535 5.7.139 Authentication Unsuccessful — SMTP AUTH Disabled (Microsoft 365)

What’s actually happening

Your app authenticates to smtp.office365.com and immediately gets 535 5.7.139. The same credentials log into Outlook on the web fine. This is Microsoft blocking basic-auth SMTP, not a bad password — it became the default as they retired basic auth.

Common causes

• Authenticated SMTP (SMTP AUTH) is disabled on the specific mailbox.
• SMTP AUTH is disabled tenant-wide, which is the default for newer Microsoft 365 tenants.
• Security Defaults are on, blocking legacy/basic authentication including SMTP AUTH.
• A Conditional Access policy is blocking legacy authentication clients.
• The app is sending basic-auth credentials at all — Microsoft has been deprecating basic auth for SMTP in favor of OAuth2.

How to fix it

1. Enable SMTP AUTH on the mailboxIn the Microsoft 365 admin center go to Users > the user > Mail > Manage email apps, and tick 'Authenticated SMTP'. Or via PowerShell: Set-CASMailbox -Identity [email protected] -SmtpClientAuthenticationDisabled $false.
2. Check the tenant-wide settingRun Get-TransportConfig | fl SmtpClientAuthenticationDisabled. If it's True, the whole tenant blocks SMTP AUTH; set it to $false to allow it, then re-enable per mailbox as needed.
3. Account for Security DefaultsIn Entra ID > Properties > Manage security defaults, Security Defaults block legacy auth. Either keep them on and switch the app to OAuth2, or disable them only if your security posture allows.
4. Switch the app to OAuth2Microsoft's long-term path is OAuth2/XOAUTH2 against smtp.office365.com. Register an app in Entra ID, grant SMTP.Send, and use a token instead of a password. WP Mail SMTP and Post SMTP support the Microsoft/Outlook OAuth path.
5. Review Conditional AccessIn Entra ID > Conditional Access, check for a policy blocking 'Other clients' / legacy auth. Exclude the service account or move to a modern-auth flow.