Exchange Team Blog
Basic Authentication Deprecation in Exchange Online – Time’s Up

The_Exchange_Team
Dec 20, 2022

In early January 2023, we will permanently turn off Basic auth for multiple protocols for many Exchange Online tenants.

We want to thank you once again for all the hard work you’ve done to prepare your tenant and users for this change, and for your part in helping secure our service and your data.

How Will This Change Happen 

Beginning in early January, we will send Message Center posts to affected tenants about 7 days before we make the configuration change to permanently disable Basic auth use for protocols in scope (we are still not touching SMTP, but you should).

Soon after Basic auth is permanently disabled, any clients or apps connecting using Basic auth to one of the affected protocols will receive a bad username/password/HTTP 401 error.

The only remediation for this is to update the client or app or use a different client or app that supports Modern authentication.

Frequently Asked Questions

Why are you making this change?
We’re making this change to protect your tenant and data from the increasing risks associated with Basic auth. The reasons to do this are many.

Wait! I still need to use Basic auth; how can I get it re-enabled in my tenant once it gets disabled in January?
You cannot; it has been permanently disabled. Calling support will not help either, as they cannot re-enable Basic auth for you.

Basic auth got disabled and my email client keeps prompting me for a password…do you have any guidance for me?
Read our blog post: Exchange Online email applications stopped signing in, or keep asking for passwords? Start here.

Where can I read more about this?
You can read our official documentation here.

What happened to the basic authentication self-service re-enablement diagnostic in Microsoft 365 admin center?
Starting in January 2023, we have removed the diagnostic that you could use to re-enable basic authentication in your tenant because we are starting to permanently disable basic authentication in Exchange Online.

Summary

It’s taken more than three years to reach this point, and we know it has taken a lot of effort from customers, partners and developers too. Thank you to everyone who has played their part in helping secure our customers’ data and tenants. Together, we’ve improved security!

The Exchange Team

Updated Jan 01, 2023
Version 3.0

79 Comments

  • Hifni Nazeer - we're not disabling basic for SMTP AUTH just yet, you can keep using basic for the time being. 

    Mahesh15 - time is up. We will be disabling basic for POP and IMAP (and more) in January. 

    madmax786 - somewhat correct - you'll get a 7-day warning. So if you haven't had one yet, you still have (at least) 7 days. 

  • madmax786

    So reading between the lines, there will be 7 days grace ... so shutdown will be from 7 January not 1 January? I inherited a system I am in the process of moving to use OAuth2 ... do I have 7 more days or not (at least, depending on when we are going to be notified?). And I agree with Eric Twilegar ... not everyone had 3 years ... sanctimonious comments from some ppl is not helping.

  • Mahesh15

    Hi everyone,

    Just had one query: we are using Office 365 for email functionalities and using SMTP, IMAP and POP3 in our application and scripts. What will be the timeline for disabling basic auth? As I see from recent dates, it's something around 1 March 2023. Is there an option to avoid this disablement of basic auth for impacted protocols till migration to modern authentication techniques?

  • Eric Twilegar

    This isn't about letting people know. People are using legacy apps that might not be getting many updates. I paid for a product that had this and then someone just decided to take it. I didn't actually find out about it because my IT department was you know gutted by Covid and I don't read MS press releases. If you don't want it for your account go for it, but don't force it on me because you think OAuth is so great. I don't really think OAuth 2.0 is a huge improvement and setting it up is cumbersome to say the least. I'd rather have seen IP whitelisting and other real security vs trying to fix everything with ever more complicated keys. So you have the key and you are in Russia you can still get in? What the heck are we all smoking.

    We are going to work around this with a proxy etc, but honestly I just wish there were real alternatives to Exchange that corporate America would consider, because this is what monopolistic behavior looks like.

  • Hifni Nazeer

    System.Net.Mail.SmtpClient is deprecated, Legacy Applications don't support modern authentication, MailKit doesn't support confidential client authentication; what more solutions do we have to send an email?

  • itkpli To be clear - we are not deprecating protocols, we are deprecating using various protocols with basic auth.

  • itkpli

    Finally! A real milestone!

    The old legacy protocols are overdue for deprecation…

  • RMiller1988

    This will make enabling multi-factor authentication a lot easier by forcing all sign-ins using modern auth and MFA in turn will make phishing attempts less effective.

    https://betterlicenses.com/audit_log, it will give you a quick idea if you still have users on basic auth and how many (might be helpful).

    Thanks to Microsoft for making email a lot more secure

  • You gave people enough time as awareness for this change. No more delay, let it happen 😈. Damned if you do, damned if you don’t.