Deprecation of Basic authentication in Exchange Online

Important

Basic authentication is now disabled in all tenants.

Before December 31 2022, you could re-enable the affected protocols if users and apps in your tenant couldn't connect. Now no one (you or Microsoft support) can re-enable Basic authentication in your tenant.

Read the rest of this article to fully understand the changes we made and how these changes might affect you.

For many years, applications have used Basic authentication to connect to servers, services, and API endpoints. Basic authentication simply means the application sends a username and password with every request, and those credentials are also often stored or saved on the device. Traditionally, Basic authentication is enabled by default on most servers or services, and is simple to set up.

Simplicity isn't at all bad, but Basic authentication makes it easier for attackers to capture user credentials (particularly if the credentials are not protected by TLS), which increases the risk of those stolen credentials being reused against other endpoints or services. Furthermore, the enforcement of multifactor authentication (MFA) is not simple or in some cases, possible when Basic authentication remains enabled.

Basic authentication is an outdated industry standard. Threats posed by it have only increased since we originally announced that we were going to turn it off (see Improving Security - Together) There are better and more effective user authentication alternatives.

We actively recommend that customers adopt security strategies such as Zero Trust (Never Trust, Always Verify), or apply real-time assessment policies when users and devices access corporate information. These alternatives allow for intelligent decisions about who is trying to access what from where on which device rather than simply trusting an authentication credential that could be a bad actor impersonating a user.

With these threats and risks in mind, we took steps to improve data security in Exchange Online.

Note

The deprecation of basic authentication also prevents the use of app passwords with apps that don't support two-step verification.

What we are changing

We removed the ability to use Basic authentication in Exchange Online for Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, Exchange Web Services (EWS), Offline Address Book (OAB), Autodiscover, Outlook for Windows, and Outlook for Mac.

We also disabled SMTP AUTH in all tenants where it wasn't being used.

This decision requires customers to move from apps that use basic authentication to apps that use Modern authentication. Modern authentication (OAuth 2.0 token-based authorization) has many benefits and improvements that help mitigate the issues in basic authentication. For example, OAuth access tokens have a limited usable lifetime, and are specific to the applications and resources for which they are issued, so they cannot be reused. Enabling and enforcing multifactor authentication (MFA) is also simple with Modern authentication.

When did this change take place?

Beginning in early 2021, we started to disable Basic authentication for existing tenants with no reported usage.

Beginning in early 2023, we disabled Basic authentication for all tenants who had any type of extension. You can read more about the timing here.

Note

In Office 365 Operated by 21Vianet, we began disabling Basic authentication on March 31, 2023. All other cloud environments were subject to the October 1, 2022 date.

Impact to messaging protocols and existing applications

This change affects the applications and scripts you might use in different ways.

POP, IMAP, and SMTP AUTH

In 2020, we released OAuth 2.0 support for POP, IMAP, and SMTP AUTH. Updates to some client apps have been updated to support these authentication types (Thunderbird for example, though not yet for customers using Office 365 Operated by 21Vianet), so users with up-to-date versions can change their configuration to use OAuth. There is no plan for Outlook clients to support OAuth for POP and IMAP, but Outlook can connect use MAPI/HTTP (Windows clients) and EWS (Outlook for Mac).

Application developers who have built apps that send, read, or otherwise process email using these protocols will be able to keep the same protocol, but need to implement secure, Modern authentication experiences for their users. This functionality is built on top of Microsoft identity platform v2.0 and supports access to Microsoft 365 email accounts.

If your in-house application needs to access IMAP, POP and SMTP AUTH protocols in Exchange Online, follow these step-by-step instructions to implement OAuth 2.0 authentication: Authenticate an IMAP, POP, or SMTP connection using OAuth. Additionally, use the PowerShell script Get-IMAPAccesstoken.ps1 to test IMAP access after your OAuth enablement on your own in a simple way including the shared mailbox use case.

SMTP AUTH will still be available when Basic authentication is permanently disabled on October 1, 2022. The reason SMTP will still be available is that many multi-function devices such as printers and scanners can't be updated to use modern authentication. However, we strongly encourage customers to move away from using Basic authentication with SMTP AUTH when possible. Other options for sending authenticated mail include using alternative protocols, such as the Microsoft Graph API.

Exchange ActiveSync (EAS)

Many users have mobile devices that are set up to use EAS. If they were using Basic authentication, they are affected by this change.

