

The results indicate the following:

True: SMTP authentication is disabled

False: SMTP authentication is enabled

Null: The mailbox inherits the setting from the tenant-level configuration

To verify the tenant‑level SMTP authentication setting, run:

Get-TransportConfig | Format-List SmtpClientAuthenticationDisabled

2/ To enable SMTP authentication for the mailbox:

Set-CASMailbox -Identity $user -SmtpClientAuthenticationDisabled $false

For more details, you may refer to: Enable or disable SMTP AUTH in Exchange Online | Microsoft Learn

Regarding your question about Microsoft not supporting SMTP authentication, I’d like to clarify that the restriction applies only to Basic Authentication with SMTP AUTH. Since you mentioned that your device supports OAuth 2.0, SMTP authentication should continue to work properly.

For more information, please refer to: Deprecation of Basic authentication in Exchange Online | Microsoft Learn

I hope this provides additional clarity.
Vergil-V 11,880 Reputation points Microsoft External Staff Moderator

2026-03-12T04:20:33.1366667+00:00

Hi @Ekaterina Cuff

I just wanted to kindly follow up to see if you’ve had a chance to review my previous response.

I would greatly appreciate any updates you may be able to provide, particularly regarding the usefulness of the information I shared. Your feedback is essential to my ongoing efforts to enhance the quality of my support.

Thank you again for your time, and I look forward to hearing from you.
Ekaterina Cuff 0 Reputation points

2026-03-13T22:56:22.9933333+00:00

Hi Vergil,

Thanks for your assistance! I have verified that SMTP authentication is enabled for my specific mailbox. I seem to have all the right settings on my scanner for the SMTP connection and I have also connected via OAuth but I still can't sent email from my device. Below are the settings on my MFD.

The option for SMTP Authentication on the email settings are greyed out so I cannot turn them on, on my MFD. I'm assuming that's because OAuth is connected?

Also when I do the SMTP connection check on my MFD it says everything has connected successfully so I'm really at a loss now as to what to do next.

Thanks for your help!
Vergil-V 11,880 Reputation points Microsoft External Staff Moderator

2026-03-16T11:13:34.35+00:00

Hi @Ekaterina Cuff

Thank you for the update.

First, please ensure that the account signed in on your device is the same account being used for OAuth authentication. Confirming this alignment can help avoid authentication mismatches.

Next, please go to the Microsoft Entra Admin Center > Monitoring and health > Sign-in logs. There, kindly verify whether the sign-in attempts show a successful status.

If the sign-ins are successful, please proceed to Message trace - Exchange admin center. This will allow you to review the mail flow for the mailbox and gain more clarity to continue the investigation.

If you discover any additional details or observations, please feel free to share them.
Ekaterina Cuff 0 Reputation points

2026-03-16T21:48:43.4033333+00:00

Hi Vergil,

I've checked the sign-in logs and I have successful "Application for Sending E-Mail/I-Fax with OAuth" logs.

However, when I check the mail trace, there is no record of any email at all.

I have finally managed to fix this issue though. I ditched OAuth altogether and ended up setting up an App Password on my Microsoft 365 account then just used the standard settings.

Thanks for your help on this though!
Vergil-V 11,880 Reputation points Microsoft External Staff Moderator

2026-03-16T23:18:18.2966667+00:00

Hi @Ekaterina Cuff
Thank you for sharing your findings
I’m glad to hear that your issue has been resolved.
This is a great piece of additional information that can be helpful for other members experiencing similar issues. It's also something new that I’ve learned today.
I truly appreciate your contribution.

Answer 2

For a multifunction device (MFD) scanning to email with Exchange Online, there are three supported patterns. The correct setup depends on whether the device can authenticate with a mailbox and whether it must send to external recipients.

Decide which configuration model to use

From the description (supports OAuth 2.0, TLS 1.3, and needs to send every day for business, likely to internal and external recipients), the two realistic options are:

SMTP AUTH client submission (recommended when the device can authenticate as a mailbox and send to internal/external recipients).
Microsoft 365/Office 365 SMTP relay (when the device must send “as” multiple users or cannot authenticate with a mailbox, and you can send from a static IP).

Direct send is only for sending to recipients in the same Microsoft 365 tenant and cannot send to external addresses.

To confirm what is currently configured on the MFD:

If the server is smtp.office365.com and a username/password are entered, it is using SMTP AUTH client submission.
If the server ends with mail.protection.outlook.com and no credentials are configured, it is using direct send.
If the server ends with mail.protection.outlook.com and there is a connector in Exchange Online for your on-premises IP or certificate, it is using Microsoft 365/Office 365 SMTP relay.

See the section “My printer is already configured for email, but I don't know which configuration option it uses” for a concise comparison of these three options.

