Basic Authentication and Exchange Online – February 2021 Update

Published Feb 04 2021 09:00 AM 150K Views

Update: For latest information related to basic authentication in Exchange Online, please see Basic Authentication and Exchange Online – September 2021 Update.

We previously announced we would begin to disable Basic Auth for five Exchange Online protocols in the second half of 2021. Due to the pandemic and the effect it has on priorities and work patterns, we are announcing some important changes to our plan to disable Basic Auth in Exchange Online. Please read this post carefully, as there’s a lot of detail.

The first change is that until further notice, we will not be disabling Basic Auth for any protocols that your tenant is using. When we resume this program, we will provide a minimum of twelve months notice before we block the use of Basic Auth on any protocol being used in your tenant.

We will continue with our plan to disable Basic Auth for protocols that your tenant is not using. Many customers don’t know that unneeded legacy protocols remain enabled in their tenant (Security Defaults takes care of this for newly created tenants now). We plan to disable Basic Auth for these unused protocols to prevent potential mis-use. We will do this based on examining recorded usage of these protocols by your tenant, and we will send Message Center posts providing 30 days notice of the change to your tenant. This work will begin in a few months.

The next change to the previously announced plan is that we are adding MAPI, RPC, and Offline Address Book (OAB) to the protocols included in this effort to further enhance data protection.

As clarified in previous blogs, Outlook depends upon Exchange Web Services (EWS) for core features; therefore, tenants using Basic Auth with Outlook must enable Modern Auth before Basic Auth for EWS is disabled. Outlook uses only one type of authentication for all connections to a mailbox, so including these protocols should not adversely affect you. If EWS has Basic Auth disabled, Outlook won’t use Basic Auth for any of the other protocols or endpoints it needs to access.

At this time, we are not including AutoDiscover, another protocol and endpoint used by Outlook. There are two reasons for this. First, AutoDiscover doesn’t provide access to user data; it only provides a pointer to the endpoint that the client should use to access data. Second, as long as a tenant has some EWS or Exchange ActiveSync (EAS) usage, AutoDiscover is necessary for client configuration. Once Basic Auth is disabled for the vast majority of tenants, we’ll consider disabling Basic Auth for AutoDiscover.

Finally, we are aligning our plans with those for SMTP AUTH. We had previously announced that we would begin to disable SMTP AUTH for newly created tenants (and have already done so), and that we would expand this to disable SMTP AUTH for tenants who do not use it. We are continuing to do that, but we will include SMTP AUTH in all future communications and Message Center posts to make it easier for you to track the overall plan.

In summary, we have postponed disabling Basic Auth for protocols in active use by your tenant until further notice, but we will continue to disable Basic Auth for any protocols you are not currently using. The overall scope of this change now covers EWS, EAS, POP, IMAP, Remote PowerShell, MAPI, RPC, SMTP AUTH and OAB.

How Will I Know When My Tenant Is Affected?

We will publish a major change Message Center post to your tenant 30 days prior to disabling Basic Auth for any protocols in your tenant. Major changes also trigger email notifications. We will also publish a Message Center post when we have made the actual change.

What If My Tenant is Using One of These Protocols?

If your tenant is using any of these protocols in the 30 days prior to us randomly selecting your tenant for potential inclusion, we won’t disable them. Should you find a Message Center post to the contrary, please let us know (details on how to let us know will be in the Message Center post) and we’ll exclude you from the change. You’ll be able to do this right up until we disable these protocols for good (at a future date).

How Do I Know if My Tenant is Currently Using One of the Impacted Protocols?

If you aren’t sure if you are using Basic Auth with any of the impacted protocols you can use the Azure AD Sign-In Logs to look at usage in your tenant. Read more about that here.

What Happens If I Missed the Message Center Post and Need These Protocols Re-Enabled?

We are building the capability to allow you to re-enable the protocols yourself via Support Central in the Microsoft 365 admin center. If you find yourself in this situation, you’ll be able to request help in the Microsoft 365 admin center, and we’ll allow you to re-enable these protocols until we disable them in the future.

How Does This Change Affect Authentication Policies?

The switch we use to disable Basic Auth for unused protocols is not available to tenant admins. You won’t see any changes or additions to your existing authentication policies (if you have any) and our change will take precedence over any policies you might have. We understand this might be a bit confusing, so we wanted to note it here.

 

We hope this change is good news for those of you who needed more time to complete a transition from Basic Auth.

