Basic Authentication and Exchange Online – April 2020 Update

Microsoft

Apr 03, 2020

Update: The full timeline for retirement of Basic Authentication in Exchange Online is now published in Basic Authentication Deprecation in Exchange Online – September 2022 Update.

Last year we announced changes to make Exchange Online more secure, and earlier this year we provided some updates on progress.

In response to the COVID-19 crisis and knowing that priorities have changed for many of our customers we have decided to postpone disabling Basic Authentication in Exchange Online for those tenants still actively using it until the second half of 2021. We will provide a more precise date when we have a better understanding of the impact of the situation.

We will continue to disable Basic Authentication for newly created tenants by default and begin to disable Basic Authentication in tenants that have no recorded usage starting October 2020. And of course you can start blocking legacy authentication today, you don’t need us to do anything if you want to get started (and you should).

We will also continue to complete the roll-out of OAuth support for POP, IMAP, SMTP AUTH and Remote PowerShell and continue to improve our reporting capabilities. We will publish more details on these as we make progress.

Update: For more news on OAUTH support for IMAP and SMTP go here and for POP, go here.

We still intend to move our customers away from Basic Authentication as we still very strongly believe improving security in Exchange Online benefits all of us, and so we’ll announce more accurate timelines for disabling Basic Authentication for tenants with usage at a later date.

The Exchange Team

Updated Sep 01, 2022

Version 7.0

Microsoft

Joined April 19, 2019

View Profile

Exchange Team Blog

You Had Me at EHLO.

ND_Armand
Copper Contributor
Apr 03, 2020
Will this extend compatibility with Outlook 2010?
Dave_Watson
Copper Contributor
Apr 03, 2020
Can you provide a timeframe for when you will publish an updated API for PowerShell? I am looking for unattended authentication from PowerShell to query mailboxes and devices in an O365 tenant.
Can you provide us with your interim progress, so we know what to anticipate once it is officially published?

This update is nice for customers with simple needs, but the deadline hasn't changed for those of us that need to support both new and existing customers.
victorguo
Brass Contributor
Apr 03, 2020
Any updates on the PowerShell certificate based authentication (CBA)?
Kent Compton
Copper Contributor
Jun 07, 2020
I have a pretty good idea why only 9% of companies have turned off legacy auth and IMHO the slow uptake has nothing to do with Android or iPhone (use Outlook for Android/iOS), organizations holding on to Outlook 10 or some of the other justifications in the forums. I'm all-in and ready to "flip the switch" to make our Exchange Online only tenant (E1) 100% modern auth. The problem is after reading through a half dozen "the sky is falling--turn off legacy auth or perish!!!!" articles on the techcommunity I still can't find any guidance for actually doing it. Several articles and Identity Secure Score makes the recommendation "Enable policy to block legacy authentication" which would be great if I want to purchase Azure AD Premium P1 (or EM+S or M365) for all my users in order to use Conditional Access. I know AADP1 is great, but I don't have that budget. (BTW, the block legacy authentication policy has been deprecated anyways, so thanks for that.) Why is there not simply a way to let the administrator disable legacy auth from the Exchange Online (or Azure AD) portal? If you REALLY cared about getting everyone off of legacy auth why isn't "Turn off legacy authentication" a high impact Identity Secure Score choice? The administrator opens it, flips the bit and their tenant is secure. Either make it simpler to enable or stop pleading for us to make the change but requiring AADP1 subscriptions to make it possible.
Pascal_Odermatt
Copper Contributor
Apr 06, 2020
What about the Surface Hub?
Microsoft docs mentioning to create a device account with active-sync authentication.
The_Exchange_Team would be nice to see an alternative for this use case.

Source: https://docs.microsoft.com/en-us/surface-hub/create-a-device-account-using-office-365
Joshua_BAnnon
Microsoft
Apr 06, 2020
Is there any ETA for IMAP documentation?
Thanks.
Winston310
Copper Contributor
Apr 08, 2020
Will this affect our MFP machines that scan to email? They use smtp.office365.com with SMTP Auth (TLS 1.2).
mbromb
Copper Contributor
Apr 08, 2020
Dave_Watson, I've just started using the Exchange Online PowerShell V2 Module for my on-premise scheduled scripts in order to use Oauth. I use a service account without MFA so a password hash file can be used, and there's no additional MFA prompt. Once connected you can go about your business with Exchange as normal. This blog provides steps: https://o365reports.com/2019/12/11/connect-exchange-online-powershell-without-basic-authentication/
ericnel
Microsoft
Apr 03, 2020
@ ND_Armand
Office 365 service connectivity support end dates - As of October 13, 2020, connectivity support to Office 365 services (e.g. Exchange
Online, SharePoint Online, OneDrive) will require Office 365 ProPlus or nonsubscription versions of Office in mainstream support.
See this: View related timelines on the Office system requirements matrix

Not only will Outlook 2010 be EOS, but so will Outlook 2013.
hkusulja
MVP
Apr 06, 2020
Microsoft Dynamics 365 Business Central (latest 2020 wave 1 - v16) - still does support only SMTP using basic auth 😞
This is simple and basic functionality, and event Microsoft products does not support it well...

Hoping to resolve this...

Blog Post

Basic Authentication and Exchange Online – April 2020 Update