Whereas I normally harp on The_Exchange_Team and have griped in the comments of many announcements, ironically I like this announcement quite a bit. It's going to do a few things that many customers and partners will come to appreciate:
- The automatic disablement by Microsoft, along with the Message Center notifications, is going to let customers most easily determine their dependency on Basic/legacy authentication.
- It'll also just 'take care of it for you' for customers with no dependency on Basic/legacy, but who aren't ready to enable Security Defaults.
- Give Microsoft more time to develop finer-grained RBAC-like controls for Azure AD/OAuth applications. Right now, particularly for unattended use cases, but even still for semi-interactive/delegated use cases, these applications are difficult to lock down properly. There are only about 12 MS Graph API permissions which can be scoped to individual mailboxes (actually to a mail-enabled security group, via application access policies).
- Give everyone who needs it more time to learn the new approach (i.e. OAuth grant types, of which there are several, each with their own pros and cons for the many scenarios they could cover).
So, glad to see this one, and thanks. A current state on this grey area is something everyone will appreciate.