 

The Exchange Team

57 Comments
%3CLINGO-SUB%20id%3D%22lingo-sub-2120297%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2120297%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F955913%22%20target%3D%22_blank%22%3E%40ERAUGRAD%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20link%20Nino%20shared%20is%20not%20totally%20the%20same%20as%20it%20predates%20the%20Powershell%20EXO%20v2%20module%20so%20there%20wasn't%20an%20option%20to%20use%20Modern%20Auth%20then%2C%20-%20so%20i%20opened%20another%20below.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Foffice365.uservoice.com%2Fforums%2F264636-general%2Fsuggestions%2F42664198-patch-winrm-so-basic-winrm-athentication-setting-i%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Foffice365.uservoice.com%2Fforums%2F264636-general%2Fsuggestions%2F42664198-patch-winrm-so-basic-winrm-athentication-setting-i%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2119167%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2119167%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F955913%22%20target%3D%22_blank%22%3E%40ERAUGRAD%3C%2FA%3E%26nbsp%3BHere%20it%20is%3A%20%3CA%20href%3D%22https%3A%2F%2Foffice365.uservoice.com%2Fforums%2F264636-general%2Fsuggestions%2F20570782-allow-winrm-authentication-other-than-basic-when-c%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAllow%20winrm%20authentication%20other%20than%20basic%20when%20connecting%20via%20powershell%20%E2%80%93%20Customer%20Feedback%20for%20Microsoft%20Office%20365%20(uservoice.com)%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2118727%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2118727%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F40284%22%20target%3D%22_blank%22%3E%40Sankarasubramanian%20Parameswaran%3C%2FA%3E%26nbsp%3B-%20%3CEM%3Eyou%3C%2FEM%3E%20have%20the%20ability%20to%20enforce%20Basic%20Auth%20in%20your%20tenant%20today%2C%20and%20have%20done%20for%20some%20considerable%20time.%20You%20don't%20need%20to%20wait%20for%20us%20to%20block%20Basic%20to%20stop%20it%20being%20used%20in%20your%20tenant%2C%20none%20of%20that%20work%20has%20gone%20to%20waste%2C%20far%20from%20it%2C%20your%20company%20is%20benefitting%20from%20it.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe're%20not%20turning%20off%20Basic%20for%20those%20companies%20who%20have%20chosen%20to%20still%20allow%20it.%20Yet.%20We%20will%2C%20but%20not%20just%20yet.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2118626%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2118626%22%20slang%3D%22en-US%22%3E%3CP%3EDon't%20forget%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Fen-us%2Ffeatures%2Fcloud-shell%2F%23overview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure%20Cloud%20Shell%20%E2%80%93%20Browser-Based%20Command%20Line%20%7C%20Microsoft%20Azure%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2118621%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2118621%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5374%22%20target%3D%22_blank%22%3E%40Nino%20Bilic%3C%2FA%3E%20thanks%20very%20much%20for%20the%20response.%20At%20least%20I%20know%20now!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20reason%20for%20raising%20it%20here%20is%20i%20don't%20think%20it%20is%20a%20totally%20separate%20issue.%20my%20limited%20understanding%20was%20the%20Exchange%20Powershell%20module%20v2%20WinRM%20workaround%20was%20primary%20necessary%20to%20enable%20the%20use%20of%20the%20old%20commands%20which%20still%20used%20Exchange%20PowerShell%20while%20enabling%20modern%20auth%20for%20connection%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOther%20modules%20like%20AzureAD%20and%20the%20MSgraph%20new%20EXO%20commands%20seem%20to%20deal%20just%20fine%20without%20it.%20So%20I%20would%20infer%20its%20a%20problem%20caused%20by%20Modern%20Auth%20and%20not%20having%20full%20MS%20graph%20PowerShell%20commands%20for%20Exchange%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20assume%20it%20is%20going%20to%20be%20fixed%20at%20some%20point%20by%20either%20patching%20WinRM%20or%20moving%20all%20Exchange%20commands%20to%20MSgraph%3F%20I%20assume%20either%20is%20a%20big%20headache%20and%20can't%20be%20done%20overnight.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHowever%2C%20the%20point%20i%20was%20trying%20to%20make%20was%20that%20there%20isn't%20a%20great%20deal%20of%20visibility%20around%20what%20path%20MS%20is%20taking%20to%20solve%20the%20issue%20long%20term%20or%20what%20the%20timescales%20might%20be.