
The 535 5.7.3 error means Microsoft 365 rejected your SMTP authentication — typically because Authenticated SMTP is disabled for the user, Security Defaults are blocking legacy auth, or OAuth2 configuration is incorrect.
Fix it by enabling Authenticated SMTP in the Microsoft 365 Admin Center, disabling Security Defaults (if legacy auth is required), and verifying OAuth2 scopes for https://outlook.office365.com/.default.
Microsoft has progressively tightened authentication requirements. Basic SMTP auth works only when explicitly enabled per-user, and modern security policies often block it entirely.
Moreover, if you’re developing applications, OAuth2 is the recommended (and increasingly required) authentication method for Microsoft 365 SMTP.
Quick skim — 535 5.7.3 error overview
The 535 5.7.3 error indicates Microsoft-specific SMTP authentication failure.
| Attribute | Details |
| --- | --- |
| Error code | 535 5.7.3 |
| Category | Microsoft 365 authentication |
| Meaning | SMTP authentication unsuccessful |
| Severity | Permanent (requires admin configuration) |
| Common causes | SMTP auth disabled, Security Defaults, OAuth misconfiguration |
| Fix approach | Enable SMTP auth → check Security Defaults → verify OAuth2 |
What does authentication unsuccessful mean?
Microsoft 365 restricts SMTP authentication to prevent credential-based attacks. By default, users cannot authenticate via basic SMTP — the feature must be explicitly enabled. Additionally, tenant-wide security policies may block legacy authentication methods entirely.
The authentication hierarchy looks like:
| Policy Level | What It Controls |
| --- | --- |
| Per-user SMTP | Whether a specific user can authenticate via SMTP |
| Security Defaults | Tenant-wide legacy auth blocking |
| Conditional Access | Policy-based authentication restrictions |
| MFA requirements | Multi-factor authentication enforcement |
The 535 5.7.3 error appears when any level blocks your authentication attempt.
Why does the 535 5.7.3 error occur?
Multiple Microsoft 365 settings can prevent SMTP authentication.
Authenticated SMTP disabled
The most common cause — SMTP auth isn’t enabled for the user:
- The default setting is disabled for all users
- Must be explicitly enabled per-user
- Admin action required
Security Defaults enabled
Tenant-wide Security Defaults block legacy authentication:
- Automatically enabled on newer tenants
- Blocks basic SMTP authentication
- Requires modern auth (OAuth2) or explicit disable
Per-user MFA conflict
Legacy multi-factor authentication can interfere:
- Per-user MFA (older style) blocks some auth methods
- Conditional Access MFA handles authentication better
- Mixed MFA approaches cause conflicts
OAuth2 misconfiguration
For applications using OAuth2:
- Wrong scope specified
- Access token expired
- Incorrect SMTP server address
- Missing API permissions
How do you fix 535 5.7.3?
Start with the most common fix (enabling SMTP auth), then address policy conflicts.
Enable Authenticated SMTP
Turn on SMTP for the specific user:
- Go to Microsoft 365 Admin Center
- Navigate to Users → Active users
- Select the affected user
- Click Mail → Manage email apps
- Check Authenticated SMTP
- Save changes
Changes typically apply within 15-30 minutes (sometimes faster).
Toggle SMTP setting
If already enabled but not working:
- Uncheck Authenticated SMTP
- Save changes
- Wait 5 minutes
- Re-check Authenticated SMTP
- Save again
The toggle-reset sometimes clears stuck states (a frustrating but effective workaround).
Disable Security Defaults
If your tenant uses Security Defaults and you need basic SMTP:
- Go to Microsoft Entra ID (Azure AD)
- Navigate to Properties
- Manage Security Defaults
- Set to No (disabled)
Disabling Security Defaults removes tenant-wide legacy auth blocking. However, this reduces security — consider Conditional Access policies for granular control instead.
Disable per-user MFA
Legacy per-user MFA can conflict with SMTP:
- Go to Microsoft 365 Admin Center
- Navigate to Users → Active users
- Click Multi-factor authentication
- Select the user
- Disable per-user MFA
Use Conditional Access MFA instead for better compatibility with various authentication methods.
Configure OAuth2 correctly
For applications using OAuth2:
- Use server: smtp.office365.com
- Use port: 587
- Enable TLS/STARTTLS
- Scope: https://outlook.office365.com/.default
- Ensure the app has SMTP.Send permission in Azure AD
Refresh access tokens
OAuth2 tokens expire:
- Access tokens typically last 1 hour
- Implement token refresh logic
- Don’t cache expired tokens
- Handle refresh failures gracefully
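The OAuth2 settings and the token-refresh rules above, combined in one client-side sketch. This is an added example, not code from the original page: it authenticates with the SASL XOAUTH2 mechanism, and `fetch_token` is a hypothetical caller-supplied function (for instance a wrapper around your identity library) that returns `(access_token, expires_in_seconds)` for the scope given above.

```python
import base64
import smtplib
import ssl
import time

SMTP_HOST, SMTP_PORT = "smtp.office365.com", 587  # server and port from the page

def xoauth2_string(user, access_token):
    """Base64 SASL XOAUTH2 response sent with the 'AUTH XOAUTH2' command."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")

class TokenCache:
    """Caches one access token and refreshes it shortly before it expires."""

    def __init__(self, fetch_token, skew=300, clock=time.monotonic):
        self._fetch = fetch_token   # hypothetical callable, see lead-in
        self._skew = skew           # refresh this many seconds early
        self._clock = clock
        self._token = None
        self._expires_at = 0.0

    def get(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            try:
                token, expires_in = self._fetch()
                self._token, self._expires_at = token, now + expires_in
            except Exception as exc:
                # Refresh failed: reuse the old token only while it is still
                # valid; an expired token is one of the 535 5.7.3 causes.
                if self._token is None or now >= self._expires_at:
                    self._token = None
                    raise RuntimeError("token refresh failed, not sending") from exc
        return self._token

def send(cache, user, message):
    """Send an email.message.EmailMessage over STARTTLS with XOAUTH2."""
    with smtplib.SMTP(SMTP_HOST, SMTP_PORT, timeout=30) as smtp:
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()  # re-issue EHLO on the encrypted channel
        code, reply = smtp.docmd("AUTH", "XOAUTH2 " + xoauth2_string(user, cache.get()))
        if code != 235:
            raise smtplib.SMTPAuthenticationError(code, reply)
        smtp.send_message(message)
```

A 535 reply from `send` with a fresh token points at the tenant-side settings (per-user SMTP, Security Defaults, Conditional Access) rather than at token handling.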
Check Conditional Access
If Conditional Access policies exist:
- Review policies affecting the user
- Check for blocks on legacy authentication
- Verify SMTP isn’t explicitly blocked
- Consider policy exceptions for specific apps
How do you prevent authentication failures?
Proper planning prevents recurring 535 5.7.3 errors.
Plan the authentication method
Choose your approach before implementation:
- Basic SMTP auth (requires per-user enablement, blocked by some policies)
- OAuth2 (recommended for applications, more complex setup)
- SMTP relay (for devices that can’t authenticate)
Document configurations
Track what’s enabled for whom:
- Which users have SMTP auth enabled
- What policies affect authentication
- OAuth2 app registrations and permissions
Monitor authentication health
Set up alerts for authentication failures:
- Track SMTP auth failures in Azure AD logs
- Monitor for policy changes affecting auth
- Review sign-in logs for blocked attempts
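One way to triage exported sign-in records for the monitoring points above. This is an added example, not part of the original page: the field names follow the Microsoft Graph signIn resource, all sample values are constructed, and the `min_users` threshold is an assumption to tune for your tenant.

```python
from collections import Counter, defaultdict

def rec(user, app, ip, code):
    """Build one constructed sign-in record (subset of signIn fields)."""
    return {"userPrincipalName": user, "clientAppUsed": app,
            "ipAddress": ip, "status": {"errorCode": code}}

# Constructed sample data; users and IPs are invented for illustration.
SAMPLE = [
    rec("scanner@contoso.example", "Authenticated SMTP", "192.0.2.10", 53003),
    rec("scanner@contoso.example", "Authenticated SMTP", "192.0.2.10", 53003),
    rec("alice@contoso.example", "Authenticated SMTP", "198.51.100.7", 50126),
    rec("bob@contoso.example", "Authenticated SMTP", "198.51.100.7", 50126),
    rec("carol@contoso.example", "Authenticated SMTP", "198.51.100.7", 50126),
    rec("dave@contoso.example", "Authenticated SMTP", "192.0.2.20", 0),
    rec("erin@contoso.example", "Browser", "198.51.100.7", 50126),
]

# Sign-in error codes this example distinguishes (0 means success).
HINTS = {
    50126: "invalid username or password",
    53003: "blocked by Conditional Access",
}

def smtp_failures(records):
    """Failed sign-ins made with the Authenticated SMTP client app."""
    return [r for r in records
            if r.get("clientAppUsed") == "Authenticated SMTP"
            and r.get("status", {}).get("errorCode", 0) != 0]

def summarize(records):
    """Count failures per (user, error code) so repeat failures stand out."""
    return Counter((r["userPrincipalName"], r["status"]["errorCode"])
                   for r in smtp_failures(records))

def spray_candidates(records, min_users=3):
    """Source IPs failing with bad credentials against many distinct users."""
    users_by_ip = defaultdict(set)
    for r in smtp_failures(records):
        if r["status"]["errorCode"] == 50126:
            users_by_ip[r["ipAddress"]].add(r["userPrincipalName"])
    return sorted(ip for ip, users in users_by_ip.items() if len(users) >= min_users)

if __name__ == "__main__":
    for (user, code), n in summarize(SAMPLE).items():
        print(user, code, HINTS.get(code, "other"), n)
    print("possible password spray from:", spray_candidates(SAMPLE))
```

A device account that repeatedly fails with 53003 is a configuration problem to fix in policy, while one address failing with 50126 across many users is a reason to keep SMTP auth disabled for accounts that do not need it.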
Still stuck after trying the fix?
Some email errors are easy to clear. Others point to deeper deliverability issues involving authentication, sender reputation, blacklisting, routing, or mailbox provider policy. If you would rather have an expert review it, speak with an email deliverability consultant for free and we can help diagnose the issue and fix it on your behalf.
We look beyond the error message itself to find what is actually breaking delivery, trust, or inbox placement.
From SPF, DKIM, and DMARC to blacklist cleanup, DNS alignment, and sending setup, we can guide or implement the fix.
We assess whether the error is part of a bigger pattern hurting opens, replies, and overall campaign performance.
Talk to a real deliverability expert, get honest guidance, and see the next best step without pressure or upsells.
When should you book a consultation? If the error keeps coming back, affects multiple mailboxes or domains, started after an ESP or DNS change, or is tied to spam placement, low inboxing, high bounce rates, or authentication failures, it is usually faster to get an expert involved early.
Frequently asked questions
Here are some commonly asked questions about this error:
Microsoft disabled basic SMTP authentication by default to reduce the risk of credential-based attacks. Basic auth transmits passwords (potentially exposing them to interception), while modern auth (OAuth2) uses tokens that expire and can be revoked. Microsoft’s security posture prioritizes modern authentication.
No. Security Defaults blocks all legacy authentication methods, including basic SMTP. You must either disable Security Defaults (reducing security) or implement Conditional Access policies that allow specific legacy auth scenarios while blocking others.
OAuth2 is recommended (and increasingly required) for applications. Basic auth is acceptable for personal email clients where OAuth2 isn’t supported. For programmatic sending, always prefer OAuth2 — it’s more secure and won’t break when Microsoft further restricts basic auth.

