Skip to main content
日本語 简体中文 繁體中文

[Access Control] Access Logs for SMTP Basic Authentication (Microsoft 365)

Question

When checking the Access Control access logs, I found logs labeled "Microsoft.Exchange.SMTP".
What is this? Is any action required?

Answer

This is a log of basic authentication (legacy authentication) that became viewable after the update on December 1, 2025.
This page summarizes frequently asked questions about basic authentication access logs.

What are access logs displaying "SSO Target: Microsoft.Exchange.SMTP"?

These appear when an authentication request using "basic authentication (legacy authentication)" is sent to Access Control during SMTP sending in Microsoft 365 (Exchange Online).
For example, this may be displayed when a multifunction device or application sends email using the "Client SMTP Submission" feature of Microsoft 365.

Reference: How to set up a multifunction device or application to send email using Microsoft 365 or Office 365 (external link)

Why do logs labeled "Microsoft.Exchange.SMTP" appear in Access Control?

If you have federated (integrated) with Microsoft 365, when SMTP basic authentication occurs on the Microsoft 365 side, a basic authentication (Ws-Trust) request is sent to Access Control.
At that time, access control is performed based on the "Condition to allow legacy authentication" set in the Access Control access policy group, and the result is recorded in the access log.

Why do deleted users appear in the "Username" field?

This can occur when a user who has been deleted from Access Control but not from Microsoft 365 attempts to access.
For such access attempts, Access Control receives the authentication request and tries to verify, but since the user does not exist in Access Control, authentication fails.

What causes a large number of "Microsoft.Exchange.SMTP" logs to be generated?

The main causes are as follows:

  • Multifunction devices, apps, scripts, or external systems previously configured are still attempting to send email via SMTP using credentials for old domains or deleted users
  • Basic authentication has not been fully disabled on the Microsoft 365 side, and repeated request attempts are being sent

Can I check basic authentication logs on the Microsoft 365 side?

You can also check the details from the logs on the Microsoft 365 side.
The "Procedure" section under "When using Microsoft 365" in the article below describes the steps for confirmation.

[Access Control] How to check basic authentication access logs