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20you%20point%20me%20to%20another%20location%20that%20deals%20with%20this%20then%20I%20will%20happily%20copy%20this%20comment%20there!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2118595%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2118595%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5374%22%20target%3D%22_blank%22%3E%40Nino%20Bilic%3C%2FA%3E%26nbsp%3B%20is%20there%20a%20UserVoice%20so%20that%20I%20can%20upvote%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F523460%22%20target%3D%22_blank%22%3E%40PeteMitch99%3C%2FA%3E%26nbsp%3B's%20comment%20on%20WINRMS.%20Huge%20pain%20for%20our%20org%20too.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2118379%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2118379%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F523460%22%20target%3D%22_blank%22%3E%40PeteMitch99%3C%2FA%3E%26nbsp%3BNo%2C%20this%20is%20currently%20not%20on%20the%20roadmap.%20There%20are%20discussions%20about%20it%2C%20but%20nothing%20is%20currently%20committed.%3C%2FP%3E%0A%3CP%3EIt%20is%20best%2C%20though%2C%20to%20keep%20that%20separate%20from%20the%20subject%20at%20hand%2C%20because%20that%20particular%20problem%20is%20not%20related%20to%20the%20Basic%20auth%20disablement%20(as%20you%20pointed%20out%2C%20OAUTH%20is%20used%20to%20authenticate%20to%20the%20service%20in%20that%20scenario%2C%20it%20is%20a%20local%20machine%20requirement).%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2118320%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2118320%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F149115%22%20target%3D%22_blank%22%3E%40Greg%20Taylor%20-%20EXCHANGE%3C%2FA%3E%26nbsp%3B%20Thanks%20for%20the%20update.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20any%20update%20on%20for%20patching%20WinRM%20client%20so%20that%20it%20is%20no%20longer%20necessary%20to%20enable%20WinRM%20basic%20authentication%20to%20send%20the%20Oauth%20header%20for%20the%20ExchangeOnline%20PS%20Module%20v2%20commands%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBecause%20of%20this%20continued%20issue%2C%20we%20have%20to%20make%20company%20wide%20changes%20to%20our%20insight%20manager%20policies%20for%20WinRM%20to%20allow%20basic%20authentication%20just%20for%20a%20couple%20of%20Exchange%20admins.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20this%20even%20on%20MS%20roadmap%3F%20Is%20MS%20working%20of%20a%20solution%20to%20this%20issue%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2117730%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2117730%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F324116%22%20target%3D%22_blank%22%3E%40The_Exchange_Team%3C%2FA%3E%26nbsp%3B%20we%20are%20tried%20of%20Microsoft%20changing%20dates%2C%20same%20thing%20happened%20to%20us%20.%20when%20Microsoft%20changed%20the%20date%20the%20vendor%20will%20delay%20the%20process%20now%20we%20dont%20know%20.%20If%20we%20dont%20have%20date%20nothing%20will%20move.%20If%20you%20are%20working%20on%20Security%2C%20you%20have%20to%20be%20strict%20on%20time%20line.%20You%20know%20that%20user%20risk%2Csign%20in%20risk%20and%20many%20features%20will%20not%20work%20without%20enforcing.%20we%20are%20not%20happy%20with%20this%20change%20and%20all%20our%20work%20and%20preparation%20wasted.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2115277%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2115277%22%20slang%3D%22en-US%22%3E%3CP%3EWhereas%20I%20normally%20harp%20on%20the%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F324116%22%20target%3D%22_blank%22%3E%40The_Exchange_Team%3C%2FA%3E%26nbsp%3Band%20have%20griped%20in%20the%20comments%20of%20many%20announcements%2C%20ironically%20I%20like%20this%20announcement%20quite%20a%20bit.%26nbsp%3B%20It's%20going%20to%20do%20a%20few%20things%20that%20many%20customers%20and%20partners%20will%20come%20to%20appreciate%3A%3C%2FP%3E%3CUL%3E%3CLI%3EThe%20automatic%20disablement%20by%20Microsoft%2C%20along%20with%20the%20Message%20Center%20notifications%2C%20is%20going%20to%20let%20customers%20most-easily%20determine%20their%20dependency%20on%20Basic%2Flegacy%20authentication.%3C%2FLI%3E%3CLI%3EIt'll%20also%20just%20'take%20care%20of%20it%20for%20you'%20for%20customers%20with%20no%20dependency%20on%20Basic%2Flegacy%2C%20but%20who%20aren't%20ready%20to%20enable%20Security%20Defaults.