Hello The_Exchange_Team -- My company uses Exchange Online. This update is causing me some confusion.
A few of our email accounts (5 or 6) accept machine-to-machine electronic documents. These emails are transmitted over SMTPS. Once spooled, emails are retrieved by third-party middleware running from inside our network. The middleware uses IMAP over TLS and Basic Authentication (username/password) credentials to retrieve emails. But our middleware does not support OAuth2 yet. So we still need Basic Authentication for these few email accounts that receive and process machine-to-machine documents. 2FA isn't applicable here since it's machine-to-machine communication. But the entire document transmission chain is encrypted (SMTPS followed by IMAP over TLS). This means common attacks (like password-spraying) will not work against a limited set of accounts with strong passwords.
We opened a Microsoft support case seeking clarification on Basic Auth retirement ([Case #: 31747343] - Deprecation of Basic authentication in Exchange Online). On July 7, 2022, we were advised in the ticket that manual enabling of Basic Authentication would allow us to use Basic Authentication indefinitely:
We asked:
We can keep using basic authentication for IMAP for any existing mailbox and newly created mailbox after 1/10/2022. Is that correct? Please confirm?
We got this response from Microsoft:
Yes, you can enable the IMAP protocols after basic authentication has been deprecated.
The ticket ended with the understanding that our organisation could continue using IMAP with Basic Authentication indefinitely for new and current mailboxes before and after 1 Oct. We just needed to execute the manual reconfiguration procedure documented in https://protect-au.mimecast.com/s/yv9vCMwGLzcD4K7OhkIwYt?domain=nam06.safelinks.protection.outlook.com ("When you click the button, you enter our self-help system. Here you can enter the magic phrase “Diag: Enable Basic Auth in EXO”"). This was good news. We do not need IMAP Basic Authentication forever -- just till next year, when we can upgrade our middleware to IMAP with OAuth 2.0.
But in this 'September update' I read: "During the first week of calendar year 2023, those protocols will be disabled for basic auth use permanently, and there will be no possibility of using basic auth after that."
Does this announcement kill our plans to keep Basic Authentication enabled next year for our five or six accounts that require it? How can I reconcile this with what Microsoft told me in the support ticket? Can you help me please?
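An administrator in the situation described above (a handful of mailboxes read by middleware that only speaks IMAP with username/password) will want a way to tell, ahead of any cut-over date, whether the IMAP endpoint still accepts Basic Authentication or now advertises only OAuth2. The following is an added example, not code from the original post or from Microsoft: it parses IMAP `CAPABILITY` responses (constructed sample lines are embedded for offline use) and reports whether a password-based login is still possible (no `LOGINDISABLED`, or `AUTH=PLAIN`/`AUTH=LOGIN` advertised) and whether `AUTH=XOAUTH2`/`AUTH=OAUTHBEARER` is offered. The `probe_server` helper does a live TLS connection and reads the capability list without sending any credentials; the default host `outlook.office365.com` is assumed here as the Exchange Online IMAP endpoint and is not taken from the post.

```python
"""Added example (not part of the original post): inspect an IMAP server's
advertised authentication mechanisms to judge Basic Auth readiness."""
import re
import ssl
import imaplib

# Constructed sample CAPABILITY lines, not captured from a real server.
SAMPLE_BASIC_ALLOWED = (
    "* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR "
    "UIDPLUS MOVE ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+"
)
SAMPLE_BASIC_DISABLED = (
    "* CAPABILITY IMAP4 IMAP4rev1 LOGINDISABLED AUTH=XOAUTH2 SASL-IR "
    "UIDPLUS MOVE ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+"
)

# Assumed Exchange Online IMAP endpoint (not stated in the post).
DEFAULT_HOST = "outlook.office365.com"
DEFAULT_PORT = 993  # IMAP over implicit TLS


def parse_capabilities(line: str) -> set:
    """Return the capability tokens from an untagged '* CAPABILITY ...' line."""
    m = re.match(r"^\*\s+CAPABILITY\s+(.*)$", line.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("not an untagged CAPABILITY response")
    return {tok.upper() for tok in m.group(1).split()}


def auth_summary(caps: set) -> dict:
    """Classify what the server will accept for authentication.

    RFC 3501: the plain LOGIN command is permitted unless LOGINDISABLED is
    advertised; SASL PLAIN/LOGIN count as password-based mechanisms too.
    """
    basic = (
        "LOGINDISABLED" not in caps
        or "AUTH=PLAIN" in caps
        or "AUTH=LOGIN" in caps
    )
    oauth = "AUTH=XOAUTH2" in caps or "AUTH=OAUTHBEARER" in caps
    return {
        "basic_auth_possible": basic,
        "oauth2_possible": oauth,
        "mechanisms": sorted(c for c in caps if c.startswith("AUTH=")),
    }


def readiness_verdict(summary: dict) -> str:
    """One-line verdict for a middleware that only supports username/password."""
    if summary["basic_auth_possible"]:
        return "password login still accepted; plan the OAuth2 migration anyway"
    if summary["oauth2_possible"]:
        return "password login refused; client must use OAuth2 (XOAUTH2/OAUTHBEARER)"
    return "no usable mechanism advertised; check server/tenant configuration"


def probe_server(host: str = DEFAULT_HOST, port: int = DEFAULT_PORT,
                 timeout: float = 10.0) -> dict:
    """Connect over TLS, read CAPABILITY, and log out without authenticating."""
    ctx = ssl.create_default_context()
    conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx, timeout=timeout)
    try:
        typ, data = conn.capability()  # data[0] is b'IMAP4 IMAP4rev1 AUTH=...'
        if typ != "OK":
            raise RuntimeError(f"CAPABILITY failed: {typ}")
        line = "* CAPABILITY " + data[0].decode("ascii", "replace")
        return auth_summary(parse_capabilities(line))
    finally:
        conn.logout()


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for label, sample in (("allowed", SAMPLE_BASIC_ALLOWED),
                          ("disabled", SAMPLE_BASIC_DISABLED)):
        s = auth_summary(parse_capabilities(sample))
        print(f"{label}: {s} -> {readiness_verdict(s)}")
    # For a live check: print(probe_server())  (network access required)
```

Running the live probe periodically from the same network segment as the middleware gives an early, credential-free signal of the moment the tenant stops advertising password mechanisms, which is the event the post is trying to plan around.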