Microsoft to Let Admins Temporarily Pause Exchange Online Basic Auth Deprecation

Security

Microsoft is once again notifying customers that it will finally disable basic authentication support in Exchange Online starting October 1, 2022. The company is also giving organizations an option to pause the deprecation of select email connection protocols until the end of this year.

In 2019, Microsoft first announced its plans to retire basic authentication to protect Exchange Online customers from password spray attacks. This change will affect select protocols such as RPC, MAPI, IMAP, POP, Exchange Web Services (EWS), Offline Address Book (OAB), Remote PowerShell, and Exchange ActiveSync (EAS). However, there is an exception for the SMTP AUTH protocol.

Microsoft has been reminding users about this end-of-life date for quite some time and also encouraging them to plan migrations to modern authentication. Despite all the warnings, hundreds of customers are either unaware or not yet ready for this configuration change. The impending retirement of basic authentication will prevent them from connecting to mailboxes with an HTTP 401 error.

Microsoft to Let Admins Temporarily Pause Exchange Online Basic Authentication Deprecation
Summary of timelines and actions

Microsoft gives the last chance to re-enable Exchange Online Basic Authentication

To address this issue, Microsoft has decided to let customers request a three-month extension for using basic authentication in their tenant. This means that IT admins will be able to re-enable one or more of the affected protocols via the self-service diagnostic tool. These protocols will continue to work until December 31, but will be permanently disabled in the first week of January 2023.

“This effort has taken three years from initial communication until now, and even that has not been enough time to ensure that all customers know about this change and take all necessary steps. IT and change can be hard, and the pandemic changed priorities for many of us, but everyone wants the same thing: better security for their users and data,” the Exchange team explained.

Microsoft to Let Admins Temporarily Pause Exchange Online Basic Authentication Deprecation

Microsoft recommends Exchange Online customers to switch apps to certificate-based authentication as soon as possible to avoid any disruptions. Administrators can use authentication policies to block basic authentication in the tenants. Let us know in the comments below if you have already completed the migration process.