%3C%2FLI%3E%3CLI%3EGive%20Microsoft%20more%20time%20to%20develop%20finer-grained%20RBAC-like%20controls%20for%20Azure%20AD%2FOAuth%20applications.%26nbsp%3B%20Right%20now%2C%20particularly%20for%20unattended%20use%20cases%2C%20but%20even%20still%20for%20semi-interactive%2Fdelegated%20use%20cases%2C%20these%20applications%20are%20difficult%20to%20lock%20down%20properly.%26nbsp%3B%20There%20are%20only%20about%2012%20MS%20Graph%20API%20permissions%20which%20can%20be%20scoped%20to%20individual%20mailboxes%20(actually%20to%20a%20mail-enabled%20security%20group%2C%20via%20application%20access%20policies).%3C%2FLI%3E%3CLI%3EGive%20everyone%20who%20needs%20it%20more%20time%20to%20learn%20the%20new%20approach%20(i.e.%20OAuth%20grant%20types%2C%20which%20there%20are%20several%2C%20each%20with%20their%20own%20pro's%20and%20con's%20for%20the%20many%20scenarios%20they%20could%20cover).%3C%2FLI%3E%3C%2FUL%3E%3CP%3ESo%2C%20glad%20to%20see%20this%20one%2C%20and%20thanks.%26nbsp%3B%20A%20current%20state%20on%20this%20grey%20area%20is%20something%20everyone%20will%20appreciate.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2115208%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2115208%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBy%20when%20will%20it%20be%20possible%20to%20have%20more%20fine%20grained%20control%20to%20block%20certain%20legacy%20protocols%20using%20Azure%20Conditional%20Access%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20can%20only%20choose%20between%20EAS%20and%20others%2C%20correct%3F%26nbsp%3BIt%20would%20be%20useful%20to%20allow%20discovery%20protocol%20while%20blocking%20most%20other%20legacy%20protocols%20using%20Conditional%20access.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2114877%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2114877%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20block%203rd%20party%20apps%20and%20we%20block%20basic%20auth%20in%20EXO%20by%20default%20but%20we%20have%20to%20maintain%20a%20series%20of%203rd%20party%20apps%20in%20our%20tenant%20because%20the%20business%20needs%20them.%20We%20had%20great%20success%20with%20many%20vendors%20and%20internal%20developers%20but%20sadly%20there%20are%20many%20that%20take%20a%20lot%20of%20time%20to%20move%20and%20without%20a%20sense%20of%20urgency%20they%20will%20take%20another%20year%20to%20be%20ready.%3C%2FP%3E%3CP%3EDuring%20this%20time%20we%20need%20to%20mitigate%20the%20risks%20with%20conditional%20access%20policies%2C%20keep%20pressure%20on%20those%20vendors%20and%20have%20though%20discussions%20with%20our%20business.%20Instead%20we%20could%20be%20focussing%20on%20new%20innovations%20like%20VIVA%20instead%20%E2%98%BA%EF%B8%8F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2114871%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2114871%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F193997%22%20target%3D%22_blank%22%3E%40Tonino%20Bruno%3C%2FA%3E%26nbsp%3Bif%20you%20block%20Basic%20including%203P%20apps%20as%20you%20said%2C%20why%20are%20you%20not%20safe%3F%20Because%20some%20other%20tenant%20didn't%3F%20That's%20not%20how%20a%20multi-tenant%20service%20like%20ours%20works...%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2114855%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2114855%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F149115%22%20target%3D%22_blank%22%3E%40Greg%20Taylor%20-%20EXCHANGE%3C%2FA%3E%26nbsp%3BOutlook%20POP%2FIMAP%20modern%20authentication%20for%20Exchange%2C%20Outlook.com%2C%20and%20Gmail%20but%20not%20for%20Exchange%20Online%3F%20Thunderbird....%20I%20hope%20you%20are%20joking.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20we%20have%20a%20requirement%20for%20POP%2C%20this%20is%20really%20a%20HUGE%20disappointment.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2114852%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2114852%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F149115%22%20target%3D%22_blank%22%3E%40Greg%20Taylor%20-%20EXCHANGE%3C%2FA%3E%26nbsp%3B2%20years%20in%20advance%20notice%2C%20and%20now%202%20broken%20promises%20with%20no%20hard%20date%20for%20when%20you're%20going%20to%20disable%20basic%20authentication.%20No%20Microsoft%20is%20not%20being%20a%20leader%2C%20it's%20being%20simply%20being%20a%20follower.%20Commit%20to%20a%20change%20and%20do%20it%2C%20stop%20going%20halfway.%20Just%20to%20it.