Basic Authentication and Exchange Online – April 2020 Update
Published Apr 03 2020 09:00 AM

Update: The full timeline for retirement of Basic Authentication in Exchange Online is now published in Basic Authentication Deprecation in Exchange Online – September 2022 Update.

Last year we announced changes to make Exchange Online more secure, and earlier this year we provided some updates on progress.

In response to the COVID-19 crisis, and knowing that priorities have changed for many of our customers, we have decided to postpone disabling Basic Authentication in Exchange Online for those tenants still actively using it until the second half of 2021. We will provide a more precise date when we have a better understanding of the impact of the situation.

We will continue to disable Basic Authentication for newly created tenants by default and begin to disable Basic Authentication in tenants that have no recorded usage starting October 2020. And of course you can start blocking legacy authentication today; you don’t need us to do anything if you want to get started (and you should).

We will also continue to complete the roll-out of OAuth support for POP, IMAP, SMTP AUTH and Remote PowerShell and continue to improve our reporting capabilities. We will publish more details on these as we make progress.

Update: For more news on OAuth support for IMAP and SMTP go here and for POP, go here.

We still intend to move our customers away from Basic Authentication as we still very strongly believe improving security in Exchange Online benefits all of us, and so we’ll announce more accurate timelines for disabling Basic Authentication for tenants with usage at a later date.

 

The Exchange Team

67 Comments
Copper Contributor

Will this extend compatibility with Outlook 2010?

Copper Contributor
Can you provide a timeframe for when you will publish an updated API for PowerShell? I am looking for unattended authentication from PowerShell to query mailboxes and devices in an O365 tenant.
Can you provide us with your interim progress, so we know what to anticipate once it is officially published?
 
This update is nice for customers with simple needs, but the deadline hasn't changed for those of us that need to support both new and existing customers.
Brass Contributor

Any updates on the PowerShell certificate based authentication (CBA)?

@ND_Armand
Office 365 service connectivity support end dates - As of October 13, 2020, connectivity support to Office 365 services (e.g. Exchange Online, SharePoint Online, OneDrive) will require Office 365 ProPlus or nonsubscription versions of Office in mainstream support.
See this: View related timelines on the Office system requirements matrix

Not only will Outlook 2010 be EOS, but so will Outlook 2013.

Steel Contributor

An API alternative to access the reporting web service (e.g. to pull message trace information) would also be pretty important. (The current API supports only basic auth.)

 

PowerShell is no solution for us.

 

Thank you

Copper Contributor

What about the Surface Hub?

Microsoft docs mention creating a device account with ActiveSync authentication.

@The_Exchange_Team  would be nice to see an alternative for this use case.

 

Source: https://docs.microsoft.com/en-us/surface-hub/create-a-device-account-using-office-365

Microsoft

Is there any ETA for IMAP documentation? 
Thanks. 

Microsoft Dynamics 365 Business Central (latest 2020 wave 1 - v16) still supports only SMTP using basic auth :(
This is simple and basic functionality, and even Microsoft products do not support it well...

Hoping to resolve this...

Copper Contributor

Can you clarify that old and new (created after Oct 2020) customers will be able to use password authentication with IMAP until the second half of 2021 or only existing customers currently using it will be able to keep it until then. Does "we have decided to postpone disabling Basic Authentication in Exchange Online for those tenants still actively using it" mean you will remove it from a customer you think doesn't need it and they will have no way to reenable it?

Copper Contributor

Will this affect our MFP machines that scan to email?  They use smtp.office365.com with SMTP Auth (TLS 1.2).

@Dave_Watson and @victorguo  - Check out our PowerShell v2 Module - that's where all of that will be done. https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-admin-improvements-announced-at-m...

We have a blog in the works for an update on that. 

@Joshua_BAnnon - as the blog says "We will publish more details on these as we make progress."

@hkusulja and @Winston310  - SMTP isn't part of this change. Look for separate info on that. Very soon (tomorrow)

@jkemp101 - if we disable it for a customer without signs of usage before the final cut off date, they will be able to re-enable it. Up until the final cut off date. 

 

Copper Contributor

@Dave_Watson, I've just started using the Exchange Online PowerShell V2 Module for my on-premise scheduled scripts in order to use OAuth. I use a service account without MFA so a password hash file can be used, and there's no additional MFA prompt. Once connected you can go about your business with Exchange as normal. This blog provides steps: https://o365reports.com/2019/12/11/connect-exchange-online-powershell-without-basic-authentication/

Copper Contributor

Can we have clarification on the endpoints to which this pertains? EWS? PowerShell? All currently Basic Auth available endpoints?

Copper Contributor

Question: We use SMTP Relay via IIS 6 (via Windows 2012 R2) as we have programs/devices that are outright incompatible with Outlook 365's SMTP requirements.

 

The only option I have with this relay to connect is Basic Authentication or Integrated Windows Authentication. Will this be affected? And if so, any ideas on the workaround/resolution to this?

 

 

Copper Contributor

@Greg Taylor - EXCHANGE So my understanding is that new O365 customers created after October 2020 will have to use OAuth for IMAP because MS will/could disable Basic Authentication and they will not be able to re-enable it. Which means for SaaS companies that provide integrations to O365, they will have to support OAuth by the original October 2020 deadline if they want to be able to support their customers that might have signed up with O365 after October 2020. Does this sound correct? Moving the deadline to 2021 is really just going to help existing customers that are currently using IMAP but integrators still need to meet the Oct 2020 deadline to ensure our systems work with all O365 customers after that deadline.

 

Edit: I misread Greg's response. Looks like we are good until 2021. Thanks @Greg Taylor - EXCHANGE 

@bernardjclark - read the previous blog posts for more info. 

@amcintosh - again, that's SMTP. Look for a post later today about SMTP. 

@jkemp101 - read my previous comment again. We won't fully turn off Basic until the new (date TBD) date arrives. Which is in 2021. Integrators have until the second half of 2021. For new tenants created in which Basic is disabled, the admin will need to enable it if their integrator's solution still uses Basic. 

Copper Contributor

@Greg Taylor - EXCHANGE - I wanted to verify that was still true - that both EWS and PowerShell using Basic Auth will continue to work until 2021H2. I'd also like to confirm that newly created tenants will also have the option to programmatically enable Basic Authentication on EWS and PowerShell endpoints until 2021H2.

@bernardjclark yes, that's correct. 

Copper Contributor

We have automated processes that poll IMAP and POP3. We use both third-party libraries, MAPI, and Outlook 2013 interop for this. We cannot upgrade the Outlook part soon. I read here that modern auth can be enabled in Outlook 2013 by adding registry keys. Is that enough for interops too? For the third-party library part, I am thinking about using another library that supports modern auth. But if we can use a common solution (i.e. certificate auth), I prefer that. How does the certificate-based auth work? Can it be used for both Outlook and third-party libraries and MAPI?

Copper Contributor

@Greg Taylor - EXCHANGE @The_Exchange_Team Please, any update on the documentation for using IMAP with OAuth2 authentication?

Brass Contributor

@The_Exchange_Team we have asked the question and there is no update. What will be the impact to POP3 and IMAP applications if the vendor has not released the fix and we are planning to enable modern authentication?

Copper Contributor

@The_Exchange_Team do MAPI and Outlook 2013 support certificate-based authentication? If I am using a third-party library to read IMAP and POP3 email boxes, how do I use certificate-based auth? Is there any tutorial, etc.? Could you please help?

Copper Contributor

@mbromb, Thank you this is helpful!

 

@Greg Taylor - EXCHANGE, Thank you for this. What was not previously apparent to me is that the new "Connect-ExchangeOnline" call will still support passing in a PSCredential, and this authentication is not considered Basic Auth, but is considered Modern Auth. Thanks!

Copper Contributor

@Greg Taylor - EXCHANGE Just wanted to double-check: Can you verify EWS itself for Office365 will continue to be available for the foreseeable future (at least until second half of 2021) and will not change any behavior? I'm working on moving a custom integration from EWS to Graph API. I wanted to know exactly how much time I have to complete that transition. Thanks!

@office36578_rocks  - enabling MA doesn't disable POP and IMAP Basic. 

@nej_2020 - MAPI in that way does not support CBA. You need to switch to Graph. 

@Dave_Watson - great!

@drehner - EWS is included as a part of this announcement. 

 

Copper Contributor

Currently using POP3 for reading Microsoft mail account mails in my application. How long will POP3 access be available?

Kindly advise which approach we can choose for uninterrupted services.

Copper Contributor

Guess I need to read the docs further, but when turning on MFA, there are 2 well known issues, well 1, 2 is a bit more remote in nature.  First, connecting to PowerShell is a complete fiasco that continually requires reauthentication to some random servers in Germany or something whacky.  For those that have your admin with MFA enabled, you know what I'm talking about, it times out and requires re-authorization often, things just don't work.  This is all over on blogs.  Next, if you happen to be a Skype for Business customer, use a 3rd party hosting company for this, and use Polycom phone with Skype firmware, when you enable MFA, your phone can talk to your Skype server AND the O365 Exchange tenant.  It is a flaw in the Polycom firmware they won't fix.  So, what you get is a constant error, the phone won't connect properly, or it has a red exclamation mark on the top of the screen.  The phone still works, but the split authentication due to MFA, and Polycom, which they refuse to fix the issue, never buying a Polycom phone again BTW, their dev teams refuse to resolve known issues and if they do, it takes them 6mo to a year...anyway, just going out and buying new $500 phones per person isn't an option.  I've tested Yealink T58 phones, they have no problem with this setup.  But, the fix is replacing all phones, or, moving entirely to O365 Skype/Teams for telephony, which is surely what MS wants to happen. Not opposed to this..but now we have a big problem if enhanced security and something as simple as MFA is enabled how it can mess up the organization.  Nonetheless, a bunch of 3rd party apps.  So, at least thanks for now to leaving this thing disabled until we can migrate or get new phones, which during these times, good luck asking for $20K from your CFO for some phone or more depending on your user account.  Thanks

Copper Contributor

@Greg Taylor - EXCHANGE what is the ETA for rolling out OAuth support for IMAP?

 

Thanks.

Copper Contributor

What is the ETA for rolling out OAuth support for POP3?

 

 

 

Copper Contributor

Hello,

Could you please explain what types of authentication will be blocked as a result?

Does it only affect Basic Authentication type? Or will you block any authentication type which uses just username and password for auth (like Digest auth)?

I tried to find the answer in different articles, but I see only designations "Basic authentication" and "Modern authentication".

 

Thanks in advance for your answers.

Copper Contributor

Currently using POP3 for reading Microsoft mail account mails in my application. How long will POP3 access be available?

Kindly advise which approach we can choose for uninterrupted services.

 

Thanks

Brass Contributor

Is there any way to look into sign in logging (Azure AD) to tell if someone is using modern auth while using the active sync protocol.     From my observations the user agent string has a lot more information in it - would this be a method?     Thanks in advance

Copper Contributor

Hi,

 

Can you please give some more insight about what exactly gets blocked? 

 

If I read the following document, can I assume that AllowBasicAuth* is in scope for all protocols as mentioned in the following article?

https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authen...

 

/Kenneth

Copper Contributor

I have a pretty good idea why only 9% of companies have turned off legacy auth and IMHO the slow uptake has nothing to do with Android or iPhone (use Outlook for Android/iOS), organizations holding on to Outlook 10 or some of the other justifications in the forums. I'm all-in and ready to "flip the switch" to make our Exchange Online only tenant (E1) 100% modern auth.  The problem is after reading through a half dozen "the sky is falling--turn off legacy auth or perish!!!!" articles on the techcommunity I still can't find any guidance for actually doing it. Several articles and Identity Secure Score makes the recommendation "Enable policy to block legacy authentication" which would be great if I want to purchase Azure AD Premium P1 (or EM+S or M365) for all my users in order to use Conditional Access. I know AADP1 is great, but I don't have that budget. (BTW, the block legacy authentication policy has been deprecated anyways, so thanks for that.)  Why is there not simply a way to let the administrator disable legacy auth from the Exchange Online (or Azure AD) portal? If you REALLY cared about getting everyone off of legacy auth why isn't "Turn off legacy authentication" a high impact Identity Secure Score choice? The administrator opens it, flips the bit and their tenant is secure.  Either make it simpler to enable or stop pleading for us to make the change but requiring AADP1 subscriptions to make it possible. 

Copper Contributor

I have a question about the documented automatic reauthentication of Outlook, if you enabled OAuth for Exchange.

We had an old tenant where we had to activate this, and the Outlook clients still use basic auth with this tenant.

Maybe that's because the primary Outlook mail account is in a different tenant that already uses OAuth.

How can I force Outlook clients to re-auth to switch to OAuth for all mail accounts where possible?

Brass Contributor

@Kent Compton  oh my gosh, I had not realized the block legacy authentication policy had been deprecated.   We were using that as well as the "Require MFA for admins" conditional policy.  (Using standard Azure Active Directory, not Premium)   I know they came out with Security defaults however, as mentioned in the Microsoft documentation "Security defaults are great for some but many organizations need more flexibility than they offer. For example, many organizations need the ability to exclude specific accounts like their emergency access or break-glass administration accounts from Conditional Access policies requiring multi-factor authentication."  And, in fact, having that emergency access account that does not require MFA is actually recommended, again, by Microsoft itself! 

 

I looked back through the messages in Message Center, and did not find an announcement about deprecating those policies for the non-premium AAD clients.  So that was a surprise.  I guess I have to figure out how this affects us.  

 

That's a huge thing to just take away!  Glad you mentioned that!

 

Copper Contributor

@Kent Compton while there is no GUI, Microsoft has a good document on disabling via PowerShell.

https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authen...
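
The PowerShell route mentioned in the reply above, as an added example that is not part of the thread or of Microsoft's documentation: a staged rollout of an Exchange Online authentication policy that blocks Basic Authentication. The policy names, the contoso.example addresses and the IMAP-only exception for a service mailbox are assumptions for illustration.

```powershell
# Added example. Policy names and all @contoso.example identities are placeholders.
# Requires the Exchange Online PowerShell V2 module and an Exchange admin role.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# 1. A new authentication policy blocks Basic auth for every protocol
#    unless an AllowBasicAuth* switch is given.
New-AuthenticationPolicy -Name "Block Basic Auth"

# 2. Narrow exception for a mailbox whose integration still needs Basic over IMAP.
#    Only IMAP is opened; every other protocol stays blocked.
New-AuthenticationPolicy -Name "Allow Basic IMAP only" -AllowBasicAuthImap

# 3. Pilot the blocking policy on one user before changing the tenant default.
Set-User -Identity pilot.user@contoso.example -AuthenticationPolicy "Block Basic Auth"
#    Invalidate existing refresh tokens so the policy takes effect
#    without waiting for cached tokens to expire.
Set-User -Identity pilot.user@contoso.example `
    -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)

# 4. Pin the exception policy on the service mailbox. A per-user policy
#    takes precedence over the organization default set in step 5.
Set-User -Identity svc-imap@contoso.example -AuthenticationPolicy "Allow Basic IMAP only"

# 5. Make blocking the default for every user without an explicit policy.
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

# 6. Verify: the default policy, what each policy allows,
#    and which users carry an explicit policy.
Get-OrganizationConfig | Format-List DefaultAuthenticationPolicy
Get-AuthenticationPolicy | Format-Table Name, AllowBasicAuth*
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy } |
    Format-Table UserPrincipalName, AuthenticationPolicy
```

Authentication policies are an Exchange Online feature and do not depend on Conditional Access. Review the list of exceptions from step 6 regularly so that temporary IMAP or POP allowances are removed once the integration moves to OAuth.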

Copper Contributor

 

@The_Exchange_Team 

@Greg Taylor - EXCHANGE 

 

We did a POC against Outlook API (https://outlook.office365.com) with OAuth and it works fine.  Is it mandatory to switch to Graph API in the future for this to continue to work or can we stick to Outlook API?

 

 

@nej_2020 - Outlook REST is an older generation API, without any planned feature additions. We strongly recommend that developers use Graph API over Outlook REST if they can. 

Copper Contributor

@The_Exchange_Team 

@Greg Taylor - EXCHANGE 

 

Thanks for the reply.  The OAuth flow for Graph API I was able to find was using Auth Code flow, which is not suitable for us because we want to read emails from background processes.  Could you please point me to some examples that use Client Credentials flow used with Graph API (preferably C# SDK based examples)?

@nej_2020 - we're working on that scenario/flow still. Nothing I can share yet. 

Copper Contributor

@Greg Taylor - EXCHANGE 

Would this affect EWS (Basic Auth) in October 2020? Will it continue to work because Basic Auth won't be disabled until 2021? I think this article needs to be updated if that's the case: https://techcommunity.microsoft.com/t5/exchange-team-blog/upcoming-changes-to-exchange-web-services-...

 

 

@Arjun Tank - thanks for pointing that out. I just added a note to that article. EWS joins the other protocols we're planning to retire in the second half of calendar year 2021. 

Copper Contributor

Hi Community,

1) What do you consider to be an active tenant - postpone disabling Basic Authentication in Exchange Online for those tenants still actively using it until the second half of 2021?

2) Please help me understand this part - begin to disable Basic Authentication in tenants that have no recorded usage starting October 2020? What do you mean with no recorded usage starting October 2020 - until when?

 

Can you please tell how above could affect us, assuming e.g. that we are using service user account and its mailbox (office365) for Jira Service Desk mail channel functionality, and it can happen that this channel is not used that often - would this mean that Microsoft can disable Basic Authentication in tenants that have no recorded usage starting October 2020? Saying that we do not upgrade Jira and start using OAuth support for POP at that time...

 

Thanks in advance! :)

Hey @Bojana_Vasic;

 

1. Active tenants are ones with at least one mailbox per month using Basic Authentication for the specific protocol.

2. No recorded usage indicates that Basic Authentication was not used for a mailbox for the last x months 

 

x is still being determined. Think 1 - 2 months. That's the current thinking. Feedback always welcome.  

Copper Contributor

Thanks a lot for the clarification @Greg Taylor - EXCHANGE.

Does the same apply for MFA as for the Basic Authentication for the specific protocol?

 

Many thanks again! :)

 

Not sure I get the question as MFA!=Basic, but if it's using Basic, it's using Basic. 

Brass Contributor

@Bojana_Vasic

If you are using multi-factor authentication, that implies you are already using modern authentication.  MFA is not possible through basic authentication protocols.  Basic authentication protocols allow for only user/password credentials (thus the insecurity!).  

 

Copper Contributor

Hi,

 

With regard to Microsoft ending the support for Basic Authentication access to Exchange Online APIs for Office 365 customers.

As per these articles:

1. https://developer.microsoft.com/en-us/office/blogs/end-of-support-for-basic-authentication-access-to...

2. https://redmondmag.com/articles/2020/04/03/basic-authentication-exchange-online.aspx

 

We have applications that are connecting to SMTP Servers (via smtp.office365.com port 995) and IMAP servers (outlook.office365.com port 993)

using .NET libraries such as :

1. System.Net.Mail from Microsoft. e.g. SMTPClient

2. MailKit.Net.Imap from MIT. e.g. IMAPClient

 

Does it mean that our applications will have to be migrated to OAuth 2.0?

 

 

Last update: Sep 01 2022 08:12 AM