M365 Changelog: Basic Authentication Deprecation in Exchange Online – September 2022 Update

MC424238 – One month from today, Microsoft is going to start to turn off basic authentication for specific protocols in Exchange Online. 

Timeline and Scope 

As Microsoft communicated last year in blog posts and earlier this year in MC375736 , it will start to turn off basic authentication in our worldwide multi-tenant service on October 1, 2022. Microsoft will randomly select tenants, send 7-day warning Message Center posts, post Service Health Dashboard notices, and turn off basic auth in the tenant. 

Microsoft is turning off basic auth for the following protocols: MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS) and Remote PowerShell. 

Microsoft is not changing any settings or turning off SMTP AUTH. 

What If You Are Not Ready for This Change? 

Microsoft recognizes many tenants may still be unprepared for this change. 

Today Microsoft announced an update to our plan to offer customers who are unaware or otherwise not ready for this change. You can read this announcement here

What should I do to prepare for this change? 

Any client (user app, script, integration, etc.) using basic auth for an affected protocol will be unable to connect. The app will receive an HTTP 401 error: bad username or password. Any app using modern auth for these protocols will be unaffected. 

If you are unsure if you have clients or apps that will be affected by this change, you can check the Azure AD Sign-In logs, or just check Message Center for any messages titled, ‘Basic Authentication – Monthly Usage Report’. Microsoft will send the usage report for August in the next few days. If you cannot see any of these messages, Microsoft has not detected basic authentication on the affected protocols in your tenant. 

To read more on what can be done to switch apps from basic to modern auth please view our main documentation page and our latest blog

Additional Information