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2114843%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2114843%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Greg%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EIn%20my%20opinion%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3EIts%20because%20of%20these%20announcements%20that%20vendors%20are%20continuing%20to%20delay%20their%20updates%20to%20Modern%20Auth%20and%20cause%20us%20to%20maintain%20exceptions%20and%20be%20at%20risk.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EWhile%20with%20the%20right%20push%20those%20vendors%20would%20be%20doing%20the%20right%20thing%20and%20move.%20We%20have%20the%20capabilities%20to%20block%20it%20and%20we%20do%20so%20but%20we%20are%20not%20safe%20with%20those%20few%20exceptions%20still%20lingering%20around%20...%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2114836%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2114836%22%20slang%3D%22en-US%22%3E%3CP%3EI%20think%20we%20proved%20we're%20being%20industry%20leaders%20and%20bold%20by%20taking%20this%20stand%20to%20begin%20with.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20read%20this%20article%20and%20got%20the%20sense%20this%20showed%20a%20lack%20of%20commitment%20maybe%20I%20need%20to%20go%20back%20and%20add%20some%20more%20!'s.%20We're%20serious.%20We're%20adding%20more%20protocols%20that%20we%20previously%20had%2C%20and%20we're%20going%20to%20start%20turning%20off%20things%20customers%20don't%20know%20they%20left%20enabled.%20Then%20when%20we%20think%20enough%20customers%20are%20ready%2C%20we're%20counting%20down.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENot%20committed%3F%20I%20promise%20you%20we%20are%2C%20and%20if%20any%20vendor%20points%20a%20customer%20at%20this%20blog%20saying%20we're%20not%2C%20to%20the%20customer%20-%20drop%20me%20a%20line.%20grtaylor%20at%20the%20place%20I%20work.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2114828%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2114828%22%20slang%3D%22en-US%22%3E%3CP%3EUnderstood%2C%20Greg%2C%20but%20it%20takes%20bold%20moves%20by%20industry%20leaders%20like%20Microsoft%20to%20persuade%20vendors%20to%20move%20away%20from%20dangerous%20auth%20mechanisms.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESure%2C%20you%20can%20disable%20Basic%20auth%20in%20Exchange%20Online%20with%20an%20authentication%20policy%2C%20but%20if%20a%20vendor%20only%20supports%20Basic%20auth%2C%20they'll%20tell%20you%20to%20turn%20it%20back%20on.%20They'll%20likely%20point%20back%20to%20this%20article%20saying%20that%20even%20Microsoft%20is%20not%20committed%20to%20removing%20it.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2114823%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2114823%22%20slang%3D%22en-US%22%3E%3CP%3EWe're%20not%20stopping%20anyone%20from%20blocking%20Basic%20Auth%20to%20their%20tenant%20today.%20They%20can%2C%20and%20they%20should.%20Tenant%20admins%20can%20enable%20security%20defaults%20and%20it's%20done.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe're%20not%20backtracking%2C%20if%20anything%2C%20by%20increasing%20the%20number%20of%20protocols%20we're%20covering%20we're%20actually%20doing%20more%20in%20the%20long%20term.%20Timing%20is%20the%20biggest%20challenge%2C%20nothing%20more.%20We're%20lucky%20enough%20to%20have%20a%20lot%20of%20customers%2C%20and%20it's%20going%20to%20take%20them%20a%20while.%20We%20have%20to%20balance%20the%20security%20of%20the%20data%20and%20our%20customers%20ability%20to%20access%20it.%20It's%20their%20data%20after%20all.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F955896%22%20target%3D%22_blank%22%3E%40ExchangeOnline%3C%2FA%3E%26nbsp%3B-%20Outlook%20will%20not%20add%20support%20for%20Modern%20Auth%20for%20POP%20and%20IMAP.%20If%20you%20are%20using%20Outlook%2C%20use%20MAPI%2FHTTP.%20If%20you%20can't%2C%20use%20OWA.%20Or%20use%20a%20third%20party%20client.%20Thunderbird%20supports%20OAuth%20for%20POP%20and%20IMAP.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2114808%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2114808%22%20slang%3D%22en-US%22%3E%3CP%3EAs%20the%20others%20have%20said.%20We%20have%20worked%20for%20nearly%20two%20years%20to%20push%20our%20app%20developers%20both%20internal%20and%20external%20to%20modern%20auth.%20We've%20put%20in%20a%20tremendous%20amount%20of%20work%20and%20now%20Microsoft%20is%20backtracking%20on%20this.%20Yes%2C%20we%20can%20remove%20Legacy%20Auth%20for%20our%20own%20tenant%2C%20but%20we%20may%20now%20run%20into%20third%20party%20developers%20that%20won't%20make%20the%20leap.