PSA: Microsoft to Switch Off Basic Authentication in Exchange Online in January

Cloud Computing

Microsoft is once again reminding customers that it will permanently turn off Basic Authentication in Exchange Online in early January. The company is pushing organizations to adopt Modern Authentication (OAuth 2.0) as soon as possible.

Three years ago, Microsoft announced its plans to deprecate Basic Authentication support in favor of secure user authentication techniques. Since then, the company has released security updates to move several Microsoft 365 apps to Modern Authentication, including the Outlook desktop and mobile clients.

Microsoft started disabling Basic Authentication support in random Microsoft 365 tenants worldwide in October of this year. Up until now, millions of companies have already moved away from the insecure authentication method, but it seems like many customers are still not ready for the change despite multiple warnings. Consequently, Microsoft allowed IT admins to re-enable select protocols in Exchange Online until the end of the year.

Now, Microsoft has issued a final warning that Basic Authentication will be permanently turned off for various protocols in the first week of January 2023. The change will apply to seven email connection protocols, such as POP, IMAP, MAPI, RPC, Offline Address Book, Remote PowerShell, Exchange Web Services, and Exchange ActiveSync.

“Beginning in early January, we will send Message Center posts to affected tenants about 7 days before we make the configuration change to permanently disable Basic auth use for protocols in scope. Soon after basic auth is permanently disabled, any clients or apps connecting using Basic auth to one of the affected protocols will receive a bad username/password/HTTP 401 error,” the Exchange team explained.

Getting ready for Basic Authentication deprecation in Exchange Online

Basic Authentication is a legacy authentication method that involves sending user credentials in plain text to computer systems. It doesn’t support multi-factor authentication (MFA), making it easier for threat actors to steal credentials via sophisticated cyber attacks.

Microsoft has warned that Exchange Online customers will no longer be able to turn on Basic Authentication starting January 2023. The Exchange team has published a guide to help IT administrators prepare for this change, and you can find more details in this blog post.