In early January 2023, we will permanently turn off Basic auth for multiple protocols for many Exchange Online tenants.
We want to thank you once again for all the hard work you’ve done to prepare ...
Updated Jan 01, 2023
Version 3.0
Blog Post
Warning: Rant ahead, but also giving my work-around (this Python OAuth proxy: https://github.com/simonrob/email-oauth2-proxy.) in case helps anyone else.
I knew this was coming for ages (and even put in the last-minute extension that was offered towards the end of 2022). Today was the day that the tenant that I primary manage got the gauntlet thrown down and basic auth off for good. As I am terrible about checking message center and even message center email notifications get "eaten alive" in my mailbox, the way I discovered this was that I stopped getting helpdesk emails today.
There are apps out there that have no plans to add OAuth support anytime soon (and plenty of legacy apps that we can't get rid of that will NEVER get OAuth authentication support added).
Yes, I completely take responsibility for not dealing with this sooner (I had PLENTY of warnings), but gosh darn it, it just irritates me to no end that Microsoft can't allow us to specifically allow basic auth for specific mailboxes (or even, not what I would really want, but would let me get by, is if, as others have suggested, why not allow us to IP whitelist (even if at the mailbox level). I am fine requiring OAuth for all end-users, but Microsoft, WHY COULDN'T YOU PLEASE let us admins have a way to continue to manually enable basic auth on a mailbox level?!?!?!?!?!?!?
Again, I take total responsibility, but man, many of us don't have large IT teams and have to wear many hats, and dealing with this again, just stinks, as I've had to drop quite a few hours from other projects that have really also needed my attention (Network-Systems Admin for 3 small school districts, you get to wear many hats, and short staffed to start with, and then losing a major tech staff member, it's hard to keep sane and to decide which ship to keep from sinking each week.
Also, not the Exchange team's call, but would be nice to talk with the Outlook team to see if any chance they might at OAuth2 authentication support to POP, IMAP, and SMTP connections to Exchange? (Though not every-day user use cases, there are indeed use cases where IMAP or POP are still appropriate connection methods)
Apologies, rant mode off....
The work-around that I did figure out and (thankfully) got tested last November with the help a tech assistant was to use a Python OAuth proxy. https://github.com/simonrob/email-oauth2-proxy.
As, I've unfortunately never done much with Python up to this point, I haven't had the time to figure out how to run this script in non-GUI mode, as a service, and how to shrink it's Python footprint. So, for time being, I'm remoting into our helpdesk server upon each server reboot to verify that the proxy is running and functioning. But, as of this evening, the proxy is working and our helpdesk system can again access and is processing incoming ticket emails!
And, as much as I may strongly disagree with the specifics of these authentication policy changes, I do appreciate everything the Exchange and other Microsoft Azure and other teams members do. It's not an easy task supporting a workload of millions of daily users and workloads but they do it!