%20We've%20already%20encountered%20a%20few%20in%20our%20last%20group%20of%20accounts%20to%20convert.%3CBR%20%2F%3EMicrosoft%20not%20disabling%20it%20implies%20consent%20to%20use%20and%20will%20result%20in%20third%20party%20developers%20avoiding%20the%20update.%20This%20is%20very%20disappointing%20news.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2114778%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2114778%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F324116%22%20target%3D%22_blank%22%3E%40The_Exchange_Team%3C%2FA%3E%26nbsp%3Bthanks%20for%20the%20update!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20will%20Outlook%20support%20modern%20authentication%20for%20POP%2FIMAP%20for%20Exchange%20Online%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMore%20information%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Ftroubleshoot%2Fadministration%2Fcannot-connect-mailbox-pop-imap-outlook%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ECan't%20connect%20to%20Outlook%20with%20POP%2FIMAP%20and%20Modern%20authentication%20-%20Exchange%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2114299%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2114299%22%20slang%3D%22en-US%22%3E%3CP%3EFor%20more%20then%202%20years%20we%20are%20pushing%20vendors%20and%20our%20developers%20to%20move%20to%20more%20secure%20and%20modern%20authentication%20flows.%20We%20push%20by%20saying%20it's%20the%20whole%20industry%20is%20disabling%20it%20as%20it%20has%20a%20significant%20security%20risk.%20And%20now%20they%20will%20just%20see%20another%20excuse%20to%20postpone%20and%20this%20time%20it's%20%22until%20further%20notice%22%20%3A(%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20is%20definitely%20not%20helping%20to%20ease%20the%20transition%20in%20my%20opinion.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2114255%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2114255%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20disappointed%20that%20Microsoft%20is%20not%20taking%20a%20stronger%20stance%20against%20basic%20authentication%20and%20disabling%20it%20(excluding%20SMTP)%20outright.%20Microsoft%20should%20have%20given%20a%20firm%20disabling%20date%20and%20disabled%20it%20then.%20Covid%2019%20is%20not%20a%20valid%20reason%20to%20back%20down%20from%20doing%20the%20right%20thing.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2136728%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2136728%22%20slang%3D%22en-US%22%3E%3CP%3EThat%20is%20terrible%20news.%20As%20long%20as%20you%20let%20it%20be%20used%2C%20it%20will%20be%20used.%20Because%20other%20vendors%20will%20say%20%22microsoft%20supports%20this%2C%20so%20it%20cannot%20be%20a%20bad%20practice%22.%20Very%20disappointing.%20By%20introducing%20basic%20auth%20to%20the%20internet%20you%20did%20a%20bad%20thing%20security%20wise%2C%20now%20you%20are%20doing%20even%20worse%20by%20not%20terminating%20it.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2149770%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2149770%22%20slang%3D%22en-US%22%3E%3CP%3EOn%20some%20of%20the%20comments%20here%20saying%20this%20is%20bad%2C%20while%20it's%20understandable%20the%20desire%20to%20disable%20basic%20auth%20outright%2C%20there%20are%20issues%20for%20many%20developers%20moving%20away%20from%20it.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20particular%20EWS%20applications%20cannot%20always%20move%20to%20using%20OAuth%20because%20this%20requires%26nbsp%3B%3CSTRONG%3Efull_access_as_app%26nbsp%3B%3C%2FSTRONG%3Epermission%20for%20an%20application%20in%20Azure%20AD%20and%20many%20IT%20policies%20will%20block%20this%20as%20it's%20granting%20an%20application%20%3CU%3Efull%20access%3C%2FU%3E%20to%20%3CSTRONG%3EALL%3C%2FSTRONG%3E%20mailboxes.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhile%20Graph%20API%20is%20preferred%20and%20provides%20granular%20mailbox%20permissions%2C%20this%20is%20a%20lot%20of%20time%20and%20investment%20to%20migrate%20to%20Graph%20API%2C%20and%20it%20has%20a%20number%20of%20issues.%20It%20also%20isn't%20support%20on-prem%2C%20so%20developers%20have%20to%20maintain%20both%20an%20EWS%20and%20Graph%20API%20implementation%20to%20support%20both%20on-prem%20and%20online%20installations.