We recommend using Outlook for iOS and Android when connecting to Exchange Online. Outlook for iOS and Android fully integrates Microsoft Enterprise Mobility + Security (EMS), which enables conditional access and app protection (MAM) capabilities. Outlook for iOS and Android helps you secure your users and your corporate data, and it natively supports Modern authentication.

There are other mobile device email apps that support Modern authentication. The built-in email apps for all popular platforms typically support Modern authentication, so sometimes the solution is to verify that your device is running the latest version of the app. If the email app is current, but is still using Basic authentication, you might need to remove the account from the device and then add it back.

If you're using Microsoft Intune, you might be able to change the authentication type using the email profile you push or deploy to your devices. If you are using iOS devices (iPhones and iPads) you should take a look at Add e-mail settings for iOS and iPadOS devices in Microsoft Intune

Any iOS device that's managed with Basic Mobility and Security won't be able to access email if the following conditions are true:

  • You've configured a device security policy to require a managed email profile for access.
  • You haven't modified the policy since November 9, 2021 (which means the policy is still using Basic authentication).

Policies created or modified after this date have already been updated to use modern authentication.

To update policies that haven't been modified since November 9, 2021 to use modern authentication, make a temporary change to the policy's access requirements. We recommend changing and saving the Require Encrypted backups cloud setting, which will upgrade the policy to use modern authentication. Once the altered policy has the status value Turned on, the email profile has been upgraded. You may then revert the temporary change to the policy.

Note

During the upgrade process, the email profile will be updated on the iOS device and the user will be prompted to enter their username and password.

If your devices are using certificate-based authentication, they will be unaffected when Basic authentication is turned off in Exchange Online later this year. Only devices authenticating directly using Basic authentication will be affected.

Certificate-based authentication is still legacy authentication and as such will be blocked by Microsoft Entra Conditional Access policies that block legacy authentication. For more information see Block legacy authentication with Microsoft Entra Conditional Access.

Exchange Online PowerShell

Since the release of the Exchange Online PowerShell module, it's been easy to manage your Exchange Online settings and protection settings from the command line using Modern authentication. The module uses Modern authentication and works with multi-factor authentication (MFA) for connecting to all Exchange-related PowerShell environments in Microsoft 365: Exchange Online PowerShell, Security & Compliance PowerShell, and standalone Exchange Online Protection (EOP) PowerShell.

The Exchange Online PowerShell module can also be used non-interactively, which enables running unattended scripts. Certificate-based authentication provides admins the ability to run scripts without the need to create service-accounts or store credentials locally. To learn more, see: App-only authentication for unattended scripts in the Exchange Online PowerShell module.

Important

Do not confuse the fact that PowerShell requires Basic authentication enabled for WinRM (on the local machine where the session is run from). The username/password isn't sent to the service using Basic, but the Basic Auth header is required to send the session's OAuth token, because the WinRM client doesn't support OAuth. We are working on this problem and will have more to announce in the future. Just know that enabling Basic on WinRM is not using Basic to authenticate to the service. For more information, see Exchange Online PowerShell: Turn on Basic authentication in WinRM.

Read more about this situation here: Understanding the Different Versions of Exchange Online PowerShell Modules and Basic Auth.

For details on moving from the V1 version of the module to the current version, see this blog post.

Version 3.0.0 of the Exchange Online PowerShell V3 module (Preview versions 2.0.6-PreviewX) contains REST API backed versions of all Exchange Online cmdlets that don't require Basic authentication in WinRM. For more information, see Updates for version 3.0.0.

Exchange Web Services (EWS)

Many applications have been created using EWS for access to mailbox and calendar data.

In 2018, we announced that Exchange Web Services would no longer receive feature updates and we recommended that application developers switch to using Microsoft Graph. See Upcoming changes to Exchange Web Services (EWS) API for Office 365.

Many applications have successfully moved to Graph, but for those applications that haven't, it's noteworthy that EWS already fully supports Modern authentication. So if you can't migrate to Graph yet, you can switch to using Modern authentication with EWS, knowing that EWS will eventually be deprecated.

To learn more, see:

Outlook, MAPI, RPC, and Offline Address Book (OAB)

All versions of Outlook for Windows since 2016 have Modern authentication enabled by default, so it's likely that you're already using Modern authentication. Outlook Anywhere (formerly known as RPC over HTTP) has been deprecated in Exchange Online in favor of MAPI over HTTP. Outlook for Windows uses MAPI over HTTP, EWS, and OAB to access mail, set free/busy and out of office, and download the Offline Address Book. All of these protocols support Modern authentication.

