Exchange Online Deprecation of Basic Authentication

Microsoft has recently announced the deprecation of Basic Authentication in Exchange Online. This blog summarises these changes.

This information is based on an article by Microsoft which can be viewed in full here: Deprecation of Basic Authentication in Exchange Online.

Why is Microsoft stopping Basic Authentication?

Applications commonly use Basic Authentication methods to connect to services, servers, and API endpoints. This is where the application sends a username and password with every request and this information is usually saved on the device. This is often enabled by default and is simple to set up.

Basic Authentication is now an outdated industry standard, and the threats posed by this have only increased since Microsoft originally announced that it was ceasing its usage.

Basic Authentication makes it easier for hackers to capture user credentials, especially if credentials are not protected by TLS and this also increases the risk of these stolen details being used against other services and endpoints.

There are more effective methods of authenticating services, so Microsoft is taking steps to improve data security in Exchange Online.

What are they changing?

Microsoft is removing the ability to use Basic Authentication in Exchange Online for Exchange ActiveSync (EAS), POP, Exchange Web Services (EWS), IMAP, Remote PowerShell, Offline Address Book (OAB), Outlook for Windows, and Mac. They are also removing SMTP AUTH in tenants where it is not being used.

This means Microsoft customers need to move from Basic Authentication to Modern Authentication.

Modern Authentication has many benefits that help mitigate the issues driven by Basic Authentication. For example, OAuth access tokens have a limited usable lifetime. They are also specific to the applications and resources that they are issued to, so they cannot be reused. Enabling and enforcing MFA is simple with Modern Authentication.

When is this change taking place?

Beginning in early 2021, Microsoft started to disable Basic Authentication for existing tenants with no usage. In September 2021 they announced that effective October 1st, 2022, they will begin disabling Basic Authentication for Outlook, EWS, RPS, POP, IMAP, and EAS protocols in Exchange Online. SMTP Auth will also be disabled if unused.

See full announcement: Basic Authentication and Exchange Online – September 2021 Update.

What do you need to do?

To fix this problem it’s simple, just go to your setting screen and click on the update link button.