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESee%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoftgraph%2Fmicrosoft-graph-docs%2Fissues%2F5659%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ECannot%20segregate%20access%20by%20user%20mailboxes%20using%20EWS%20%C2%B7%20Issue%20%235659%20%C2%B7%20microsoftgraph%2Fmicrosoft-graph-docs%20(github.com)%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2149871%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2149871%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20TJ%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20had%20the%20same%20issue%2C%20but%20recently%20Microsoft%20enabled%20Scoping%20for%20EWS.%20See%26nbsp%3B%3CSPAN%3EMC237454%20for%20more%20info.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2149873%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2149873%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F328935%22%20target%3D%22_blank%22%3E%40tjmoore%3C%2FA%3E%26nbsp%3BFYI%2C%20on%20February%205th%2C%20they%20announced%20support%20for%20EWS%20with%20the%20EXO%20Application%20Access%20Policies.%26nbsp%3B%20This%20means%20your%20concern%20is%20now%20addressed%20and%20you%20can%20now%20narrow%20that%20permission%20down%20to%20mailboxes%20in%20a%20specific%20security%20group.%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdeveloper.microsoft.com%2Fen-us%2Foffice%2Fblogs%2Fapplication-access-policy-support-added-to-exchange-web-services%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdeveloper.microsoft.com%2Fen-us%2Foffice%2Fblogs%2Fapplication-access-policy-support-added-to-exchange-web-services%2F%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2149879%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2149879%22%20slang%3D%22en-US%22%3E%3CP%3EProbably%20good%20to%20note%20that%20there%20is%20a%20limit%20of%20100%20Application%20Access%20policies.%20Really%20hoping%20Microsoft%20will%20increase%20that.%20We%20have%20thousands%20of%20internal%20apps%20and%20given%20the%20nature%20of%20Application%20permissions%2C%20I%20see%20it%20becoming%20a%20problem%20very%20quickly.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2149902%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2149902%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F64125%22%20target%3D%22_blank%22%3E%40Jeremy%20Bradshaw%3C%2FA%3E%26nbsp%3B-%20That's%20great%20news!%20It%20sounds%20like%20that%20would%20solve%20the%20immediate%20issue%20and%20customers%20can%20be%20assured%20they%20can%20roll%20out%20with%20OAuth%20without%20opening%20up%20wide%20access.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2164094%22%20slang%3D%22en-US%22%3EBetreff%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2164094%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20not%20a%20fan%20of%20disabling%20basic%20SMTP%20AUTH%20via%20a%20kill%20switch.%20so%20many%20printers%20will%20be%20rendered%20completly%20useless.%20At%20least%20allow%20usage%20of%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%3E%3CSPAN%3E%3CSPAN%20class%3D%22hljs-pscommand%22%3ESet-CASMailbox%3C%2FSPAN%3E%3CSPAN%20class%3D%22hljs-parameter%22%3E%20-Identity%3C%2FSPAN%3E%20sean%40contoso.com%3CSPAN%20class%3D%22hljs-parameter%22%3E%20-SmtpClientAuthenticationDisabled%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22hljs-literal%22%3E%24fals%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%3E%3CSPAN%20class%3D%22hljs-literal%22%3Ee%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FPRE%3E%3CP%3Eelse%20legacy%20devices%20won't%20be%20able%20to%20send%20emails.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2164170%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2164170%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F64125%22%20target%3D%22_blank%22%3E%40Jeremy%20Bradshaw%3C%2FA%3Et%20hat%20is%20what%20we%20do%2Fplan%20unfortunatly%20new%20tenants%20might%20need%20to%20ask%20support%2C%20to%20enable%20that%20option.%20we%20have%20customers%20with%20tons%20of%20xerox%20printers%2C%20which%20will%20probably%20never%20support%20xoauth2.%20we%20are%20also%20a%20company%20that%20develops%20software%20and%20we%20are%20planning%20to%20roll%20out%20msgraph%20and%20xoauth2%20later%20this%20year%20in%20our%20software%2C%20so%20that%20they%20delay%20it%20a%20little%20bit%2C%20helps%20us%20testing%20it%20more%2C%20but%20it%20is%20a%20pain%20in%20the%20**bleep**%20for%20web%20applications%20that%20also%20runs%20on%20premise%2C%20because%20you%20either%20need%20to%20tell%20your%20customers%20to%20create%20an%20application%20by%20themself%20or%20you%20need%20to%20have%20some%20kind%20of%20proxy%20to%20have%20a%20static%20redirect%20uri.