This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 82%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMU%3C/text%3E%3C/svg%3E)
As per Microsoft, Basic Authentication will be deprecated in Exchange Online effective October 1, 2022. This ability will be removed from Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, Exchange Web Services (EWS), Offline Address Book (OAB), Outlook for Windows, and Mac.
I know it is not listed, but I want to double check if anybody knows for certain if the ability to authenticate with username/password to a Microsoft O365 application via the Microsoft Graph API will be removed. It is worth noting that this application will have access to Exchange mailboxes, which is where the confusion comes in if Microsoft's deprecation statement about Exchange Online will affect this flow or not.
There is a note that talks about disabling Basic Authentication in cloud environments that may include this ask, but it is not clear to me. The note in Microsoft's notice is as follows:
In Office 365 Operated by 21Vianet, we will begin disabling Basic authentiction on March 31, 2023. All other cloud environments are subject to the October 1, 2022 date.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 83%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
The ROPC grant is not affected by the deprecation of Basic Auth from Exchange Online. Only direct connections to Exchange with basic creds are affected. ROPC might not be recommended, but there are still more safeguards (app registration, consent, scope etc) with it, than there are with traditional username/password.
Thank you Greg!
Thank you, @grtaylor@microsoft.com !
Do you mean using the ROPC flow?
Hi @Vasil Michev , I believe you might be right that the ROPC flow is what is being used. To clarify, the specific workflow I have in mind using this authentication method is using the Microsoft identity platform to establish an authenticated connection to a Microsoft O365 application registered in Azure AD. The connection enables a service authenticating with username/password to call the Microsoft Graph API to read and write resources on a user's behalf. This registered application in particular will have access to Exchange Online mailboxes. That is where my confusion comes in on whether or not this Basic Authentication flow will be decommissioned in October 2022 or not.
I'm not 100% sure about the answer here. It's technically OAuth, so not considered basic auth, but it's also certainly not a recommended approach (you can see the big warning in the documentation). Whether Microsoft has any plans to block it specifically in the context of Exchange Online in the timeframes outlined above, I cannot tell. I've pinged an MS source on this and will circle back once I have an answer.
Hi @Vasil Michev , thank you very much. I'm looking forward to hearing back from you and your Microsoft resource.