UPDATE: Exchange Online deprecating Basic Authentication (Basic Auth)

Originally published: September 20, 2019
Updated: March 18, 2021

Please go here to search for your product's lifecycle.

UPDATE February 25, 2021: Microsoft has postponed disabling Basic Auth for protocols in active use by tenants until further notice but will continue to disable Basic Auth for protocols not in use. Overall scope of this change now covers EWS, EAS, POP, IMAP, Remote PowerShell, MAPI, RPC, SMTP AUTH and OAB. Go here for the full announcement.

Exchange Online is deprecating Basic Authentication for multiple protocols prior to its removal in the second half of 2021. Basic Authentication relies on sending usernames and passwords -- often stored on or saved to the device -- with every request, increasing risk of attackers capturing users' credentials, particularly if not TLS protected.

Basic Authentication is superseded by Modern Authentication (based on OAuth 2.0). Customers are encouraged to move to apps that support Modern Authentication prior to the removal of Basic Authentication.

As part of security defaults, we currently disable Basic Authentication by default for new customers. During 2021, we'll start to disable Basic Authentication for existing customers who have no recorded usage of Basic Authentication in any of the protocols in scope of this announcement. After this change, apps will not be able to use Basic Authentication when connecting to Exchange Online using those protocols.

This change currently affects commercial M365, not our consumer service Outlook.com users, and it impacts Exchange ActiveSync (EAS), IMAP, POP, and Remote PowerShell.

Go here to learn more.

Please note this change does not affect Outlook for Windows or Mac if they are already configured to use Modern Auth.

Change Log

February 25, 2021
CHANGED: Updated Basic Auth deprecation plan