Outlook 2007 or Outlook 2010 cannot use Modern authentication, and will eventually be unable to connect. Outlook 2013 requires a setting to enable Modern authentication, but once you configure the setting, Outlook 2013 can use Modern authentication with no issues. As announced earlier here, Outlook 2013 requires a minimum update level to connect to Exchange Online. See: New minimum Outlook for Windows version requirements for Microsoft 365.

Outlook for Mac supports Modern Authentication.

For more information about Modern authentication support in Office, see How modern authentication works for Office client apps.

If you need to migrate Public Folders to Exchange online, see Public Folder Migration Scripts with Modern Authentication Support.

Autodiscover

In November 2022 we announced we would disable basic authentication for the Autodiscover protocol once EAS and EWS are disabled in a tenant.

Client options

Some of the options available for each of the impacted protocols are listed below.

Protocol recommendation

For Exchange Web Services (EWS), Remote PowerShell (RPS), POP and IMAP, and Exchange ActiveSync (EAS):

  • If you have written your own code using these protocols, update your code to use OAuth 2.0 instead of Basic Authentication, or migrate to a newer protocol (Graph API).
  • If you or your users are using a 3rd party application which uses these protocols, reach out to the 3rd party app developer who supplied this application to update it to support OAuth 2.0 authentication or assist your users to switch to an application that's built using OAuth 2.0.
Key Protocol Service Impacted Clients Client Specific Recommendation Special Recommendation for Office 365 Operated by 21Vianet (Gallatin) Other Protocol Info / Notes
Outlook All versions of Outlook for Windows and Mac
  • Upgrade to Outlook 2013 or later for Windows and Outlook 2016 or later for Mac
  • If you are using Outlook 2013 for Windows, turn on modern auth through the registry key
Enabling Modern Auth for Outlook – How Hard Can It Be?
Exchange Web Services (EWS) Third-party applications not supporting OAuth
  • Modify app to use modern auth.
  • Migrate app to use Graph API and modern auth.

Popular Apps:

Follow this article to migrate your customized Gallatin application to use EWS with OAuth

Microsoft Teams and Cisco Unity not currently available in Gallatin
What to do with EWS Managed API PowerShell scripts that use Basic Authentication
  • No EWS feature updates starting July 2018
  • Remote PowerShell (RPS) Use either: Azure Cloud Shell is not available in Gallatin Learn more about Automation and certificate-based authentication support for the Exchange Online PowerShell module and Understanding the Different Versions of Exchange Online PowerShell Modules and Basic Auth.
    POP and IMAP Third party mobile clients such as Thunderbird first party clients configured to use POP or IMAP Recommendations:
    • Move away from these protocols as they don't enable full features.
    • Move to OAuth 2.0 for POP/IMAP when your client app supports it.
    Follow this article to configure POP and IMAP with OAuth in Gallatin with sample code IMAP is popular for Linux and education customers. OAuth 2.0 support started rolling out in April 2020.

    Authenticate an IMAP, POP, or SMTP connection using OAuth
    Exchange ActiveSync (EAS) Mobile email clients from Apple, Samsung etc.
    • Move to Outlook for iOS and Android or another mobile email app that supports Modern Auth
    • Update the app settings if it can do OAuth but the device is still using Basic
    • Switch to Outlook on the web or another mobile browser app that supports modern auth.

    Popular Apps:

    • Apple iPhone/iPad/macOS: All up to date iOS/macOS devices are capable of using modern authentication, just remove and add back the account.
    • Microsoft Windows 10 Mail client: Remove and add back the account, choosing Office 365 as the account type
  • Apple's native mail app on iOS does not currently work in Gallatin, we recommend you use Outlook mobile
  • Windows 10/11 Mail app is not supported with Gallatin
  • Follow this article to configure EAS with OAuth and sample code
  • Mobile devices that use a native app to connect to Exchange Online generally use this protocol.
    Autodiscover EWS and EAS apps using Autodiscover to find service endpoints
    • Upgrade code/app to one supporting OAuth
    Autodiscover web service reference for Exchange

    Resources

    To learn more, check out the following articles:

    Security Defaults:

    Exchange Online Authentication Policies:

    Microsoft Entra Conditional Access: