
How to Generate App Password in Outlook


A 4-minute walkthrough for creating an app password on a Microsoft account so you can use Outlook.com, Hotmail or Microsoft 365 with email clients that do not support 2-Step Verification natively. Covers the personal account flow, the work/school account flow, and the 2026 SMTP AUTH deprecation that may affect business users.

⚠️ Microsoft 365 work/school users: read this first

Microsoft has been progressively retiring basic authentication for Exchange Online since 2022. IMAP, POP and EWS basic auth were disabled in October 2022. SMTP AUTH basic auth follows on April 30, 2026. App passwords still work for personal accounts (outlook.com, hotmail.com, live.com), but for work or school M365 accounts you may need OAuth instead. See the M365 section below for what works in 2026.

Video Transcript

Hello and welcome. This video shows how to generate an app password for your Microsoft account. App passwords let you sign in to Outlook.com, Hotmail, Live or Microsoft 365 from third-party apps and devices that do not support two-step verification.

The procedure differs slightly between personal Microsoft accounts and Microsoft 365 work or school accounts, but the underlying idea is the same: a one-time generated password that bypasses 2FA for one specific app.

Step one. Open account.microsoft.com in a browser and sign in. Click the Security tab at the top.

Step two. Find Advanced security options and click Get started or Manage.

Step three. Two-Step Verification must be on for app passwords to be available. If 2-Step Verification is off, turn it on now using SMS or the Microsoft Authenticator app.

Step four. Scroll to the App passwords section and click Create a new app password. Microsoft generates a long random password and shows it once. Copy it immediately.

Step five. Paste the app password into your email client. Use outlook.office365.com on port 993 with SSL for IMAP, or smtp-mail.outlook.com on port 587 with STARTTLS for SMTP. Username is your full email address.

Step six. Test by sending yourself an email. If it arrives, the setup works.

Important note for Microsoft 365 work and school accounts: Microsoft deprecated basic authentication in October 2022 for IMAP, POP and EWS. SMTP AUTH deprecation extends to April 2026. If you are on a corporate Microsoft 365 account, you may not be able to use app passwords at all because your administrator has enforced OAuth-only access. Talk to your IT admin. Thanks for watching.

Tested on outlook.com web · Outlook 2024 · Thunderbird 128 ESR · April 2026

Personal Account vs Work/School Account: Two Different Flows

The single most important thing to know before you start: Microsoft handles app passwords differently depending on whether you have a personal Microsoft account or a work/school Microsoft 365 account. The video covers the personal flow, which is still fully supported and works exactly as shown. The work/school flow exists but has been progressively restricted since 2022 and may be unavailable depending on your IT admin's policy. Get this distinction right at the start and you avoid 90% of the confusion users hit on this topic.

| Account type | How to identify and what to expect |
|---|---|
| Personal Microsoft account | Your email is @outlook.com, @hotmail.com, @live.com, @msn.com, or you signed up at outlook.com directly. App passwords work without restriction. Manage at account.microsoft.com. |
| Microsoft 365 work/school account | Your email is on a custom domain like yourname@yourcompany.com and your IT department set it up. App passwords may or may not work depending on whether your admin has enabled them. Manage at myaccount.microsoft.com. |
| Microsoft 365 with custom domain (small business / personal) | Some users have outlook.com-style accounts with custom domains for personal use. These are work/school accounts technically. Same restrictions apply as above. |
| Hybrid Exchange (on-premises + Online) | Larger enterprises. App passwords on the Exchange Online side, basic auth still possible on the on-premises side until decommissioned. Talk to your IT admin. |

Microsoft Email Server Settings (Reference Card)

These are the official server settings documented by Microsoft. Save or screenshot.

| Setting | Value |
|---|---|
| Incoming server (IMAP) | outlook.office365.com (used by both personal and M365) |
| Incoming port | 993 with SSL/TLS required |
| Outgoing server (SMTP) - personal accounts | smtp-mail.outlook.com |
| Outgoing server (SMTP) - Microsoft 365 | smtp.office365.com |
| Outgoing port | 587 with STARTTLS, authentication required |
| Username | Your full email address (e.g. yourname@outlook.com) |
| Password | The generated app password, never your regular Microsoft password |
| Authentication | Required for both IMAP and SMTP. Tick "Server requires authentication" in your client's outgoing server settings |
| POP3 (alternative) | outlook.office365.com port 995 SSL. Use IMAP instead unless you have a specific reason |
| OAuth alternative | Modern clients (Thunderbird 128+, Apple Mail Catalina+, native Outlook) support OAuth instead of app password. The OAuth flow opens a Microsoft sign-in window and grants the client a temporary token |

6 Steps to Generate an App Password (Personal Account)

  1. Open account.microsoft.com in a desktop browser. Sign in with your Microsoft account credentials. Click the Security tab in the top navigation bar.
  2. On the Security page, find Advanced security options and click Get started (the button is labelled Manage if 2FA is already on). This opens the additional security configuration page where app passwords live.
  3. Confirm Two-Step Verification is turned on. App passwords only appear once 2FA is active. If you have not enabled 2FA, turn it on now using SMS, email or the Microsoft Authenticator app. Wait a moment for the security page to refresh after enabling.
  4. Scroll down to the App passwords section. Click Create a new app password. Microsoft generates a long random password (typically 16 characters, sometimes longer) and shows it in a popup. Copy it immediately. The password is shown only once. If you close the dialog before copying, you must create a new one.
  5. Open your email client (Outlook, Thunderbird, Apple Mail, iPhone Mail, Samsung Email). When prompted for your Outlook password, paste the app password. Use server settings outlook.office365.com port 993 SSL incoming, smtp-mail.outlook.com port 587 STARTTLS outgoing (personal accounts) or smtp.office365.com for M365.
  6. Send a test email to yourself from the configured client. If it arrives in your Outlook inbox within a minute, IMAP and SMTP are both working. The app password is now active permanently until you revoke it from your Microsoft account.

For Microsoft 365 Work/School Accounts: The 2022-2026 Deprecation

If you are on a corporate Microsoft 365 account, the procedure above may not work because Microsoft has been progressively retiring basic authentication. The official Microsoft Exchange Online deprecation timeline is genuinely complex with multiple phases.

| Date | What Microsoft changed |
|---|---|
| September 2019 | Microsoft announces basic auth deprecation for Exchange Online. Begins disabling for tenants with no recorded usage. |
| October 1, 2022 | Basic auth disabled for IMAP, POP, EWS, RPS, MAPI, ActiveSync across all Microsoft 365 work/school tenants. Exception: SMTP AUTH continued working temporarily. |
| March 31, 2023 | Same deprecation rolls to Office 365 operated by 21Vianet (China region). |
| 2024 | Microsoft announces SMTP AUTH basic auth retirement timeline. Original date September 2025. |
| September 2025 | Original SMTP AUTH deprecation deadline. Postponed to give organisations more migration time. |
| March 1, 2026 | SMTP AUTH basic auth deprecation begins (phase 1). |
| April 30, 2026 | SMTP AUTH basic auth permanently disabled across all M365 work/school tenants. After this date, Exchange Online will no longer accept basic auth on any protocol. |

What this means in practice: if your Microsoft 365 admin has not specifically allowed app passwords for your account (via Conditional Access policy exception), you cannot create one. The App Password option simply does not appear in your account settings. The replacement is OAuth, which modern email clients support automatically when adding a Microsoft 365 account. If you need to use older software that does not support OAuth, talk to your IT admin about an exception. For SMTP AUTH specifically (sending email from scripts, scanners, CRMs), Microsoft now recommends High Volume Email for Microsoft 365 or Azure Communication Services Email as basic-auth replacements.

Common Errors and Fixes

| Error or symptom | Cause and fix |
|---|---|
| "App passwords" section is missing on personal account | Two-Step Verification is not enabled. Turn it on at account.microsoft.com Security > Advanced security options. The App passwords section appears after 2FA is on. |
| "App passwords" missing on Microsoft 365 work/school account | Your admin has disabled app passwords as a Conditional Access policy. Modern email clients work with OAuth instead. For older software, ask your admin to enable app passwords for your account specifically, or to grant a Conditional Access exception. |
| iPhone Mail "ignores" the app password | iOS Mail uses OAuth automatically when you pick "Outlook.com" as the account type during setup. The app password is never asked for. To force IMAP+app-password instead, pick "Other" > "Add Mail Account" and enter server settings manually. |
| "Authentication failed" on Outlook 2010, 2013, 2016 | Outlook 2010 cannot do modern auth at all. Outlook 2013 and 2016 require a registry edit to enable modern auth. The simpler fix: paste the app password instead of your regular password. The app password works as a basic-auth credential on personal accounts. |
| "Send email failed" but receive works | SMTP authentication is not enabled in your client. In Outlook: More Settings > Outgoing Server > tick "My outgoing server requires authentication". For personal accounts use smtp-mail.outlook.com:587 STARTTLS. For M365 use smtp.office365.com:587 STARTTLS. |
| "This app cannot connect" after April 2026 (M365 only) | Basic auth has been permanently disabled on your M365 tenant. The app password no longer works. Switch to a client that supports OAuth (Outlook 2024, Thunderbird 128+, Apple Mail Catalina+) or talk to your admin about Conditional Access exceptions. |
| Wrong server typed | Outlook.com is at outlook.office365.com, NOT mail.outlook.com or imap.outlook.com. Microsoft consolidated all Outlook IMAP traffic onto the Office 365 server name in 2017. Old tutorials may show the wrong hostname. |
| "Sender address rejected" | The From address in your client does not match the Microsoft account you authenticated with. Set the From address in your client to the exact email address you logged in with. |
| App password worked yesterday but not today | Microsoft may have detected suspicious sign-in activity and forced 2FA re-verification, which invalidates app passwords. Generate a new app password and update your client. |

Comparing Outlook App Passwords to Other Providers

| Provider | App password procedure summary |
|---|---|
| Outlook personal (this guide) | account.microsoft.com Security > Advanced security options > App passwords. Works without restriction. Single page after 2FA on. |
| Microsoft 365 work/school (this guide) | myaccount.microsoft.com Security info > Add method > App password. Available only if admin allows it. Many orgs disable it in favour of OAuth. |
| Gmail / Google Workspace | myaccount.google.com/apppasswords. Single direct URL. Works on personal Gmail without restriction. Workspace requires admin policy permitting it. |
| Yahoo Mail | Account Security > Generate and manage app passwords. Single page. IMAP enabled by default. Procedurally simplest of the major providers. |
| Yandex Mail | Two separate pages: enable IMAP at mail.yandex.com Settings, then create app password at id.yandex.com Security. Most complex flow. |
| Zoho Mail | Two separate steps: enable IMAP in Mail settings, create app password in Account Security. Similar split structure to Yandex. |
| AOL Mail | Account Security > Generate and manage app passwords. Single page. Yahoo-style flow. |

Setting Up Common Email Clients with Outlook

After you have the app password, configuring the email client is short. Each client has subtle quirks worth knowing.

| Client | Setup notes |
|---|---|
| Microsoft Outlook 2024 / 365 | Native OAuth support. Add account flow handles authentication automatically. App password not needed unless OAuth fails for some reason. |
| Microsoft Outlook 2019, 2021 | Modern auth is supported but sometimes falls back to basic auth. If OAuth dialog never appears, paste the app password into the password field. |
| Microsoft Outlook 2013, 2016 | Limited modern auth. Easiest path: app password. Server outlook.office365.com:993 SSL incoming, smtp-mail.outlook.com:587 STARTTLS outgoing. |
| Microsoft Outlook 2010 and earlier | No modern auth at all. App password is the only way. Will fail entirely after M365 basic auth deprecation in April 2026 for work/school accounts. |
| Mozilla Thunderbird 128 ESR or later | Native OAuth support including new EWS support added in version 145 (November 2025). Add account flow uses OAuth automatically. App password is fallback only. |
| Apple Mail (macOS Catalina+) | Native OAuth via System Settings > Internet Accounts > add Outlook.com account. App password as fallback. |
| iPhone Mail (iOS 13+) | Native OAuth when picking "Outlook.com" as account type. To use IMAP+app-password instead, pick "Other" > manual setup. |
| Samsung Email (Android) | OAuth supported when picking "Outlook" provider. Manual IMAP setup with app password also works. |
| Custom CRM, scripts, scanners | Use IMAP/SMTP with app password. Most legacy automation cannot do OAuth. Be aware: M365 SMTP AUTH basic auth ends April 2026, so scripts will need OAuth migration before then. |
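
For the scripts-and-scanners case, this added example (not VideoShala's or Microsoft's code) sends the step 6 test message from Python, either with an app password over basic auth (personal accounts) or with the SASL XOAUTH2 mechanism that replaces it on Microsoft 365. The function names and the MAIL_* environment variables are assumptions made for the example, and obtaining the OAuth access token (for example with MSAL) is outside its scope.

```python
import base64
import os
import smtplib
import ssl
from email.message import EmailMessage

# Hostnames and port as listed in this page's reference card.
SMTP_HOSTS = {"personal": "smtp-mail.outlook.com", "m365": "smtp.office365.com"}
SMTP_PORT = 587


def xoauth2_response(user: str, access_token: str) -> str:
    """Base64 SASL XOAUTH2 string: user=<addr>^Aauth=Bearer <token>^A^A."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def build_test_message(address: str) -> EmailMessage:
    """Self-addressed test mail; From must match the authenticated account."""
    msg = EmailMessage()
    msg["From"] = address
    msg["To"] = address
    msg["Subject"] = "SMTP configuration test"
    msg.set_content("Sent by the configuration check script.")
    return msg


def send_test(address: str, account_type: str, secret: str, use_oauth: bool) -> None:
    """Send one test mail. `secret` is the app password, or an OAuth access
    token when use_oauth is True."""
    context = ssl.create_default_context()  # verifies certificate and hostname
    with smtplib.SMTP(SMTP_HOSTS[account_type], SMTP_PORT, timeout=30) as smtp:
        smtp.starttls(context=context)  # raises if STARTTLS is not offered
        smtp.ehlo()                     # re-identify on the encrypted channel
        if use_oauth:
            code, reply = smtp.docmd("AUTH", "XOAUTH2 " + xoauth2_response(address, secret))
            if code == 334:             # server sent an error challenge; finish the exchange
                code, reply = smtp.docmd("")
            if code != 235:
                raise smtplib.SMTPAuthenticationError(code, reply)
        else:
            smtp.login(address, secret)  # basic auth with the app password
        smtp.send_message(build_test_message(address))


if __name__ == "__main__":
    # Assumed variable names; the secret stays out of the source file.
    send_test(
        os.environ["MAIL_ADDRESS"],
        os.environ.get("MAIL_ACCOUNT_TYPE", "personal"),
        os.environ["MAIL_SECRET"],
        use_oauth=os.environ.get("MAIL_USE_OAUTH") == "1",
    )
```

Because the secret is read from the environment, revoking an app password or rotating a token never requires editing the script.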

Security and Privacy Considerations

App passwords are intentionally less secure than OAuth tokens because they are static (do not expire automatically) and broad-scoped (one app password gives the client full IMAP, SMTP and POP access to your account). The benefit is universal compatibility: app passwords work with literally any email client that speaks IMAP, where OAuth requires the client to be specifically integrated with Microsoft's identity platform. The trade-off is acceptable for most personal users but security-conscious organisations are right to phase them out in favour of OAuth, which is exactly what Microsoft is doing on the work/school side. Treat your app password like a physical key. Never paste it into untrusted apps or share it. If a device is lost, revoke the app password from your Microsoft account immediately. Microsoft does not enforce one app password per device, but reusing the same password across multiple devices makes "I lost my phone" recovery much harder than it needs to be.

💡 Pro tips for Outlook app password setup

  • Check your account type first. Personal Microsoft accounts (outlook.com, hotmail.com, live.com) work cleanly. Work/school M365 accounts may not allow app passwords at all depending on admin policy. Save yourself the troubleshooting.
  • Use account.microsoft.com for personal, myaccount.microsoft.com for work/school. The two URLs look almost identical but go to different account dashboards.
  • One app password per device or app. Microsoft does not enforce this but you should. When you lose a phone, revoke just that password without breaking your laptop's email.
  • Name your app passwords descriptively when prompted: "Outlook Office Laptop", "iPhone 15 Mail", "Backup Tool 2026". Six months later you will not remember which is which.
  • Server is outlook.office365.com, not mail.outlook.com or imap.outlook.com. The Office 365 hostname is correct for both personal and work/school accounts after the 2017 consolidation.
  • Use port 587 STARTTLS for outgoing. Some Indian residential ISPs block port 465 SSL. Port 587 with STARTTLS is the universal choice.
  • For M365 SMTP scripts, plan for April 2026. Move to OAuth-based SMTP libraries (Microsoft Graph SDK, MSAL) before the SMTP AUTH deprecation. Free SMTP libraries supporting OAuth: PHPMailer 6.6+, Nodemailer with msal, Python smtplib with oauth2 helper.
  • If you also need to back up your Outlook mailbox, see our guide on backing up Outlook.com to external drive.

Frequently Asked Questions

What is an Outlook app password and why do I need one?

An Outlook app password is a long, randomly generated password tied to your Microsoft account and shown only once, when it is created. You enter it instead of your regular Microsoft password when adding the account to a third-party email client (Apple Mail, Thunderbird, older Outlook, iPhone Mail, Samsung Email) that does not support 2-Step Verification natively. It exists because once you turn on 2FA, your regular password gets blocked from basic auth login attempts to protect your account from credential theft.

Where is the App Passwords option on my Microsoft account?

For personal accounts (outlook.com, hotmail.com, live.com): go to account.microsoft.com, sign in, click Security, click Get started under Advanced security options, then scroll to App passwords. For Microsoft 365 work or school accounts: go to myaccount.microsoft.com, sign in, click Security info, click Add method, and pick App password from the dropdown. The work/school option only appears if your administrator has allowed it (many organisations now disable app passwords entirely in favour of OAuth).

What are the IMAP and SMTP settings for outlook.com and Microsoft 365?

Both use the same settings apart from the outgoing server name. Incoming IMAP: outlook.office365.com, port 993, SSL/TLS required. Outgoing SMTP: smtp-mail.outlook.com (personal) or smtp.office365.com (M365), port 587 with STARTTLS, authentication required. Username is your full email address. Password is the generated app password, not your regular Microsoft password.

Why is App Passwords missing on my Microsoft 365 account?

Your IT administrator has disabled app passwords as a security policy. Microsoft 365 admins can enforce OAuth-only access via Conditional Access policies, which removes the App Password option entirely. Modern email clients (Outlook 2024, Thunderbird 128+, Apple Mail Catalina+) support OAuth and do not need an app password. For older or non-OAuth software, ask your admin to allow app passwords for your account, or migrate to a client that supports modern authentication.

Will my app password stop working after the 2026 SMTP AUTH deprecation?

Personal Microsoft accounts (outlook.com, hotmail.com, live.com): app passwords continue to work, the 2026 deprecation does not affect consumer accounts. Microsoft 365 work and school accounts: SMTP AUTH with basic auth (which app passwords use) is being permanently disabled on April 30, 2026 according to Microsoft's latest published timeline. After that date, sending email via SMTP AUTH from M365 accounts requires OAuth or alternative methods like High Volume Email or Azure Communication Services. For receiving (IMAP/POP), Microsoft already disabled basic auth for work/school accounts in October 2022.

Can I use the same app password on multiple devices?

Technically yes but it is not recommended. Microsoft does not enforce one app password per device, but reusing the same password across phone, laptop and tablet means if one device is lost or stolen you cannot revoke just that device's access without breaking the others. Better practice: generate a separate app password for each device or app, name them descriptively (Outlook Office Laptop, iPhone Mail Personal). When you lose a device, revoke just that one app password from your Microsoft account.

Written by
VideoShala Team
Software and Tech Tutorial Expert · New Delhi

VideoShala creates step-by-step video guides on banking, software, tutorials and current affairs. All tutorials are free and tested before publication.