Deprecation of Basic authentication in Exchange Online
If Basic authentication has been disabled in your tenant and users and apps are unable to connect, you have a short period of time in which you can re-enable the affected protocols. Follow the re-enablement process in this blog.
This temporary re-enablement will only delay the change we're making to secure Exchange Online. Read the rest of this article to fully understand the changes we're making and how these changes might affect you.
For many years, applications have used Basic authentication to connect to servers, services, and API endpoints. Basic authentication simply means the application sends a username and password with every request, and those credentials are also often stored or saved on the device. Traditionally, Basic authentication is enabled by default on most servers or services, and is simple to set up.
Simplicity isn't at all bad, but Basic authentication makes it easier for attackers to capture user credentials (particularly if the credentials are not protected by TLS), which increases the risk of those stolen credentials being reused against other endpoints or services. Furthermore, enforcing multifactor authentication (MFA) is not simple, and in some cases not possible, while Basic authentication remains enabled.
Basic authentication is an outdated industry standard. Threats posed by it have only increased since we originally announced that we were going to turn it off (see Improving Security - Together). There are better and more effective user authentication alternatives.
We actively recommend that customers adopt security strategies such as Zero Trust (Never Trust, Always Verify), or apply real-time assessment policies when users and devices access corporate information. These alternatives allow for intelligent decisions about who is trying to access what from where on which device rather than simply trusting an authentication credential that could be a bad actor impersonating a user.
With these threats and risks in mind, we're taking steps to improve data security in Exchange Online.
The deprecation of basic authentication will also prevent the use of app passwords with apps that don't support two-step verification.
What we are changing
We're removing the ability to use Basic authentication in Exchange Online for Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, Exchange Web Services (EWS), Offline Address Book (OAB), Outlook for Windows, and Mac.
We're also disabling SMTP AUTH in all tenants in which it's not being used.
This decision requires customers to move from apps that use basic authentication to apps that use Modern authentication. Modern authentication (OAuth 2.0 token-based authorization) has many benefits and improvements that help mitigate the issues in basic authentication. For example, OAuth access tokens have a limited usable lifetime, and are specific to the applications and resources for which they are issued, so they cannot be reused. Enabling and enforcing multifactor authentication (MFA) is also simple with Modern authentication.
When will this change take place?
We've already started making this change. New Microsoft 365 tenants are created with Basic authentication already turned off as they have Security defaults enabled.
Beginning in early 2021, we started to disable Basic authentication for existing tenants with no reported usage. We always provide Message Center notifications to any customer prior to Basic authentication being completely disabled in their tenant.
In September 2021, we announced that effective October 1, 2022, we will begin disabling Basic authentication for Outlook, EWS, RPS, POP, IMAP, and EAS protocols in Exchange Online. SMTP Auth will also be disabled if it is not being used. See full announcement: Basic Authentication and Exchange Online – September 2021 Update.
On September 1, 2022, we announced there will be one final opportunity to postpone this change. Tenants will be allowed to re-enable a protocol once between October 1, 2022 and December 31, 2022. Any protocol exceptions or re-enabled protocols will be turned off early in January 2023, with no possibility of further use. See the full announcement at Basic Authentication Deprecation in Exchange Online – September 2022 Update.
In Office 365 Operated by 21Vianet, we will begin disabling Basic authentication on March 31, 2023. All other cloud environments are subject to the October 1, 2022 date.
Impact to messaging protocols and existing applications
This change affects the applications and scripts you might use in different ways.
POP, IMAP, and SMTP AUTH
In 2020, we released OAuth 2.0 support for POP, IMAP, and SMTP AUTH. Some client apps have been updated to support these authentication types (Thunderbird, for example, though not yet for customers using Office 365 Operated by 21Vianet), so users with up-to-date versions can change their configuration to use OAuth. There is no plan for Outlook clients to support OAuth for POP and IMAP, but Outlook can connect using MAPI/HTTP (Windows clients) and EWS (Outlook for Mac).
Application developers who have built apps that send, read, or otherwise process email using these protocols will be able to keep the same protocol, but need to implement secure, Modern authentication experiences for their users. This functionality is built on top of Microsoft Identity platform v2.0 and supports access to Microsoft 365 email accounts.
If your in-house application needs to access the IMAP, POP, or SMTP AUTH protocols in Exchange Online, follow these step-by-step instructions to implement OAuth 2.0 authentication: Authenticate an IMAP, POP, or SMTP connection using OAuth. Additionally, you can use the PowerShell script Get-IMAPAccesstoken.ps1 to test IMAP access on your own after you enable OAuth, including the shared mailbox use case. If this test succeeds, you can confidently take the next step and talk to your application owner, vendor, or internal business partner.
Work with your vendor to update any apps or clients that you use that could be impacted.
SMTP AUTH will still be available when Basic authentication is permanently disabled on October 1, 2022. The reason SMTP will still be available is that many multi-function devices such as printers and scanners can't be updated to use modern authentication. However, we strongly encourage customers to move away from using Basic authentication with SMTP AUTH when possible. Other options for sending authenticated mail include using alternative protocols, such as the Microsoft Graph API.
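As an added example that is not part of the original article or any Microsoft sample, the following Python shows what "implementing OAuth 2.0 for IMAP, POP, or SMTP" means at the protocol level: the SASL XOAUTH2 response that replaces the username and password, a decoder for inspecting captured responses, and IMAP and SMTP AUTH logins that present a bearer token instead of Basic credentials. The token endpoint, scope, and all function names are assumptions; the token request and the two logins need network access and are not exercised offline.

```python
import base64
import imaplib
import json
import smtplib
import urllib.parse
import urllib.request

# Token endpoint and scope of Microsoft's documented app-only (client credentials) flow
# for IMAP/POP/SMTP in Exchange Online. Both are assumptions, not taken from this article;
# verify them against the linked guidance (Office 365 Operated by 21Vianet differs).
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
APP_ONLY_SCOPE = "https://outlook.office365.com/.default"

def build_xoauth2(user: str, access_token: str) -> str:
    """SASL XOAUTH2 initial client response shared by IMAP, POP3 and SMTP AUTH.
    Wire format: user=<mailbox>^Aauth=Bearer <token>^A^A   (^A is the byte 0x01)."""
    if "\x01" in user or "\x01" in access_token:
        raise ValueError("user and token must not contain the 0x01 separator")
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01"

def xoauth2_b64(user: str, access_token: str) -> str:
    """The base64 form that actually crosses the wire after AUTHENTICATE/AUTH XOAUTH2."""
    return base64.b64encode(build_xoauth2(user, access_token).encode("ascii")).decode("ascii")

def parse_xoauth2(b64: str) -> dict:
    """Decode a captured base64 XOAUTH2 response back into its fields (for debugging)."""
    raw = base64.b64decode(b64).decode("ascii")
    if not raw.endswith("\x01\x01"):
        raise ValueError("malformed XOAUTH2 response: missing ^A^A terminator")
    fields = {}
    for part in raw[:-2].split("\x01"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields

def request_app_only_token(tenant: str, client_id: str, client_secret: str) -> str:
    """Client-credentials token request (needs network access; not exercised offline)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": APP_ONLY_SCOPE,
    }).encode("ascii")
    with urllib.request.urlopen(TOKEN_ENDPOINT.format(tenant=tenant), body) as resp:
        return json.load(resp)["access_token"]

def imap_login_oauth(host: str, user: str, access_token: str) -> imaplib.IMAP4_SSL:
    """Authenticate to IMAP with XOAUTH2 instead of the LOGIN (Basic) command."""
    conn = imaplib.IMAP4_SSL(host, 993)
    # imaplib base64-encodes what the callback returns, so it must return bytes. A non-empty
    # challenge is a server error; answer with an empty line so the server ends with its NO.
    conn.authenticate("XOAUTH2", lambda chal: b"" if chal else build_xoauth2(user, access_token).encode())
    return conn

def smtp_login_oauth(host: str, user: str, access_token: str) -> smtplib.SMTP:
    """Authenticate to SMTP AUTH with XOAUTH2 over STARTTLS on port 587."""
    conn = smtplib.SMTP(host, 587)
    conn.starttls()
    conn.ehlo()  # re-identify on the encrypted channel before AUTH (RFC 3207)
    # smtplib expects a str from the auth object and base64-encodes it itself.
    conn.auth("XOAUTH2", lambda challenge=None: build_xoauth2(user, access_token))
    return conn
```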
Exchange ActiveSync (EAS)
Many users have mobile devices that are set up to use EAS. If they're using Basic authentication, they will be impacted by this change.
We recommend using Outlook for iOS and Android when connecting to Exchange Online. Outlook for iOS and Android fully integrates Microsoft Enterprise Mobility + Security (EMS), which enables conditional access and app protection (MAM) capabilities. Outlook for iOS and Android helps you secure your users and your corporate data, and it natively supports Modern authentication.
There are other mobile device email apps that support Modern authentication. The built-in email apps for all popular platforms typically support Modern authentication, so sometimes the solution is to verify that your device is running the latest version of the app. If the email app is current, but is still using Basic authentication, you might need to remove the account from the device and then add it back.
If you're using Microsoft Intune, you might be able to change the authentication type using the email profile you push or deploy to your devices. If you are using iOS devices (iPhones and iPads), take a look at Add e-mail settings for iOS and iPadOS devices in Microsoft Intune.
Any iOS device that's managed with Basic Mobility and Security won't be able to access email if the following conditions are true:
- You've configured a device security policy to require a managed email profile for access.
- You haven't modified the policy since November 9, 2021 (which means the policy is still using Basic authentication).
Policies created or modified after this date have already been updated to use modern authentication.
To update policies that haven't been modified since November 9, 2021 to use modern authentication, make a temporary change to the policy's access requirements. We recommend changing and saving the Require Encrypted backups cloud setting, which will upgrade the policy to use modern authentication. Once the altered policy has the status value Turned on, the email profile has been upgraded. You may then revert the temporary change to the policy.
During the upgrade process, the email profile will be updated on the iOS device and the user will be prompted to enter their username and password.
If your devices are using certificate-based authentication, they will be unaffected when Basic authentication is turned off in Exchange Online later this year. Only devices authenticating directly using Basic authentication will be affected.
Certificate-based authentication is still legacy authentication and as such will be blocked by Azure AD conditional access policies that block legacy authentication. For more information see Block legacy authentication - Azure Active Directory.
Exchange Online PowerShell
Since the release of the Exchange Online PowerShell module, it's been easy to manage your Exchange Online settings and protection settings from the command line using Modern authentication. The module uses Modern authentication and works with multi-factor authentication (MFA) for connecting to all Exchange-related PowerShell environments in Microsoft 365: Exchange Online PowerShell, Security & Compliance PowerShell, and standalone Exchange Online Protection (EOP) PowerShell.
The Exchange Online PowerShell module can also be used non-interactively, which enables running unattended scripts. Certificate-based authentication provides admins the ability to run scripts without the need to create service-accounts or store credentials locally. To learn more, see: App-only authentication for unattended scripts in the Exchange Online PowerShell module.
Administrators who still use the old remote PowerShell connection method or the older Exchange Online Remote PowerShell Module (V1), are encouraged to begin using the Exchange Online PowerShell module as soon as possible. These older connection methods will eventually be retired, either through Basic authentication disablement or the end of support.
Don't be confused by the fact that PowerShell requires Basic authentication to be enabled for WinRM on the local machine where the session is run from. The username and password aren't sent to the service using Basic authentication; rather, the Basic Auth header is required to carry the session's OAuth token, because the WinRM client doesn't support OAuth. We are working on this problem and will have more to announce in the future. Just know that enabling Basic on WinRM is not the same as using Basic authentication to authenticate to the service. For more information, see Exchange Online PowerShell: Turn on Basic authentication in WinRM.
Read more about this situation here: Understanding the Different Versions of Exchange Online PowerShell Modules and Basic Auth.
For details on moving from the V1 version of the module to the current version, see this blog post.
Version 3.0.0 of the Exchange Online PowerShell V3 module (Preview versions 2.0.6-PreviewX) contains REST API-backed versions of all Exchange Online cmdlets that don't require Basic authentication in WinRM. For more information, see Updates for version 3.0.0.
Exchange Web Services (EWS)
Many applications have been created using EWS for access to mailbox and calendar data.
In 2018, we announced that Exchange Web Services would no longer receive feature updates and we recommended that application developers switch to using Microsoft Graph. See Upcoming changes to Exchange Web Services (EWS) API for Office 365.
Many applications have successfully moved to Graph, but for those applications that have not, it's noteworthy that EWS already fully supports Modern authentication. So if you can't migrate to Graph yet, you can switch to using Modern authentication with EWS, knowing that EWS will eventually be deprecated.
To learn more, see:
- Upcoming API Deprecations in Exchange Web Services for Exchange Online - Microsoft Tech Community
- Authenticate an EWS application by using OAuth
- What to do with EWS Managed API PowerShell scripts that use Basic Authentication
Outlook, MAPI, RPC, and Offline Address Book (OAB)
All versions of Outlook for Windows since 2016 have Modern authentication enabled by default, so it's likely that you're already using Modern authentication. Outlook Anywhere (formerly known as RPC over HTTP) has been deprecated in Exchange Online in favor of MAPI over HTTP. Outlook for Windows uses MAPI over HTTP, EWS, and OAB to access mail, set free/busy and out of office, and download the Offline Address Book. All of these protocols support Modern authentication.
Outlook 2007 or Outlook 2010 cannot use Modern authentication, and will eventually be unable to connect. Outlook 2013 requires a setting to enable Modern authentication, but once you configure the setting, Outlook 2013 can use Modern authentication with no issues. As announced earlier here, Outlook 2013 requires a minimum update level to connect to Exchange Online. See: New minimum Outlook for Windows version requirements for Microsoft 365.
Outlook for Mac supports Modern Authentication.
For more information about Modern authentication support in Office, see How modern authentication works for Office client apps.
If you need to migrate Public Folders to Exchange online, see Public Folder Migration Scripts with Modern Authentication Support.
How do you know if your users will be impacted?
There are several ways to determine if you're using Basic authentication or Modern authentication. If you're using Basic authentication, you can determine where it's coming from and what to do about it.
A simple way to tell if a client app (for example, Outlook) is using Basic authentication or Modern authentication is to observe the dialog that's presented when the user logs in.
Modern authentication displays a web-based login page, whereas Basic authentication presents a modal credential dialog box.
On a mobile device, you'll see a similar web-based page when you authenticate if the device is trying to connect using Modern authentication.
You can also check the connection status dialog box, by CTRL + right-clicking the Outlook icon in the system tray, and choosing Connection Status.
When using Basic authentication, the Authn column in the Outlook Connection Status dialog shows the value of Clear.
Once you switch to Modern authentication, the Authn column in the Outlook Connection Status dialog shows the value of Bearer.
Check the Message Center
Starting at the end of 2021, we started sending Message Center posts to tenants summarizing their usage of Basic authentication. If you don't use Basic authentication, you'll probably have had Basic authentication turned off already (and received a Message Center post saying so) – so unless you start using it, you won't be impacted.
If you did get a summary of usage, you'll know how many unique users we saw using Basic authentication in the previous month, and which protocols they used. These numbers are indicative only, and do not necessarily reflect successful access to mailboxes or data. For example, a user may authenticate using IMAP, but be denied access to the mailbox due to configuration or policy. But the usage summary does indicate that something or someone is successfully authenticating to your tenant using Basic authentication. To investigate this usage further, we recommend that you use the Azure Active Directory Sign-in events report – a report that can provide detailed user, IP, and client details for these authentication attempts (more details below).
Check the Admin Center
Early in 2022, we plan on updating the Microsoft Admin Center to make it easier to see summary usage and enable/disable protocols. We'll publish more information on these changes when it becomes available.
Check the Azure Active Directory Sign-in report
The best place to get the most up-to-date picture of Basic authentication usage by tenants is by using the Azure AD Sign-In report. To learn more, see: New tools to block legacy authentication in your organization - Microsoft Tech Community.
Exporting logs for analysis requires a premium license for your Azure AD tenant. If you have a premium license, you can use the following methods to export logs:
- Azure Event Hubs, Azure Storage, or Azure Monitor (best methods): All of these export pathways are capable of handling the load from even large customers with hundreds of thousands of users. For more information, see Stream Azure Active Directory logs to Azure Monitor logs.
- Graph APIs: We recommend that you use MS Graph paging logic to ensure you can pull in all of the logs. For more information, see Access Azure AD logs with the Microsoft Graph API.
- Direct download from web browser: For large customers, the amount of data can cause browser timeouts.
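As an added example (not part of the original article), the following Python triages an exported sign-in log in the Microsoft Graph signIns shape: it keeps only legacy client types, separates successful from failed attempts (the article notes that authenticating is not the same as reaching the mailbox), and collects source IPs per user and protocol so each client can be tracked down. The clientAppUsed values, the modern/legacy split, and the sample records are assumptions or constructed data, not taken from the article.

```python
import json
from collections import defaultdict

# clientAppUsed values that Azure AD reports for modern-auth sign-ins; everything else
# (IMAP4, POP3, SMTP, Exchange ActiveSync, Other clients, ...) is treated as legacy.
# This mirrors the logic of Azure AD's legacy-authentication workbook (assumed here,
# not stated in the article; verify against the linked guidance).
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample export in the Graph signIns shape (one JSON object per line);
# these are not real users, addresses or tenants.
SAMPLE_SIGNINS = """\
{"createdDateTime":"2022-09-12T08:01:12Z","userPrincipalName":"alice@contoso.example","clientAppUsed":"IMAP4","ipAddress":"203.0.113.10","status":{"errorCode":0}}
{"createdDateTime":"2022-09-12T08:03:40Z","userPrincipalName":"alice@contoso.example","clientAppUsed":"IMAP4","ipAddress":"203.0.113.11","status":{"errorCode":0}}
{"createdDateTime":"2022-09-12T08:05:02Z","userPrincipalName":"bob@contoso.example","clientAppUsed":"Exchange ActiveSync","ipAddress":"198.51.100.7","status":{"errorCode":50126}}
{"createdDateTime":"2022-09-12T08:07:55Z","userPrincipalName":"carol@contoso.example","clientAppUsed":"Mobile Apps and Desktop clients","ipAddress":"198.51.100.9","status":{"errorCode":0}}
{"createdDateTime":"2022-09-12T08:09:13Z","userPrincipalName":"scanner@contoso.example","clientAppUsed":"Authenticated SMTP","ipAddress":"192.0.2.25","status":{"errorCode":0}}
{"createdDateTime":"2022-09-12T08:11:30Z","userPrincipalName":"bob@contoso.example","clientAppUsed":"Browser","ipAddress":"198.51.100.7","status":{"errorCode":0}}
"""

def is_legacy(event: dict) -> bool:
    """True when the sign-in came through a legacy (Basic-auth-capable) protocol."""
    return event.get("clientAppUsed", "") not in MODERN_CLIENT_APPS

def summarize_legacy_auth(lines):
    """Group legacy sign-ins by (protocol, user), splitting success from failure.
    Usage counts are indicative only: a user may authenticate over IMAP and still be
    denied the mailbox, so both outcomes are kept apart, and the source IPs are
    collected so each client or device can be located."""
    summary = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if not is_legacy(event):
            continue
        key = (event["clientAppUsed"], event["userPrincipalName"])
        entry = summary.setdefault(key, {"success": 0, "failure": 0, "ips": set()})
        # errorCode 0 means Azure AD issued a token; anything else is a failed attempt.
        if event.get("status", {}).get("errorCode", 0) == 0:
            entry["success"] += 1
        else:
            entry["failure"] += 1
        entry["ips"].add(event.get("ipAddress", "unknown"))
    return summary

def protocols_in_use(summary) -> dict:
    """Per legacy protocol, the users with at least one successful sign-in."""
    users = defaultdict(set)
    for (protocol, upn), entry in summary.items():
        if entry["success"] > 0:
            users[protocol].add(upn)
    return dict(users)

if __name__ == "__main__":
    result = summarize_legacy_auth(SAMPLE_SIGNINS.splitlines())
    for (protocol, upn), entry in sorted(result.items()):
        print(f"{protocol:22} {upn:28} ok={entry['success']} "
              f"failed={entry['failure']} ips={sorted(entry['ips'])}")
```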
Some of the options available for each of the impacted protocols are listed below.
For Exchange Web Services (EWS), Remote PowerShell (RPS), POP and IMAP, and Exchange ActiveSync (EAS):
- If you have written your own code using these protocols, update your code to use OAuth 2.0 instead of Basic Authentication, or migrate to a newer protocol (Graph API).
- If you or your users are using a third-party application that uses these protocols, contact the developer who supplied it to update it to support OAuth 2.0 authentication, or help your users switch to an application that's built using OAuth 2.0.
|Key Protocol Service|Impacted Clients|Client Specific Recommendation|Special Recommendation for Office 365 Operated by 21Vianet (Gallatin)|Other Protocol Info / Notes|
|---|---|---|---|---|
|Outlook|All versions of Outlook for Windows and Mac| | |Enabling Modern Auth for Outlook – How Hard Can It Be?|
|Exchange Web Services (EWS)|Third-party applications not supporting OAuth| |Follow this article to migrate your customized Gallatin application to use EWS with OAuth. Microsoft Teams and Cisco Unity are not currently available in Gallatin.|What to do with EWS Managed API PowerShell scripts that use Basic Authentication|
|Remote PowerShell (RPS)| |Use either:|Azure Cloud Shell is not available in Gallatin|Learn more about Automation and certificate-based authentication support for the Exchange Online PowerShell module and Understanding the Different Versions of Exchange Online PowerShell Modules and Basic Auth.|
|POP and IMAP|Third-party clients such as Thunderbird, and first-party clients configured to use POP or IMAP|Recommendations:|Follow this article to configure POP and IMAP with OAuth in Gallatin, with sample code|IMAP is popular for Linux and education customers. OAuth 2.0 support started rolling out in April 2020. See Authenticate an IMAP, POP, or SMTP connection using OAuth.|
|Exchange ActiveSync (EAS)|Mobile email clients from Apple, Samsung, etc.| | |Mobile devices that use a native app to connect to Exchange Online generally use this protocol.|
What if I want to block Basic authentication now?
Here's a table summarizing the options for proactively disabling Basic authentication.
|Option|Advantages|Limitations|
|---|---|---|
|Security Defaults|Blocks all legacy authentication at the tenant level for all protocols. No additional licensing required.|Cannot be used together with Azure AD Conditional Access policies. Potential other impact, such as requiring all users to register for and use MFA.|
|Exchange Online Authentication Policies|Allows for a phased approach with disablement options per protocol. No additional licensing required. Blocks Basic authentication pre-auth.|Admin UI is available to disable Basic authentication at the org level, but exceptions require PowerShell.|
|Azure AD Conditional Access|Can be used to block all Basic authentication for all protocols. Can be scoped to users, groups, apps, etc. Can be configured to run in report-only mode for additional reporting.|Requires additional licensing (Azure AD P1). Blocks Basic authentication post-auth.|
To learn more on how to block Basic authentication, check out the following articles:
Exchange Online Authentication Policies:
- Manage Basic Authentication in the Microsoft 365 Admin Center (Simple)
- Authentication Policy Procedures in Exchange Online (Advanced)
Azure AD Conditional Access:
- Conditional Access: Block Legacy Authentication (Simple)
- How to: Block Legacy Authentication to Azure AD with Conditional Access (Detailed)
Summary and next steps
The changes described in this article can affect your ability to connect to Exchange Online, so you should determine whether you are impacted and what steps you need to take to ensure you can continue to connect once they roll out.
It's recommended that you first investigate the impact on your tenant and users. Look out for Message Center posts that either summarize your usage or report you don't have any.
If you have usage, or are unsure, take a look at the Azure AD Sign-In report. More information can be found here: New tools to block legacy authentication in your organization - Microsoft Tech Community. The report can help you track down and identify clients and devices using Basic authentication.
Once you have an idea of the users and clients you know are using Basic authentication, come up with a remediation plan. That might mean upgrading client software, reconfiguring apps, updating scripts, or reaching out to third-party app developers to get updated code or apps.