<LINGO-SUB id="lingo-sub-2111904" slang="en-US">Basic Authentication and Exchange Online – February 2021 Update</LINGO-SUB>
<LINGO-BODY id="lingo-body-2111904" slang="en-US">
<P>We previously <A href="https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-july-update/ba-p/1530163" target="_blank">announced</A> we would begin to disable Basic Auth for five Exchange Online protocols in the second half of 2021. Due to the pandemic and the effect it has on priorities and work patterns, we are announcing some important changes to our plan to disable Basic Auth in Exchange Online. Please read this post carefully, as there’s a lot of detail.</P>
<P>The first change is that until further notice, we will <STRONG>not</STRONG> be disabling Basic Auth for any protocols that your tenant is <STRONG><EM>using</EM></STRONG>. When we resume this program, we will provide a minimum of twelve months' notice before we block the use of Basic Auth on any protocol being used in your tenant.</P>
<P>We <STRONG>will</STRONG> continue with our <A href="https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-april-2020-update/ba-p/1275508" target="_blank">plan</A> to <STRONG>disable Basic Auth for protocols that your tenant is <EM>not</EM> using</STRONG>. Many customers don’t know that unneeded legacy protocols remain enabled in their tenant (<A href="https://docs.microsoft.com/azure/active-directory/fundamentals/concept-fundamentals-security-defaults" target="_self" rel="noopener noreferrer">Security Defaults</A> takes care of this for newly created tenants now). We plan to disable Basic Auth for these unused protocols to prevent potential misuse. We will do this based on examining recorded usage of these protocols by your tenant, and we will send Message Center posts providing 30 days' notice of the change to your tenant. This work will begin in a few months.</P>
<P>The next change to the previously announced plan is that we are adding MAPI, RPC, and Offline Address Book (OAB) to the protocols included in this effort to further enhance data protection.</P>
<P>As clarified in previous blogs, Outlook depends upon Exchange Web Services (EWS) for core features; therefore, tenants using Basic Auth with Outlook must enable Modern Auth before Basic Auth for EWS is disabled. Outlook uses only one type of authentication for all connections to a mailbox, so including these protocols should not adversely affect you. If EWS has Basic Auth disabled, Outlook won’t use Basic Auth for any of the other protocols or endpoints it needs to access.</P>
<P>At this time, we are not including AutoDiscover, another protocol and endpoint used by Outlook. There are two reasons for this. First, AutoDiscover doesn’t provide access to user data; it only provides a pointer to the endpoint that the client should use to access data. Second, as long as a tenant has some EWS or Exchange ActiveSync (EAS) usage, AutoDiscover is necessary for client configuration. Once Basic Auth is disabled for the vast majority of tenants, we’ll consider disabling Basic Auth for AutoDiscover.</P>
<P>Finally, we are aligning our plans with those for SMTP AUTH. We had <A href="https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-july-update/ba-p/1530163" target="_blank">previously announced</A> that we would begin to disable SMTP AUTH for newly created tenants (and have already done so), and that we would expand this to disable SMTP AUTH for tenants who do not use it. We are continuing to do that, but we will include SMTP AUTH in all future communications and Message Center posts to make it easier for you to track the overall plan.</P>
<P>In summary, we have postponed disabling Basic Auth for protocols in active use by your tenant until further notice, but we will continue to disable Basic Auth for any protocols you are not currently using. The overall scope of this change now covers EWS, EAS, POP, IMAP, Remote PowerShell, MAPI, RPC, SMTP AUTH and OAB.</P>
<H2 id="toc-hId--528000738">How Will I Know When My Tenant Is Affected?</H2>
<P>We will publish a major change Message Center post to your tenant 30 days prior to disabling Basic Auth for any protocols in your tenant. Major changes also trigger email notifications. We will also publish a Message Center post when we have made the actual change.</P>
<H2 id="toc-hId-1959512095">What If My Tenant is Using One of These Protocols?</H2>
<P>If your tenant is using any of these protocols in the 30 days prior to us randomly selecting your tenant for potential inclusion, we won’t disable them. Should you find a Message Center post to the contrary, please let us know (details on how to let us know will be in the Message Center post) and we’ll exclude you from the change. You’ll be able to do this right up until we disable these protocols for good (at a future date).</P>
<H2 id="toc-hId-152057632">How Do I Know if My Tenant is Currently Using One of the Impacted Protocols?</H2>
<P>If you aren’t sure if you are using Basic Auth with any of the impacted protocols you can use the Azure AD Sign-In Logs to look at usage in your tenant. Read more about that <A href="https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302" target="_blank">here</A>.</P>
<H2 id="toc-hId--1655396831">What Happens If I Missed the Message Center Post and Need These Protocols Re-Enabled?</H2>
<P>We are building the capability to allow you to re-enable the protocols yourself via Support Central in the Microsoft 365 admin center. If you find yourself in this situation, you’ll be able to request help in the Microsoft 365 admin center, and we’ll allow you to re-enable these protocols until we disable them in the future.</P>
<H2 id="toc-hId-832116002">How Does This Change Affect Authentication Policies?</H2>
<P>The switch we use to disable Basic Auth for unused protocols is not available to tenant admins. You won’t see any changes or additions to your existing authentication policies (if you have any) and our change will take precedence over any policies you might have. We understand this might be a bit confusing, so we wanted to note it here.</P>
<P>We hope this change is good news for those of you who needed more time to complete a transition from Basic Auth.</P>
<P><FONT color="#FF6600">The Exchange Team</FONT></P>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-2120297" slang="en-US">Re: Basic Authentication and Exchange Online – February 2021 Update</LINGO-SUB>
<LINGO-BODY id="lingo-body-2120297" slang="en-US">
<P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/955913" target="_blank">@ERAUGRAD</A></P>
<P>The link Nino shared is not totally the same as it predates the PowerShell EXO v2 module so there wasn't an option to use Modern Auth then, so I opened another below.</P>
<P><A href="https://office365.uservoice.com/forums/264636-general/suggestions/42664198-patch-winrm-so-basic-winrm-athentication-setting-i" target="_blank" rel="noopener noreferrer">https://office365.uservoice.com/forums/264636-general/suggestions/42664198-patch-winrm-so-basic-winrm-athentication-setting-i</A></P>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-2119167" slang="en-US">Re: Basic Authentication and Exchange Online – February 2021 Update</LINGO-SUB>
<LINGO-BODY id="lingo-body-2119167" slang="en-US">
<P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/955913" target="_blank">@ERAUGRAD</A> Here it is: <A href="https://office365.uservoice.com/forums/264636-general/suggestions/20570782-allow-winrm-authentication-other-than-basic-when-c" target="_blank" rel="noopener noreferrer">Allow winrm authentication other than basic when connecting via powershell – Customer Feedback for Microsoft Office 365 (uservoice.com)</A></P>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-2118727" slang="en-US">Re: Basic Authentication and Exchange Online – February 2021 Update</LINGO-SUB>
<LINGO-BODY id="lingo-body-2118727" slang="en-US">
<P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/40284" target="_blank">@Sankarasubramanian Parameswaran</A> - <EM>you</EM> have the ability to enforce Basic Auth in your tenant today, and have done for some considerable time. You don't need to wait for us to block Basic to stop it being used in your tenant, none of that work has gone to waste, far from it, your company is benefitting from it.</P>
<P>We're not turning off Basic for those companies who have chosen to still allow it. Yet. We will, but not just yet.</P>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-2118626" slang="en-US">Re: Basic Authentication and Exchange Online – February 2021 Update</LINGO-SUB>
<LINGO-BODY id="lingo-body-2118626" slang="en-US">
<P>Don't forget <A href="https://azure.microsoft.com/en-us/features/cloud-shell/#overview" target="_blank" rel="noopener noreferrer">Azure Cloud Shell – Browser-Based Command Line | Microsoft Azure</A></P>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-2118621" slang="en-US">Re: Basic Authentication and Exchange Online – February 2021 Update</LINGO-SUB>
<LINGO-BODY id="lingo-body-2118621" slang="en-US">
<P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/5374" target="_blank">@Nino Bilic</A> thanks very much for the response. At least I know now!</P>
<P>The reason for raising it here is I don't think it is a totally separate issue. My limited understanding was the Exchange PowerShell module v2 WinRM workaround was primarily necessary to enable the use of the old commands which still used Exchange PowerShell while enabling modern auth for connection?</P>
<P>Other modules like AzureAD and the MSgraph new EXO commands seem to deal just fine without it. So I would infer it's a problem caused by Modern Auth and not having full MS graph PowerShell commands for Exchange?</P>
<P>I assume it is going to be fixed at some point by either patching WinRM or moving all Exchange commands to MSgraph? I assume either is a big headache and can't be done overnight.</P>
<P>However, the point I was trying to make was that there isn't a great deal of visibility around what path MS is taking to solve the issue long term or what the timescales might be.</P>
<P>If you point me to another location that deals with this then I will happily copy this comment there!</P>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-2118595" slang="en-US">Re: Basic Authentication and Exchange Online – February 2021 Update</LINGO-SUB>
<LINGO-BODY id="lingo-body-2118595" slang="en-US">
<P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/5374" target="_blank">@Nino Bilic</A> Is there a UserVoice so that I can upvote <A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/523460" target="_blank">@PeteMitch99</A>'s comment on WINRMS? Huge pain for our org too.</P>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-2118379" slang="en-US">Re: Basic Authentication and Exchange Online – February 2021 Update</LINGO-SUB>
<LINGO-BODY id="lingo-body-2118379" slang="en-US">
<P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/523460" target="_blank">@PeteMitch99</A> No, this is currently not on the roadmap. There are discussions about it, but nothing is currently committed.</P>
<P>It is best, though, to keep that separate from the subject at hand, because that particular problem is not related to the Basic auth disablement (as you pointed out, OAUTH is used to authenticate to the service in that scenario, it is a local machine requirement).</P>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-2118320" slang="en-US">Re: Basic Authentication and Exchange Online – February 2021 Update</LINGO-SUB>
<LINGO-BODY id="lingo-body-2118320" slang="en-US">
<P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/149115" target="_blank">@Greg Taylor - EXCHANGE</A> Thanks for the update.</P>
<P>Is there any update on patching the WinRM client so that it is no longer necessary to enable WinRM basic authentication to send the OAuth header for the ExchangeOnline PS Module v2 commands?</P>
<P>Because of this continued issue, we have to make company-wide changes to our insight manager policies for WinRM to allow basic authentication just for a couple of Exchange admins.</P>
<P>Is this even on the MS roadmap? Is MS working on a solution to this issue?</P>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-2117730" slang="en-US">Re: Basic Authentication and Exchange Online – February 2021 Update</LINGO-SUB>
<LINGO-BODY id="lingo-body-2117730" slang="en-US">
<P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/324116" target="_blank">@The_Exchange_Team</A> We are tired of Microsoft changing dates, the same thing happened to us. When Microsoft changed the date the vendor will delay the process, now we don't know. If we don't have a date nothing will move. If you are working on Security, you have to be strict on the timeline. You know that user risk, sign-in risk and many features will not work without enforcing. We are not happy with this change and all our work and preparation is wasted.</P>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-2115277" slang="en-US">Re: Basic Authentication and Exchange Online – February 2021 Update</LINGO-SUB>
<LINGO-BODY id="lingo-body-2115277" slang="en-US">
<P>Whereas I normally harp on the <A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/324116" target="_blank">@The_Exchange_Team</A> and have griped in the comments of many announcements, ironically I like this announcement quite a bit. It's going to do a few things that many customers and partners will come to appreciate:</P>
<UL>
<LI>The automatic disablement by Microsoft, along with the Message Center notifications, is going to let customers most easily determine their dependency on Basic/legacy authentication.</LI>
<LI>It'll also just 'take care of it for you' for customers with no dependency on Basic/legacy, but who aren't ready to enable Security Defaults.</LI>
<LI>Give Microsoft more time to develop finer-grained RBAC-like controls for Azure AD/OAuth applications. Right now, particularly for unattended use cases, but even still for semi-interactive/delegated use cases, these applications are difficult to lock down properly. There are only about 12 MS Graph API permissions which can be scoped to individual mailboxes (actually to a mail-enabled security group, via application access policies).</LI>
<LI>Give everyone who needs it more time to learn the new approach (i.e. OAuth grant types, of which there are several, each with their own pros and cons for the many scenarios they could cover).</LI>
</UL>
<P>So, glad to see this one, and thanks. A current state on this grey area is something everyone will appreciate.</P>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-2115208" slang="en-US">Re: Basic Authentication and Exchange Online – February 2021 Update</LINGO-SUB>
<LINGO-BODY id="lingo-body-2115208" slang="en-US">
<P>By when will it be possible to have more fine-grained control to block certain legacy protocols using Azure Conditional Access?</P>
<P>We can only choose between EAS and others, correct? It would be useful to allow discovery protocol while blocking most other legacy protocols using Conditional Access.</P>
<P>Thanks!</P>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-2114877" slang="en-US">Re: Basic Authentication and Exchange Online – February 2021 Update</LINGO-SUB>
<LINGO-BODY id="lingo-body-2114877" slang="en-US">
<P>We block 3rd party apps and we block basic auth in EXO by default but we have to maintain a series of 3rd party apps in our tenant because the business needs them. We had great success with many vendors and internal developers but sadly there are many that take a lot of time to move and without a sense of urgency they will take another year to be ready.</P>
<P>During this time we need to mitigate the risks with conditional access policies, keep pressure on those vendors and have tough discussions with our business. Instead we could be focussing on new innovations like VIVA instead ☺️</P>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-2114871" slang="en-US">Re: Basic Authentication and Exchange Online – February 2021 Update</LINGO-SUB>
<LINGO-BODY id="lingo-body-2114871" slang="en-US">
<P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/193997" target="_blank">@Tonino Bruno</A> if you block Basic including 3P apps as you said, why are you not safe? Because some other tenant didn't? That's not how a multi-tenant service like ours works...</P>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-2114855" slang="en-US">Re: Basic Authentication and Exchange Online – February 2021 Update</LINGO-SUB>
<LINGO-BODY id="lingo-body-2114855" slang="en-US">
<P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/149115" target="_blank">@Greg Taylor - EXCHANGE</A> Outlook POP/IMAP modern authentication for Exchange, Outlook.com, and Gmail but not for Exchange Online? Thunderbird.... I hope you are joking.</P>
<P>As we have a requirement for POP, this is really a HUGE disappointment.</P>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-2114852" slang="en-US">Re: Basic Authentication and Exchange Online – February 2021 Update</LINGO-SUB>
<LINGO-BODY id="lingo-body-2114852" slang="en-US">
<P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/149115" target="_blank">@Greg Taylor - EXCHANGE</A> 2 years in advance notice, and now 2 broken promises with no hard date for when you're going to disable basic authentication. No, Microsoft is not being a leader, it's simply being a follower. Commit to a change and do it, stop going halfway. Just do it.</P>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-2114843" slang="en-US">Re: Basic Authentication and Exchange Online – February 2021 Update</LINGO-SUB>
<LINGO-BODY id="lingo-body-2114843" slang="en-US">
<P>Hi Greg,</P>
<P><SPAN>In my opinion </SPAN><SPAN>it's because of these announcements that vendors are continuing to delay their updates to Modern Auth and cause us to maintain exceptions and be at risk.</SPAN></P>
<P><SPAN>While with the right push those vendors would be doing the right thing and move. We have the capabilities to block it and we do so but we are not safe with those few exceptions still lingering around ...</SPAN></P>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-2114836" slang="en-US">Re: Basic Authentication and Exchange Online – February 2021 Update</LINGO-SUB>
<LINGO-BODY id="lingo-body-2114836" slang="en-US">
<P>I think we proved we're being industry leaders and bold by taking this stand to begin with.</P>
<P>If you read this article and got the sense this showed a lack of commitment maybe I need to go back and add some more !'s. We're serious. We're adding more protocols than we previously had, and we're going to start turning off things customers don't know they left enabled. Then when we think enough customers are ready, we're counting down.</P>
<P>Not committed? I promise you we are, and if any vendor points a customer at this blog saying we're not, to the customer - drop me a line. grtaylor at the place I work.</P>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-2114828" slang="en-US">Re: Basic Authentication and Exchange Online – February 2021 Update</LINGO-SUB>
<LINGO-BODY id="lingo-body-2114828" slang="en-US">
<P>Understood, Greg, but it takes bold moves by industry leaders like Microsoft to persuade vendors to move away from dangerous auth mechanisms.</P>
<P>Sure, you can disable Basic auth in Exchange Online with an authentication policy, but if a vendor only supports Basic auth, they'll tell you to turn it back on. They'll likely point back to this article saying that even Microsoft is not committed to removing it.</P>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-2114823" slang="en-US">Re: Basic Authentication and Exchange Online – February 2021 Update</LINGO-SUB>
<LINGO-BODY id="lingo-body-2114823" slang="en-US">
<P>We're not stopping anyone from blocking Basic Auth to their tenant today. They can, and they should. Tenant admins can enable security defaults and it's done.</P>
<P>We're not backtracking, if anything, by increasing the number of protocols we're covering we're actually doing more in the long term. Timing is the biggest challenge, nothing more. We're lucky enough to have a lot of customers, and it's going to take them a while. We have to balance the security of the data and our customers' ability to access it. It's their data after all.</P>
<P><A href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/955896" target="_blank">@ExchangeOnline</A> - Outlook will not add support for Modern Auth for POP and IMAP. If you are using Outlook, use MAPI/HTTP. If you can't, use OWA. Or use a third party client. Thunderbird supports OAuth for POP and IMAP.</P>
</LINGO-BODY>

<LINGO-SUB id="lingo-sub-2114808" slang="en-US">Re: Basic Authentication and Exchange Online – February 2021 Update</LINGO-SUB>
<LINGO-BODY id="lingo-body-2114808" slang="en-US">
<P>As the others have said. We have worked for nearly two years to push our app developers both internal and external to modern auth. We've put in a tremendous amount of work and now Microsoft is backtracking on this. Yes, we can remove Legacy Auth for our own tenant, but we may now run into third party developers that won't make the leap. We'
ve%20already%20encountered%20a%20few%20in%20our%20last%20group%20of%20accounts%20to%20convert.%3CBR%20%2F%3EMicrosoft%20not%20disabling%20it%20implies%20consent%20to%20use%20and%20will%20result%20in%20third%20party%20developers%20avoiding%20the%20update.%20This%20is%20very%20disappointing%20news.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2114778%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2114778%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F324116%22%20target%3D%22_blank%22%3E%40The_Exchange_Team%3C%2FA%3E%26nbsp%3Bthanks%20for%20the%20update!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20will%20Outlook%20support%20modern%20authentication%20for%20POP%2FIMAP%20for%20Exchange%20Online%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMore%20information%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Ftroubleshoot%2Fadministration%2Fcannot-connect-mailbox-pop-imap-outlook%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ECan't%20connect%20to%20Outlook%20with%20POP%2FIMAP%20and%20Modern%20authentication%20-%20Exchange%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2114299%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2114299%22%20slang%3D%22en-US%22%3E%3CP%3EFor%20more%20then%202%20years%20we%20are%20pushing%20vendors%20and%20our%20developers%20to%20move%20to%20more%20secure%20and%20modern%20authentication%20flows.%20We%20push%20by%20saying%20it's%20the%20whole%20industry%20is%20disabling%20it%20as%20it%20has%20a%20significant%20security%20risk.%20And%20now%20they%20will%20just%20see%20another%20excuse
%20to%20postpone%20and%20this%20time%20it's%20%22until%20further%20notice%22%20%3A(%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20is%20definitely%20not%20helping%20to%20ease%20the%20transition%20in%20my%20opinion.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2114255%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2114255%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20disappointed%20that%20Microsoft%20is%20not%20taking%20a%20stronger%20stance%20against%20basic%20authentication%20and%20disabling%20it%20(excluding%20SMTP)%20outright.%20Microsoft%20should%20have%20given%20a%20firm%20disabling%20date%20and%20disabled%20it%20then.%20Covid%2019%20is%20not%20a%20valid%20reason%20to%20back%20down%20from%20doing%20the%20right%20thing.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2136728%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2136728%22%20slang%3D%22en-US%22%3E%3CP%3EThat%20is%20terrible%20news.%20As%20long%20as%20you%20let%20it%20be%20used%2C%20it%20will%20be%20used.%20Because%20other%20vendors%20will%20say%20%22microsoft%20supports%20this%2C%20so%20it%20cannot%20be%20a%20bad%20practice%22.%20Very%20disappointing.%20By%20introducing%20basic%20auth%20to%20the%20internet%20you%20did%20a%20bad%20thing%20security%20wise%2C%20now%20you%20are%20doing%20even%20worse%20by%20not%20terminating%20it.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2149770%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2149770%22%20slang%3D%22en-US%22%3E%3CP%3EOn%20some%20of%20the%20comments%20here%20saying%20this%20is%20bad%2C%20while%20it's%20understand
able%20the%20desire%20to%20disable%20basic%20auth%20outright%2C%20there%20are%20issues%20for%20many%20developers%20moving%20away%20from%20it.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20particular%20EWS%20applications%20cannot%20always%20move%20to%20using%20OAuth%20because%20this%20requires%26nbsp%3B%3CSTRONG%3Efull_access_as_app%26nbsp%3B%3C%2FSTRONG%3Epermission%20for%20an%20application%20in%20Azure%20AD%20and%20many%20IT%20policies%20will%20block%20this%20as%20it's%20granting%20an%20application%20%3CU%3Efull%20access%3C%2FU%3E%20to%20%3CSTRONG%3EALL%3C%2FSTRONG%3E%20mailboxes.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhile%20Graph%20API%20is%20preferred%20and%20provides%20granular%20mailbox%20permissions%2C%20this%20is%20a%20lot%20of%20time%20and%20investment%20to%20migrate%20to%20Graph%20API%2C%20and%20it%20has%20a%20number%20of%20issues.%20It%20also%20isn't%20support%20on-prem%2C%20so%20developers%20have%20to%20maintain%20both%20an%20EWS%20and%20Graph%20API%20implementation%20to%20support%20both%20on-prem%20and%20online%20installations.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESee%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoftgraph%2Fmicrosoft-graph-docs%2Fissues%2F5659%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ECannot%20segregate%20access%20by%20user%20mailboxes%20using%20EWS%20%C2%B7%20Issue%20%235659%20%C2%B7%20microsoftgraph%2Fmicrosoft-graph-docs%20(github.com)%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2149871%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2149871%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20TJ%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20had%20the%20same%20issue%2C%20but%20recently%20Microsoft%20enabled%20Scoping%20for%20EWS.%20See%26nbsp%3B%3CSPAN%3EMC237454%20for%20more%20info.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26n
bsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2149873%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2149873%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F328935%22%20target%3D%22_blank%22%3E%40tjmoore%3C%2FA%3E%26nbsp%3BFYI%2C%20on%20February%205th%2C%20they%20announced%20support%20for%20EWS%20with%20the%20EXO%20Application%20Access%20Policies.%26nbsp%3B%20This%20means%20your%20concern%20is%20now%20addressed%20and%20you%20can%20now%20narrow%20that%20permission%20down%20to%20mailboxes%20in%20a%20specific%20security%20group.%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdeveloper.microsoft.com%2Fen-us%2Foffice%2Fblogs%2Fapplication-access-policy-support-added-to-exchange-web-services%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdeveloper.microsoft.com%2Fen-us%2Foffice%2Fblogs%2Fapplication-access-policy-support-added-to-exchange-web-services%2F%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2149879%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2149879%22%20slang%3D%22en-US%22%3E%3CP%3EProbably%20good%20to%20note%20that%20there%20is%20a%20limit%20of%20100%20Application%20Access%20policies.%20Really%20hoping%20Microsoft%20will%20increase%20that.%20We%20have%20thousands%20of%20internal%20apps%20and%20given%20the%20nature%20of%20Application%20permissions%2C%20I%20see%20it%20becoming%20a%20problem%20very%20quickly.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2149902%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3C
LINGO-BODY%20id%3D%22lingo-body-2149902%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F64125%22%20target%3D%22_blank%22%3E%40Jeremy%20Bradshaw%3C%2FA%3E%26nbsp%3B-%20That's%20great%20news!%20It%20sounds%20like%20that%20would%20solve%20the%20immediate%20issue%20and%20customers%20can%20be%20assured%20they%20can%20roll%20out%20with%20OAuth%20without%20opening%20up%20wide%20access.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2164094%22%20slang%3D%22en-US%22%3EBetreff%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2164094%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20not%20a%20fan%20of%20disabling%20basic%20SMTP%20AUTH%20via%20a%20kill%20switch.%20so%20many%20printers%20will%20be%20rendered%20completly%20useless.%20At%20least%20allow%20usage%20of%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%3E%3CSPAN%3E%3CSPAN%20class%3D%22hljs-pscommand%22%3ESet-CASMailbox%3C%2FSPAN%3E%3CSPAN%20class%3D%22hljs-parameter%22%3E%20-Identity%3C%2FSPAN%3E%20sean%40contoso.com%3CSPAN%20class%3D%22hljs-parameter%22%3E%20-SmtpClientAuthenticationDisabled%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22hljs-literal%22%3E%24fals%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%3E%3CSPAN%20class%3D%22hljs-literal%22%3Ee%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FPRE%3E%3CP%3Eelse%20legacy%20devices%20won't%20be%20able%20to%20send%20emails.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2164117%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2164117%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F875520%22%20target%3D%22_blank%22%3E%40schmitch%3C%2FA%3E%26nbsp%3B%2Care%20you%20able%20to%20get%20away%20with%20Set-CasMail
box%20to%20set%20client%20SMTP%20submission%20disabled%20to%20true%2C%20on%20all%20the%20mailboxes%20except%20those%20where%20they%20need%20it%2C%20and%20then%20use%20Set-CasMailboxPlan%20to%20make%20it%20disabled%20%3D%20true%20for%20all%20new%20%2Fnewly%20migrated%20mailboxes%3F%3C%2FP%3E%3CP%3EI%20think%20that%20should%20let%20you%20NOT%20disable%20it%20at%20the%20tenant%20level%20while%20still%20having%20it%20disabled%20for%20mostly%20all%20mailboxes%2C%20including%20new%20ones%20going%20forward%2C%20but%20still%20enabled%20for%20the%20ones%20that%20truly%20need%20it.%3C%2FP%3E%3C%2FLINGO-BODY%3E

We previously announced we would begin to disable Basic Auth for five Exchange Online protocols in the second half of 2021. Due to the pandemic and the effect it has on priorities and work patterns, we are announcing some important changes to our plan to disable Basic Auth in Exchange Online. Please read this post carefully, as there’s a lot of detail.

The first change is that until further notice, we will not be disabling Basic Auth for any protocols that your tenant is using. When we resume this program, we will provide a minimum of twelve months' notice before we block the use of Basic Auth on any protocol being used in your tenant.

We will continue with our plan to disable Basic Auth for protocols that your tenant is not using. Many customers don’t know that unneeded legacy protocols remain enabled in their tenant (Security Defaults takes care of this for newly created tenants now). We plan to disable Basic Auth for these unused protocols to prevent potential misuse. We will do this based on examining recorded usage of these protocols by your tenant, and we will send Message Center posts providing 30 days' notice of the change to your tenant. This work will begin in a few months.

The next change to the previously announced plan is that we are adding MAPI, RPC, and Offline Address Book (OAB) to the protocols included in this effort to further enhance data protection.

As clarified in previous blogs, Outlook depends upon Exchange Web Services (EWS) for core features; therefore, tenants using Basic Auth with Outlook must enable Modern Auth before Basic Auth for EWS is disabled. Outlook uses only one type of authentication for all connections to a mailbox, so including these protocols should not adversely affect you. If EWS has Basic Auth disabled, Outlook won’t use Basic Auth for any of the other protocols or endpoints it needs to access.

At this time, we are not including AutoDiscover, another protocol and endpoint used by Outlook. There are two reasons for this. First, AutoDiscover doesn’t provide access to user data; it only provides a pointer to the endpoint that the client should use to access data. Second, as long as a tenant has some EWS or Exchange ActiveSync (EAS) usage, AutoDiscover is necessary for client configuration. Once Basic Auth is disabled for the vast majority of tenants, we’ll consider disabling Basic Auth for AutoDiscover.

Finally, we are aligning our plans with those for SMTP AUTH. We had previously announced that we would begin to disable SMTP AUTH for newly created tenants (and have already done so), and that we would expand this to disable SMTP AUTH for tenants who do not use it. We are continuing to do that, but we will include SMTP AUTH in all future communications and Message Center posts to make it easier for you to track the overall plan.

In summary, we have postponed disabling Basic Auth for protocols in active use by your tenant until further notice, but we will continue to disable Basic Auth for any protocols you are not currently using. The overall scope of this change now covers EWS, EAS, POP, IMAP, Remote PowerShell, MAPI, RPC, SMTP AUTH and OAB.

How Will I Know When My Tenant Is Affected?

We will publish a major change Message Center post to your tenant 30 days prior to disabling Basic Auth for any protocols in your tenant. Major changes also trigger email notifications. We will also publish a Message Center post when we have made the actual change.

What If My Tenant is Using One of These Protocols?

If your tenant is using any of these protocols in the 30 days prior to us randomly selecting your tenant for potential inclusion, we won’t disable them. Should you find a Message Center post to the contrary, please let us know (details on how to let us know will be in the Message Center post) and we’ll exclude you from the change. You’ll be able to do this right up until we disable these protocols for good (at a future date).

How Do I Know if My Tenant is Currently Using One of the Impacted Protocols?

If you aren’t sure whether you are using Basic Auth with any of the impacted protocols, you can use the Azure AD Sign-In Logs to look at usage in your tenant. Read more about that here.
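One way to run that check offline, as an added example (not Microsoft's code): it tallies legacy-client sign-ins per protocol over the last 30 days from a JSON export of the sign-in logs. It assumes the export carries `createdDateTime`, `userPrincipalName`, `clientAppUsed` and `status.errorCode`; the sample records are constructed, and the split into "in use" and "attempted only" (failed sign-ins only) is this example's own distinction, not the criterion Microsoft applies.

```python
import json
from datetime import datetime, timedelta, timezone

# Sign-in log "clientAppUsed" values (lower-cased) -> protocol names used in the post.
# Assumption: your export uses these strings; extend the map if it differs.
CLIENT_APP_TO_PROTOCOL = {
    "exchange web services": "EWS",
    "exchange activesync": "EAS",
    "pop3": "POP",
    "imap4": "IMAP",
    "exchange online powershell": "Remote PowerShell",
    "mapi over http": "MAPI",
    "outlook anywhere (rpc over http)": "RPC",
    "authenticated smtp": "SMTP AUTH",
    "offline address book": "OAB",
}
IN_SCOPE = list(CLIENT_APP_TO_PROTOCOL.values())

# Constructed sample export (not real tenant data).
SAMPLE_EXPORT = """[
  {"createdDateTime": "2021-02-20T08:15:00Z", "userPrincipalName": "alice@contoso.com",
   "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
  {"createdDateTime": "2021-02-21T09:00:00Z", "userPrincipalName": "alice@contoso.com",
   "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
  {"createdDateTime": "2021-02-22T03:30:00Z", "userPrincipalName": "printer@contoso.com",
   "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 0}},
  {"createdDateTime": "2021-02-23T11:45:00Z", "userPrincipalName": "bob@contoso.com",
   "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 50126}},
  {"createdDateTime": "2021-02-24T14:00:00Z", "userPrincipalName": "carol@contoso.com",
   "clientAppUsed": "Browser", "status": {"errorCode": 0}},
  {"createdDateTime": "2021-01-10T07:00:00Z", "userPrincipalName": "dave@contoso.com",
   "clientAppUsed": "POP3", "status": {"errorCode": 0}},
  {"createdDateTime": "2021-02-19T16:20:00Z", "userPrincipalName": "svc@contoso.com",
   "clientAppUsed": "mapi over http", "status": {"errorCode": 0}}
]"""


def parse_time(value):
    """Parse an ISO 8601 UTC timestamp such as 2021-02-20T08:15:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def summarize_basic_auth(records, now, window_days=30):
    """Count successful and failed legacy-client sign-ins per in-scope protocol."""
    cutoff = now - timedelta(days=window_days)
    summary = {p: {"success": 0, "failure": 0, "users": set(), "last_success": None}
               for p in IN_SCOPE}
    for rec in records:
        app = str(rec.get("clientAppUsed") or "").strip().lower()
        protocol = CLIENT_APP_TO_PROTOCOL.get(app)
        if protocol is None:
            continue  # browser and modern clients, AutoDiscover, unknown values
        when = parse_time(rec["createdDateTime"])
        if not (cutoff <= when <= now):
            continue  # outside the 30-day window the post refers to
        entry = summary[protocol]
        if (rec.get("status") or {}).get("errorCode") == 0:
            entry["success"] += 1
            entry["users"].add(rec.get("userPrincipalName", "unknown"))
            if entry["last_success"] is None or when > entry["last_success"]:
                entry["last_success"] = when
        else:
            # A missing or non-zero error code is treated as a failed attempt.
            entry["failure"] += 1
    return summary


def classify(summary):
    """Group protocols: real usage, failed attempts only, or no activity at all."""
    result = {"in_use": [], "attempted_only": [], "no_activity": []}
    for protocol in IN_SCOPE:
        entry = summary[protocol]
        if entry["success"]:
            result["in_use"].append(protocol)
        elif entry["failure"]:
            result["attempted_only"].append(protocol)
        else:
            result["no_activity"].append(protocol)
    return result


if __name__ == "__main__":
    now = datetime(2021, 2, 25, tzinfo=timezone.utc)  # fixed date for the sample
    summary = summarize_basic_auth(json.loads(SAMPLE_EXPORT), now)
    for bucket, protocols in classify(summary).items():
        print(f"{bucket}: {', '.join(protocols) or '-'}")
    for protocol, entry in summary.items():
        if entry["success"]:
            print(protocol, entry["success"], sorted(entry["users"]),
                  entry["last_success"].isoformat())
```

Protocols that land in `attempted_only` deserve a look before anything else: failed legacy sign-ins with no successful ones usually mean nothing legitimate depends on the protocol, so it can be blocked with an authentication policy.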

What Happens If I Missed the Message Center Post and Need These Protocols Re-Enabled?

We are building the capability to allow you to re-enable the protocols yourself via Support Central in the Microsoft 365 admin center. If you find yourself in this situation, you’ll be able to request help in the Microsoft 365 admin center, and we’ll allow you to re-enable these protocols until we disable them in the future.

How Does This Change Affect Authentication Policies?

The switch we use to disable Basic Auth for unused protocols is not available to tenant admins. You won’t see any changes or additions to your existing authentication policies (if you have any) and our change will take precedence over any policies you might have. We understand this might be a bit confusing, so we wanted to note it here.

We hope this change is good news for those of you who needed more time to complete a transition from Basic Auth.

The Exchange Team

38 Comments
Senior Member

I am disappointed that Microsoft is not taking a stronger stance against basic authentication and disabling it (excluding SMTP) outright. Microsoft should have given a firm disabling date and disabled it then. Covid 19 is not a valid reason to back down from doing the right thing. 

Senior Member

For more than 2 years we have been pushing vendors and our developers to move to more secure and modern authentication flows. We push by saying the whole industry is disabling it as it has a significant security risk. And now they will just see another excuse to postpone and this time it's "until further notice" :(

This is definitely not helping to ease the transition in my opinion.

Occasional Visitor

@The_Exchange_Team thanks for the update!

 

When will Outlook support modern authentication for POP/IMAP for Exchange Online?

 

More information: Can't connect to Outlook with POP/IMAP and Modern authentication - Exchange | Microsoft Docs

Visitor

As the others have said. We have worked for nearly two years to push our app developers both internal and external to modern auth. We've put in a tremendous amount of work and now Microsoft is backtracking on this. Yes, we can remove Legacy Auth for our own tenant, but we may now run into third party developers that won't make the leap. We've already encountered a few in our last group of accounts to convert.
Microsoft not disabling it implies consent to use and will result in third party developers avoiding the update. This is very disappointing news. 

We're not stopping anyone from blocking Basic Auth to their tenant today. They can, and they should. Tenant admins can enable security defaults and it's done. 

 

We're not backtracking, if anything, by increasing the number of protocols we're covering we're actually doing more in the long term. Timing is the biggest challenge, nothing more. We're lucky enough to have a lot of customers, and it's going to take them a while. We have to balance the security of the data and our customers' ability to access it. It's their data after all.

@ExchangeOnline - Outlook will not add support for Modern Auth for POP and IMAP. If you are using Outlook, use MAPI/HTTP. If you can't, use OWA. Or use a third party client. Thunderbird supports OAuth for POP and IMAP.  

Understood, Greg, but it takes bold moves by industry leaders like Microsoft to persuade vendors to move away from dangerous auth mechanisms.

 

Sure, you can disable Basic auth in Exchange Online with an authentication policy, but if a vendor only supports Basic auth, they'll tell you to turn it back on. They'll likely point back to this article saying that even Microsoft is not committed to removing it.

I think we proved we're being industry leaders and bold by taking this stand to begin with. 

 

If you read this article and got the sense this showed a lack of commitment maybe I need to go back and add some more !'s. We're serious. We're adding more protocols than we previously had, and we're going to start turning off things customers don't know they left enabled. Then when we think enough customers are ready, we're counting down.

Not committed? I promise you we are, and if any vendor points a customer at this blog saying we're not, to the customer - drop me a line. grtaylor at the place I work. 

Senior Member

Hi Greg,

 

In my opinion it's because of these announcements that vendors are continuing to delay their updates to Modern Auth and cause us to maintain exceptions and be at risk.

While with the right push those vendors would be doing the right thing and move. We have the capabilities to block it and we do so but we are not safe with those few exceptions still lingering around ...

 

 

Senior Member

@Greg Taylor - EXCHANGE 2 years in advance notice, and now 2 broken promises with no hard date for when you're going to disable basic authentication. No, Microsoft is not being a leader, it's simply being a follower. Commit to a change and do it, stop going halfway. Just do it.

Occasional Visitor

@Greg Taylor - EXCHANGE Outlook POP/IMAP modern authentication for Exchange, Outlook.com, and Gmail but not for Exchange Online? Thunderbird.... I hope you are joking.

 

As we have a requirement for POP, this is really a HUGE disappointment.

 

@Tonino Bruno if you block Basic including 3P apps as you said, why are you not safe? Because some other tenant didn't? That's not how a multi-tenant service like ours works... 

Senior Member

We block 3rd party apps and we block basic auth in EXO by default but we have to maintain a series of 3rd party apps in our tenant because the business needs them. We had great success with many vendors and internal developers but sadly there are many that take a lot of time to move and without a sense of urgency they will take another year to be ready.

During this time we need to mitigate the risks with conditional access policies, keep pressure on those vendors and have tough discussions with our business. Instead we could be focussing on new innovations like VIVA instead ☺️

Super Contributor

 

By when will it be possible to have more fine grained control to block certain legacy protocols using Azure Conditional Access?

 

We can only choose between EAS and others, correct? It would be useful to allow discovery protocol while blocking most other legacy protocols using Conditional access.

 

Thanks!

Frequent Contributor

Whereas I normally harp on the @The_Exchange_Team and have griped in the comments of many announcements, ironically I like this announcement quite a bit.  It's going to do a few things that many customers and partners will come to appreciate:

  • The automatic disablement by Microsoft, along with the Message Center notifications, is going to let customers most-easily determine their dependency on Basic/legacy authentication.
  • It'll also just 'take care of it for you' for customers with no dependency on Basic/legacy, but who aren't ready to enable Security Defaults.
  • Give Microsoft more time to develop finer-grained RBAC-like controls for Azure AD/OAuth applications.  Right now, particularly for unattended use cases, but even still for semi-interactive/delegated use cases, these applications are difficult to lock down properly.  There are only about 12 MS Graph API permissions which can be scoped to individual mailboxes (actually to a mail-enabled security group, via application access policies).
  • Give everyone who needs it more time to learn the new approach (i.e. OAuth grant types, which there are several, each with their own pro's and con's for the many scenarios they could cover).

So, glad to see this one, and thanks.  A current state on this grey area is something everyone will appreciate.

Frequent Contributor

@The_Exchange_Team we are tired of Microsoft changing dates; the same thing happened to us. When Microsoft changed the date the vendor will delay the process, now we don't know. If we don't have a date nothing will move. If you are working on security, you have to be strict on the timeline. You know that user risk, sign-in risk and many features will not work without enforcing. We are not happy with this change and all our work and preparation wasted.

Regular Visitor

@Greg Taylor - EXCHANGE  Thanks for the update.

 

Is there any update on patching the WinRM client so that it is no longer necessary to enable WinRM basic authentication to send the OAuth header for the ExchangeOnline PS Module v2 commands?

Because of this continued issue, we have to make company wide changes to our insight manager policies for WinRM to allow basic authentication just for a couple of Exchange admins.

 

Is this even on the MS roadmap? Is MS working on a solution to this issue?

Microsoft

@PeteMitch99 No, this is currently not on the roadmap. There are discussions about it, but nothing is currently committed.

It is best, though, to keep that separate from the subject at hand, because that particular problem is not related to the Basic auth disablement (as you pointed out, OAUTH is used to authenticate to the service in that scenario, it is a local machine requirement).

Visitor

@Nino Bilic  is there a UserVoice so that I can upvote @PeteMitch99 's comment on WINRMS. Huge pain for our org too. 

Regular Visitor

@Nino Bilic thanks very much for the response. At least I know now!

 

The reason for raising it here is I don't think it is a totally separate issue. My limited understanding was the Exchange PowerShell module v2 WinRM workaround was primarily necessary to enable the use of the old commands which still used Exchange PowerShell while enabling modern auth for connection?

Other modules like AzureAD and the MSgraph new EXO commands seem to deal just fine without it. So I would infer it's a problem caused by Modern Auth and not having full MS graph PowerShell commands for Exchange?

 

I assume it is going to be fixed at some point by either patching WinRM or moving all Exchange commands to MSgraph? I assume either is a big headache and can't be done overnight.

 

However, the point I was trying to make was that there isn't a great deal of visibility around what path MS is taking to solve the issue long term or what the timescales might be.

 

If you point me to another location that deals with this then I will happily copy this comment there!

@Sankarasubramanian Parameswaran - you have the ability to enforce Basic Auth in your tenant today, and have done for some considerable time. You don't need to wait for us to block Basic to stop it being used in your tenant, none of that work has gone to waste, far from it, your company is benefitting from it. 

 

We're not turning off Basic for those companies who have chosen to still allow it. Yet. We will, but not just yet. 

Microsoft
Regular Visitor

@ERAUGRAD 

 

The link Nino shared is not totally the same as it predates the PowerShell EXO v2 module so there wasn't an option to use Modern Auth then, so I opened another below.

https://office365.uservoice.com/forums/264636-general/suggestions/42664198-patch-winrm-so-basic-winr...

Contributor

That is terrible news. As long as you let it be used, it will be used. Because other vendors will say "microsoft supports this, so it cannot be a bad practice". Very disappointing. By introducing basic auth to the internet you did a bad thing security wise, now you are doing even worse by not terminating it.

New Contributor

On some of the comments here saying this is bad, while it's understandable the desire to disable basic auth outright, there are issues for many developers moving away from it.

 

In particular EWS applications cannot always move to using OAuth because this requires full_access_as_app permission for an application in Azure AD and many IT policies will block this as it's granting an application full access to ALL mailboxes.

 

While Graph API is preferred and provides granular mailbox permissions, this is a lot of time and investment to migrate to Graph API, and it has a number of issues. It also isn't supported on-prem, so developers have to maintain both an EWS and Graph API implementation to support both on-prem and online installations.

See Cannot segregate access by user mailboxes using EWS · Issue #5659 · microsoftgraph/microsoft-graph-d...

Visitor

Hi TJ,

 

We had the same issue, but recently Microsoft enabled Scoping for EWS. See MC237454 for more info.

 

 

 

Frequent Contributor

@tjmoore FYI, on February 5th, they announced support for EWS with the EXO Application Access Policies.  This means your concern is now addressed and you can now narrow that permission down to mailboxes in a specific security group.

https://developer.microsoft.com/en-us/office/blogs/application-access-policy-support-added-to-exchan...

Visitor

Probably good to note that there is a limit of 100 Application Access policies. Really hoping Microsoft will increase that. We have thousands of internal apps and given the nature of Application permissions, I see it becoming a problem very quickly.

New Contributor

@Jeremy Bradshaw - That's great news! It sounds like that would solve the immediate issue and customers can be assured they can roll out with OAuth without opening up wide access.

Occasional Visitor

I'm not a fan of disabling basic SMTP AUTH via a kill switch. So many printers will be rendered completely useless. At least allow usage of:

Set-CASMailbox -Identity sean@contoso.com -SmtpClientAuthenticationDisabled $false

else legacy devices won't be able to send emails.

Frequent Contributor

@schmitch, are you able to get away with Set-CasMailbox to set client SMTP submission disabled to true, on all the mailboxes except those where they need it, and then use Set-CasMailboxPlan to make it disabled = true for all new/newly migrated mailboxes?

I think that should let you NOT disable it at the tenant level while still having it disabled for mostly all mailboxes, including new ones going forward, but still enabled for the ones that truly need it.

Occasional Visitor

@Jeremy Bradshaw that is what we do/plan; unfortunately new tenants might need to ask support to enable that option. We have customers with tons of Xerox printers, which will probably never support xoauth2. We are also a company that develops software and we are planning to roll out msgraph and xoauth2 later this year in our software, so that they delay it a little bit helps us test it more, but it is a pain in the **bleep** for web applications that also run on premises, because you either need to tell your customers to create an application by themselves or you need to have some kind of proxy to have a static redirect URI.

We only plan to disable SMTP AUTH for customers not using it, and admins will be able to re-enable SMTP AUTH even after we have fully turned off all the others. We know there are many devices out there that cannot be updated. If we (or better yet, you, the admin) turn off SMTP AUTH at the tenant level, you can then re-enable at the user level for the long tail of devices that can only use Basic. 

Senior Member

 

@Jeremy Bradshaw  Are you able to disable SMTP Auth with Set-CASMailboxPlan? I just checked and this is not an option we have available in our tenant? PopEnabled & ImapEnabled exist but not the SMTP protocol, which would have been a nice addition indeed.

 

 

Frequent Contributor

@Tonino Bruno I just checked and confirmed, nope I cannot.  I was hoping, but not in a place to double check when I responded to @schmitch .  But as @Greg Taylor - EXCHANGE stated, you can go about it from the opposite angle - disable at the tenant level, then only enable for the necessary accounts.  So essentially the same result, but not using my hopeful suggestion:).

Visitor

Well, today unfortunately without any notice SMTP Auth was suddenly disabled on tenant level, despite using SMTP AUTH within my tenant.

We didn't receive a major change Message Center 30 days prior. MC237741 was released on 4th of Feb and today is 25th

It's available on Set-CASMailbox (-SmtpClientAuthenticationDisabled). Does it not work as part of Set-CASMailboxPlan then? 

 

@Ala_Aljundi - I very much doubt we did that. If you can DM me your tenant name I'll check into it. 

Not part of CASMailboxPlan, but probably should be.