SMTP AUTH client submission checklist (simplest if device can log on as a mailbox)

Use this if the MFD can:

Connect to smtp.office365.com on port 587 (TLS).
Authenticate with a single Microsoft 365 mailbox (username/password).

Key steps:

Verify SMTP AUTH is enabled on the mailbox used by the MFD:

In Exchange Online PowerShell, run:

     Get-CASMailbox -Identity <EmailAddress> | Format-List SmtpClientAuthenticationDisabled

If the value is True, enable SMTP AUTH for that mailbox:

     Set-CASMailbox -Identity <EmailAddress> -SmtpClientAuthenticationDisabled $false

Ensure modern security controls are compatible with SMTP AUTH:
- If multifactor authentication (MFA) is enabled on that mailbox, disable MFA for this account or use an app password (if allowed in the tenant). The guidance in the context explicitly calls out disabling MFA on the licensed mailbox used by the device.
- If Security Defaults are enabled, they may block legacy auth, including SMTP AUTH. The article describes how to disable Security Defaults (with a clear caution about security risk) under Microsoft Entra ID > Properties > Manage security defaults.
- If there is a Conditional Access policy blocking legacy authentication, exclude the MFD mailbox under Users and Groups > Exclude in that policy.
Configure the MFD:
- SMTP server: smtp.office365.com
- Port: 587
- Encryption: STARTTLS/TLS (device must support TLS 1.2+; TLS 1.3 support is fine)
- Authentication: username/password of the Microsoft 365 mailbox dedicated for the device.
- From address: must match the authenticated mailbox address. If the device tries to send “From” a different address, you will see 5.7.60 SMTP; Client does not have permissions to send as this sender and should instead use SMTP relay.
Test connectivity from the network where the MFD resides:
- Use Telnet from a workstation on the same network:
  - Install Telnet Client.
  - Run telnet.
  - open smtp.office365.com 587.
- If the connection fails, the firewall or ISP is blocking port 587 (or 25 if using that). This must be fixed before the MFD can send mail.
Common SMTP AUTH errors and fixes:
- 535 5.7.3 Authentication unsuccessful or 5.7.57 Client not authenticated to send mail:
  - Confirm SMTP AUTH is enabled on the mailbox.
  - Confirm MFA/Security Defaults/Conditional Access are not blocking the login.
  - Confirm correct username/password.
- Client was not authenticated to send anonymous mail during MAIL FROM:
  - Indicates the device is connecting to smtp.office365.com but not authenticating. Enter mailbox credentials or switch to direct send/SMTP relay.
Direct send (no authentication, internal recipients only)

Use this only if:

The MFD must send only to recipients in the same Microsoft 365 tenant.
You want to avoid authentication.

Configuration:

SMTP server: your tenant MX endpoint (ends with mail.protection.outlook.com).
Port: 25, TLS if supported.
No authentication.

Limitations and issues:

Cannot send to external recipients by design. If external mail is required, use SMTP AUTH or SMTP relay.
If emails are marked as junk, use a static IP and ensure the SPF record includes that IP.
If the device is currently pointed at smtp.office365.com without auth, you will see Client was not authenticated to send anonymous mail during MAIL FROM; switch to the MX endpoint for direct send.

Microsoft 365/Office 365 SMTP relay (for multiple senders or line-of-business scenarios)

Use this if:

The device must send as multiple users or addresses that do not match the authenticated account.
You have a static public IP and can create an inbound connector in Exchange Online.

High-level steps:

Configure an inbound connector in Exchange Online that identifies your on-premises device by IP or certificate.
Configure the MFD to send to your tenant’s MX endpoint (*.mail.protection.outlook.com) over port 25 from that static IP.
Ensure SPF includes the static IP.

If email is marked as junk or rejected:

Confirm the static IP in the connector and SPF record is correct and up to date (ISP/network changes can alter the IP).
If the connector no longer matches (IP or certificate changed), update the connector so messages are correctly attributed to the tenant.

If configuration still fails

Re-check the configuration against the official “How to set up a multifunction device or application to send email using Microsoft 365 or Office 365” article referenced in the troubleshooting guide.
Use the built-in diagnostic in the Microsoft 365 admin center (“Run diagnostic to setup applications or devices sending email using Microsoft 365”) to validate the chosen method (SMTP AUTH, direct send, or SMTP relay) and detect common misconfigurations.

In summary, for a modern MFD that supports TLS 1.2+ and daily business use, the simplest path is usually SMTP AUTH client submission with a dedicated mailbox, ensuring SMTP AUTH is enabled on that mailbox and that security controls (MFA, Security Defaults, Conditional Access) are configured to allow SMTP AUTH for that specific account.

References:

Share via

Scan to email problems

2 answers

Your answer