Busy past 24 hours here. Great to see so much interest and activity. I'll take a go at answering those I can.
Alex Chacko - I suggest taking a look at the traffic using Fiddler and really see what's going on. MA being enabled doesn't mean it's being used. Outlook and Lync might need some reg key or other settings to make that switch.
WightKnight1119 - the change to make this report free to all is coming very soon I hope. Anyone with P1/2 can see it now, anyone without will have to wait a little.
ukchri2 - If we host your mail (which BT re-sell to you), you will be affected. You should reach out to BT support and point them at this blog, but same advice applies as to anyone else - if you want to keep using POP3, you'll need to use an OAuth capable POP3 client.
ZoltanLehoczky - we are still rolling it out, so it might be that it didn't get to your tenant yet. We have a lot of servers to roll these changes to. A lot.
RafalLukawiecki - a few points (and I see others have helped answer your questions too - thank you for those that did):
- Access to the report does not require you buy Azure Premium - it will show up for you, for free, very soon. As it says clearly in the blog.
- The steps are complex, regardless of your org size. As we said in the blog we know we have work to do to make it easier to use, but if we waited for that alone, it could be weeks (or more) more.
- iOS devices are great. I use iPhone, iPad and a watch - but the native mail app isn't as good as Outlook imho. But if you want to use it - you can, as it supports Modern Auth. So there's no issue. You use your client, I'll use mine. I'll get more done, but that's me.
- Let's agree to disagree.
- Again, if you want to keep using modern Apple devices, they will work just fine. I think you need to re-read some of the blog and the comments. It's actually pretty clear that native apps on modern iOS devices will work just fine.
- We don't just care about Enterprise customers, I really don't get why you would say that. I think you need to read the details in the blog.
Anthony Cotton - Support should know but we'll keep reminding them. There's a lot of change for them to keep up with, for all of us. CBAinProd is an internal bit that essentially means EXO asked Azure AD to auth the user - the auth attempt is proxied from EXO to AAD with Basic. In OAuth the client is redirected. Essentially CBAinProd is not useful for you, other than it says 'Basic was used here'. It's nothing to worry about.
You also seem to have some funky connections there. The reporting isn't at all perfect, we know, and we're working on making the filtering far more intuitive. Thanks for the feedback. Disabling legacy shouldn't be required for new Macs to use MA - open a support ticket, let's have a look at that. Your last question about controlling which users can do what - Auth Policies and Conditional Access. See if that does the job.
Sankarasubramanian Parameswaran - #3 - if the reg key isn't present the client uses Basic. There's no error. Unless you disable Basic, in which case the client won't connect. #4 - if you switch users from Basic to Modern, they will have to authenticate, then the tokens are cached and they won't need to auth for some time, typically. #5 - no idea what that means. And not sure what you mean in your following question about POP and IMAP - but POP/IMAP don't include app ID in the protocol. You can see the user who is using POP/IMAP - go ask them.
EugeneYa - it's still rolling out. Patience please. (thanks ph_ly for answering that. Can you tell I'm scrolling...)
t-rev - Glad it seems to be working again, Azure must have put more food in the hamster cage.
SaschaSeipp - yes, it's a bit weird that IMAP doing Modern Auth won't show as 'IMAP' - we'll try and fix that in the future.
Jason_Gunthorpe - The docs are nearly ready. We just need the scope changes to light up in prod too, then we'll release what you need.
securityDM - If you have disabled Basic, yet users are still connecting - then it might be caching - give it some time. It's not instant.
Feed-iowa - The report will be free to all once the roll out completes. Then you can see for yourself what is being used.
joel_shafer - what is a personal account? Modern Auth works great for EWS for O365 accounts. If you mean an MSA, not an O365 - then you are correct, and nor will it.
nmyfs - the answer to your question is in about 15 different replies, and in the blog itself. Happy hunting.
joshuaholcomb - If MA is disabled at the tenant then no Outlook for Windows client can do MA. EAS and Mac Outlook can and will though, they ignore the org wide setting.
SusanBradleyGeek - a good life lesson and PSA.
I'm off to have a lie down now.