How do I set up Outlook SMTP authentication with 2FA and OAuth2 for GlockApps?
Matthew Whittaker
Co-founder & CTO, Suped
Published 27 Apr 2025
Updated 17 Aug 2025
Setting up SMTP authentication for Microsoft Outlook, especially when integrating with third-party tools like GlockApps, can sometimes present unique challenges. The traditional method of using just a username and password (basic authentication) is increasingly being phased out due to security vulnerabilities. This shift means many senders now encounter errors if they try to connect without employing modern authentication methods.
For platforms such as Google Workspace, the solution often involves enabling two-factor authentication (2FA) and then generating a specific app password for the external service. This approach provides a secure alternative for applications that may not natively support the more advanced OAuth2 protocol.
The good news is that similar secure mechanisms exist for Outlook and Microsoft 365 environments. Understanding these methods is crucial not just for getting your tools to work, but also for maintaining a strong email security posture and ensuring consistent email deliverability, preventing your messages from landing on a blocklist or blacklist.
Understanding Outlook SMTP and modern authentication
Microsoft, like other major email providers, has been actively discouraging and, in some cases, outright disabling basic authentication for SMTP. This is a critical security measure aimed at protecting user accounts from credential stuffing attacks and other threats. While convenient, basic authentication transmits credentials in a less secure manner, making accounts more vulnerable.
Modern authentication, primarily using OAuth2, is the recommended standard. OAuth2 provides a secure, token-based authorization mechanism, meaning your applications don't need to store or transmit your actual username and password directly. Instead, they receive a temporary access token that grants specific permissions, greatly reducing the risk if that token is compromised.
Beware of basic authentication deprecation
Microsoft has been very clear about the deprecation of basic authentication for Exchange Online, impacting Microsoft Office 365 accounts. This means that even if you've used app passwords successfully in the past, your organization's IT policy might have disabled basic authentication entirely, rendering app passwords ineffective for new setups.
This shift impacts how third-party services connect. If your application, such as GlockApps, relies solely on basic authentication, it might fail to connect unless an administrator has specifically enabled or exempted your account from basic auth restrictions. This is a common reason why you might face SMTP error code 5.4.1 or similar issues.
The role of 2FA and app passwords
Two-factor authentication (2FA) significantly enhances account security by requiring a second form of verification beyond just a password. For Microsoft accounts, this typically involves a code from an authenticator app, a text message, or a biometric scan. Once 2FA is enabled, applications that don't support OAuth2 directly, but still need to access your account via SMTP, often require a unique app password.
An app password is a long, randomly generated password that replaces your regular account password for specific applications. It acts as a substitute for your primary password, but it is only valid when 2FA is active. This ensures that even if an app password is leaked, your main account remains protected by the second factor.
Steps to generate an app password (if basic auth is enabled)
1. Go to your Microsoft account security settings.
2. Navigate to 'Advanced security options'.
3. Under 'App passwords', select 'Create a new app password'.
4. Use this generated password in your application (e.g., GlockApps) instead of your regular account password.
It is crucial to remember that app passwords are a workaround for legacy applications. If your Microsoft 365 or Outlook organization has completely disabled basic authentication, then app passwords will not function. In such scenarios, the focus must shift to ensuring the third-party application supports OAuth2, which is the preferred and more secure method.
Navigating OAuth2 for SMTP
OAuth2 is the modern standard for authorization and is what Microsoft now primarily expects for programmatic access to its services, including SMTP. Instead of providing credentials directly, an application requests permission to access certain resources on your behalf. You grant this permission, and the application receives an access token. This token is then used to authenticate with the SMTP server.
Basic authentication (with app passwords)
Process: Uses a generated, unique password for each app. Relies on the SMTP server accepting plain password authentication, even if 2FA is on.
Security: Improved over a standard password, but still transmits a password-like string. Stops working if organizational policy disables basic auth.
Compatibility: Works with legacy applications that don't support modern OAuth2 flows.
OAuth2
Process: Application obtains a temporary access token from Microsoft's identity platform. No direct password exchange.
Security: Highly secure, token-based, minimizes credential exposure, and adheres to modern security standards.
Compatibility: Requires the application (e.g., GlockApps) to be specifically developed to support OAuth2 for Microsoft 365 SMTP.
For SMTP, this often involves the use of OAuth2 with STARTTLS. This means the connection is initiated with a standard STARTTLS command, but the authentication payload uses the OAuth2 access token instead of a traditional username and password. This is the recommended and most robust way to authenticate with Microsoft's SMTP servers.
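The OAuth2-over-STARTTLS exchange described above, as an added Python example (not GlockApps' or Microsoft's code): it builds the SASL XOAUTH2 payload that takes the place of the username and password, and sends it only after the TLS upgrade. It assumes an access token with the SMTP.Send permission was already obtained from Microsoft's identity platform; the host `smtp.office365.com`, port 587 and the function names are choices made for this example.

```python
import base64
import smtplib
import ssl

SMTP_HOST = "smtp.office365.com"  # Microsoft 365 SMTP submission host
SMTP_PORT = 587                   # submission port, upgraded with STARTTLS


def xoauth2_string(user: str, access_token: str) -> str:
    """Raw SASL XOAUTH2 initial response; smtplib base64-encodes it."""
    # \x01 is the field separator, so it must never appear inside a value.
    if "\x01" in user or "\x01" in access_token:
        raise ValueError("control character in user or token")
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01"


def parse_xoauth2(b64_payload: str) -> dict:
    """Decode a base64 XOAUTH2 payload, e.g. to confirm what a client sends."""
    raw = base64.b64decode(b64_payload, validate=True).decode("ascii")
    if not raw.endswith("\x01\x01"):
        raise ValueError("missing \\x01\\x01 terminator")
    fields = dict(part.split("=", 1) for part in raw[:-2].split("\x01"))
    scheme, _, token = fields.get("auth", "").partition(" ")
    if scheme != "Bearer" or not token or "user" not in fields:
        raise ValueError("not a user/Bearer XOAUTH2 payload")
    return {"user": fields["user"], "token": token}


def open_session(user: str, access_token: str) -> smtplib.SMTP:
    """STARTTLS first, then AUTH XOAUTH2; the account password is never sent."""
    def authobject(challenge=None):
        # A 334 challenge after the initial response carries error details;
        # answer with an empty line instead of re-sending the token.
        return "" if challenge else xoauth2_string(user, access_token)

    smtp = smtplib.SMTP(SMTP_HOST, SMTP_PORT, timeout=30)
    try:
        smtp.starttls(context=ssl.create_default_context())  # verifies the cert
        smtp.ehlo()  # re-read capabilities over the encrypted channel
        smtp.auth("XOAUTH2", authobject)  # raises SMTPAuthenticationError on 535
    except Exception:
        smtp.close()
        raise
    return smtp
```

The access token is a bearer credential for as long as it is valid, so keep the encoded payload out of debug logs and packet captures that are shared.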
The primary challenge here is that the third-party application (like GlockApps) must have native support for OAuth2 authentication with Microsoft. If it doesn't, and your organization's policies have disabled basic authentication, then direct SMTP connectivity for that account might not be possible without a custom solution or an update from the application vendor.
Setting up for GlockApps (and similar tools)
When setting up Outlook SMTP authentication for a tool like GlockApps, your first step should always be to check if GlockApps (or any similar service) explicitly supports OAuth2 for Microsoft 365/Outlook. Many modern email testing or sending platforms are updating their integrations to support this, but not all have.
If GlockApps supports OAuth2, the setup process will typically involve authorizing the application through a Microsoft login prompt. This will grant GlockApps the necessary permissions to send emails on your behalf without you having to enter your password directly. This is the ideal and most secure configuration.
Key considerations for external services
App compatibility: Verify if your external tool supports OAuth2 for Outlook/Microsoft 365 SMTP. This is key.
Organizational policy: Even if your account has 2FA, your domain administrator might have disabled basic authentication across your organization, making app passwords unusable.
Alternative sending: If direct SMTP with Outlook isn't feasible, consider using a dedicated email service provider (ESP) with strong deliverability and robust authentication options. For more information, read about setting up email authentication for multiple ESPs.
If GlockApps does not support OAuth2, and your Outlook domain still allows basic authentication, then using an app password with 2FA enabled is the viable path. You would input the generated app password into GlockApps' SMTP settings as the password for your Outlook email account. Always ensure your account has 2FA active before generating an app password.
Views from the trenches
Best practices
Enable 2FA on your Outlook account first, then check if app passwords are an option for legacy applications.
Always verify if the third-party application natively supports OAuth2 for Microsoft 365, as it's the most secure method.
If basic authentication is disabled by your domain administrator, explore alternative sending methods or contact your service provider for OAuth2 integration plans.
Regularly review Microsoft's official documentation for updates on authentication policies and best practices.
Common pitfalls
Attempting to use your regular Outlook password with 2FA enabled, which will result in authentication errors.
Assuming app passwords will work if your organization has globally disabled basic authentication.
Not understanding that OAuth2 requires specific client-side implementation by the third-party application.
Overlooking domain-level policies that might override individual account settings for authentication.
Expert tips
For Microsoft accounts, consider implementing OAuth2 with STARTTLS for optimal security and deliverability. This is the preferred method.
If your application doesn't support OAuth2, ensure basic authentication is enabled at the organizational level to use app passwords.
When troubleshooting, check both your individual account settings and your domain's Microsoft 365 admin center policies.
When in doubt, contact Microsoft support directly; they can provide specific guidance based on your account and organization's configuration.
Marketer view
Marketer from Email Geeks says they were running into SMTP authentication errors when setting up Outlook email senders on GlockApps, noting that Gmail typically requires 2FA and an app password for similar setups.
2023-10-02 - Email Geeks
Expert view
Expert from Email Geeks says that this issue might not strictly be a deliverability topic, suggesting consulting Microsoft's support resources, especially regarding app passwords for apps not supporting two-step verification.
2023-10-02 - Email Geeks
Streamlining your Outlook SMTP setup
Effectively configuring Outlook SMTP authentication with 2FA and OAuth2 for tools like GlockApps comes down to understanding the interplay between your Microsoft account settings, your organizational policies, and the capabilities of the third-party application. While app passwords provide a solution for older systems, OAuth2 is the direction all services are moving towards for enhanced security and reliability.
For the best email deliverability and security, always prioritize applications that support OAuth2 with Microsoft. If that's not an option, ensure that basic authentication (and thus app passwords) is still enabled for your specific account or organization. Staying informed about Microsoft's authentication changes is key to avoiding unexpected connection failures or emails being marked as spam or hitting a blacklist.