535 5.7.139 Authenticationunsuccessful, SmtpClientAuthentication is disabled for the Tenant

In this blog you will learn how to fix 535 5.7.139 Authenticationunsuccessful, SmtpClientAuthentication is disabled for the Tenant error when you are doing email relay using SMTP Auth Client Submission method.

You are performing email relay and getting below error:

2024-02-19 11:45:28 SERVER -> CLIENT: 535 5.7.139 Authentication unsuccessful,
SmtpClientAuthentication is disabled for the Tenant. Visit https://aka.ms/smtp_auth_disabled
for more information. [PA7P264CA0533.FRAP264.PROD.OUTLOOK.COM 2024-02-
19T11:45:28.162Z 08DC304474131504]
2024-02-19 11:45:28 SMTP ERROR: Password command failed: 535 5.7.139 Authentication
unsuccessful, SmtpClientAuthentication is disabled for the Tenant. Visit
https://aka.ms/smtp_auth_disabled for more information.
[PA7P264CA0533.FRAP264.PROD.OUTLOOK.COM 2024-02-19T11:45:28.162Z
08DC304474131504]
SMTP Error: Could not authenticate.

What is SMTP Auth Client Submission

SMTP Client Submission or SMTP Auth Client Submission method is suitable when your requirement is to send emails to both internal and external users. SMTP Auth Client Submission uses the credentials of a mailbox that is hosted on Office 365 to connect to Office 365 server, and once you are authenticated with Office 365 mailbox credentials, you can send emails to internal and external users. The communication in SMTP Client Submission method works on port 587.

535 5.7.139 Authentication unsuccessful, SmtpClientAuthentication is disabled for the Tenant

There can be multiple reasons why you are getting error 535 5.7.139 Authenticationunsuccessful, SmtpClientAuthentication is disabled for the Tenant. For example, SmtpClientAuthentication is disabled for the Tenant, Security defaults is enabled on Azure Active Directory (Microsoft Entra ID) tenant or you are using mailbox password in SMTP Auth Client Submission method.

Let’s discuss all the possible reasons for 535 5.7.139 error and how to fix it.

SmtpClientAuthentication is disabled for the Tenant

To verify if SMTP Client Authentication is enabled in your Microsoft 365 tenant, run below commands in Exchange Online PowerShell (use Connect-ExchangeOnline to connect with EXO tenant):

Get-TransportConfig | fl SmtpClientAuthenticationDisabled
verify SMTP Client Authentication in Exchange Online, get-transportconfig command

In the above image you can see SMTPClientAuthenitcationDisabled parameter is set to False. This indicates SMTP Client Authentication is disabled in the tenant.

To enable SMTP Client Authentication in Exchange Online tenant, run below command in Exchange Online PowerShell:

Set-TransportConfig -SmtpClientAuthenticationDisabled $false

To verify, please run the below command again:

Get-TransportConfig | fl SmtpClientAuthenticationDisabled
enable SMTP Client Authentication on the Tenant

SmtpClientAuthentication is disabled for the mailbox

If SMTP Client Authentication is enabled on the Tenant, but it is disabled on the mailbox level, you will not be able to rely emails using that mailbox under Client Submission method.

Important: The mailbox settings take precedence on the organization level settings. That means, if SMTP Client Authentication is enabled on the tenant level but it is disabled on the mailbox, mailbox setting will take precedence.

To verify SMTP Client Authentication on the mailbox, run below command in Exchange Online PowerShell:

Get-CASMailbox -Identity "Mailbox Name" | fl SmtpClientAuthenticationDisabled
verify smtp client authentication on

If SmtpClientAuthentication is blank ($null), the setting for the mailbox is controlled by the organization level settings.

To enable SMTP Client Authentication on the mailbox level, run below command in Exchange Online PowerShell:

Set-CASMailbox -Identity "Mailbox Name" -SmtpClientAuthenticationDisabled $false

To verify SMTP Client Authentication on the mailbox, run the same command again:

Get-CASMailbox -Identity "Mailbox Name" | fl SmtpClientAuthenticationDisabled

Verify Security defaults in Azure AD (Microsoft Entra ID)

If you are using Client Submission method to relay emails, you need to make sure that Security defaults is disabled in your tenant. Client Submission method do not support Security defaults feature. You need to enabled Modern Authentication for the account that you want to use to send emails from your device, and you need to create app password. You will be using app password in Client Submission settings instead of the mailbox account password.

Conclusion

In this article you learnt how to fix 535 5.7.139 Authenticationunsuccessful, SmtpClientAuthentication is disabled for the Tenant error while doing email relay.

You might like our other articles on Fix outgoing emails to Spam, Bypass Exchange Online Protection (EOP) and Bypass ATP scanning.

If you found this article helpful, please share it within your community and do not forget to share your feedback in the comments below. Join us on YouTube channel for the latest videos on the cloud technology and join our Newsletter for the early access of the articles and updates.

Happy Learning!!