Upcoming changes to Legacy Auth for Exchange Online

Question

It´s bug struggle find good and reliable information about blocking legacy authentication. I know there are upcoming changes:

https://techcommunity.microsoft.com/t5/exchange-team-blog/improving-security-together/ba-p/805892
Last year we announced we are turning off Basic Authentication for Exchange Web Services on October 13, 2020. Today, we are announcing we are also turning off Basic Authentication in Exchange Online for Exchange ActiveSync (EAS), POP, IMAP and Remote PowerShell at the same time – October 13, 2020.

I know also that this change is postponed:

https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-april-2020-update/ba-p/1275508
In response to the COVID-19 crisis and knowing that priorities have changed for many of our customers we have decided to postpone disabling Basic Authentication in Exchange Online for those tenants still actively using it until the second half of 2021. We will provide a more precise date when we have a better understanding of the impact of the situation.

But I still got some questions in my mind, and I´m unable to find official information about them:

1. What we should do with service accounts after this change will be implemented in 2021? How service accounts will be authenticated and how they will be able to work? I know only about App Passwords possibility but I didn´t find any official information if App Passwords will be working when Legacy Auth will be disabled in Exchange Online.
2. What should we do with our users with iPhones because most of them are using iPhones with non-outlook Calendar or non-outlook Email? They will be unable to work in these applications and only possible way will be official outlook app for calendar, emails and contact synchronization?
3. If we don´t have Azure AD Premium but only Azure AD for Office 365 is somehow possible to disable Legacy Authentication in Exchange Online for specific users? I know there is Security Defaults in Azure AD but this is not possible to enable because we are running some critical service accounts in our tenant, that are still accessing Exchange Online with Legacy Authentication.
   We tried to disable Legacy Authentication protocols (IMAP, POP, EAS, EWS) in M365 Admin on some users to avoid using Security Defaults for whole tenant but users started to reporting us about missing Calendar in Microsoft Teams so we need to reactivate these protocols back.
4. What will happen if we don´t enable MFA for all users with Security Defaults and until 2021 and this change will be applied to our tenant? Users without activated MFA (Security Defaults disabled) will be able to work in Modern Authentication in Exchange Online despite MFA will not be enabled and set-up on their accounts?
   We know Security Defaults should be enabled but our tenant, user accounts, services, people are not ready for this change and I´m afraid they will not be able to prepare people, services, accounts and so on... So I´m asking also about this scenario when Security Defaults will be disabled.

Answer 1

1) The ExO PowerShell module already supports such scenarios (in preview): https://www.quadrotech-it.com/blog/certificate-based-authentication-for-exchange-online-remote-powershell/
2) Both the Outlook app and the native Mail app on iOS support modern auth
3) Yes, use auth policies in Exchange Online: https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online
4) MFA does not equal modern authentication, you do not necessarily have to enable second (or additional) auth factors in order to use modern authentication

All of the above have been addressed in detail over at the EHLO blog, to which you linked above - I strongly suggest you review past articles posted on the blog.