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2164211%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2164211%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20only%20plan%20to%20disable%20SMTP%20AUTH%20for%20customers%20not%20using%20it%2C%20and%20admins%20will%20be%20able%20to%20re-enable%20SMTP%20AUTH%20even%20after%20we%20have%20fully%20turned%20off%20all%20the%20others.%20We%20know%20there%20are%20many%20devices%20out%20there%20that%20cannot%20be%20updated.%20If%20we%20(or%20better%20yet%2C%20you%2C%20the%20admin)%20turn%20off%20SMTP%20AUTH%20at%20the%20tenant%20level%2C%20you%20can%20then%20re-enable%20at%20the%20user%20level%20for%20the%20long%20tail%20of%20devices%20that%20can%20only%20use%20Basic.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2165620%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2165620%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F64125%22%20target%3D%22_blank%22%3E%40Jeremy%20Bradshaw%3C%2FA%3E%26nbsp%3B%20Are%20you%20able%20to%20disable%20SMTP%20Auth%20with%20Set-CASMailboxPlan%3F%20I%20just%20checked%20and%20this%20is%20not%20an%20option%20we%20have%20available%20in%20our%20tenant%3F%20PopEnabled%20%26amp%3B%20ImapEnabled%20exist%20but%20not%20the%20SMTP%20protocol%2C%20which%20would%20have%20been%20a%20nice%20addition%20indeed.%3C%2FP%3E%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%26nbsp%3B%3C%2FDIV%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2165949%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2165949%22%20slang%3D%22en-US%22%3E%3CP%3Ewell%2C%20today%20unfortunately%20without%20any%20notice%20SMTP%20Auth%20was%20suddenly%20disabled%20on%20tenant%20level.%20despite%20using%20SMTP%20AUTH%20withing%20my%20tenant.%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20didn't%20receive%26nbsp%3B%3CSPAN%3Ea%20major%20change%20Message%20Center%2030%20days%26nbsp%3Bprior.%26nbsp%3BMC237741%20was%20released%20on%204th%20of%20Feb%20and%20today%20is%2025th%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2166012%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2166012%22%20slang%3D%22en-US%22%3E%3CP%3EIt's%20available%20on%20Set-CASMailbox%20(%3CSPAN%3E-SmtpClientAuthenticationDisabled).%20Does%20it%20not%20work%20as%20part%20of%20Set-CASMailboxPlan%20then%3F%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F402655%22%20target%3D%22_blank%22%3E%40Ala_Aljundi%3C%2FA%3E%26nbsp%3B-%20I%20very%20much%20doubt%20we%20did%20that.%20If%20you%20can%20DM%20me%20your%20tenant%20name%20I'll%20check%20into%20it.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2166112%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2166112%22%20slang%3D%22en-US%22%3E%3CP%3ENot%20part%20of%20CASMailboxPlan%2C%20but%20probably%20should%20be.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2203975%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2203975%22%20slang%3D%22en-US%22%3E%3CP%3EI%20was%20wondering%20if%20you%20could%20please%20tell%20me%20if%20a%20certain%20form%20of%20authentication%20is%20classed%20as%20basic%20and%20potentially%20should%20be%20replaced.%20I%20am%20currently%20developing%20an%20Outlook%20add-in%20that%20needs%20to%20save%20the%20emails%20and%20attachments%20of%20clients%20to%20our%20database.%20I've%20used%20the%20Microsoft%20document%20%22Get%20attachments%20of%20an%20Outlook%20item%20from%20the%20server%22%20that%20uses%26nbsp%3BOffice.context.mailbox.getCallbackTokenAsync%20and%26nbsp%3BOffice.context.mailbox.ewsUrl%20to%20get%20a%20valid%20token%20to%20pass%20to%20our%20API.%20The%20API%20then%20coding%26nbsp%3BExchangeService%20service%20%3D%20new%20ExchangeService%2C%20Credentials%20%3D%20new%20OAuthCredentials(request.AttachmentToken)%2C%20Url%20%3D%20new%20Uri(request.EwsUrl).%20Is%20the%20above%20methodology%20classed%20as%20basic%20and%20needs%20updating%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2227689%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2227689%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20very%20happy%20with%20microsoft.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2228777%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2228777%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F64125%22%20target%3D%22_blank%22%3E%40Jeremy%20Bradshaw%3C%2FA%3E%26nbsp%3Bthank%20you%20for%20responding%2C%20that%20was%20the%20answer%20I%20was%20hoping%20for.%20Good%20to%20hear%20that%20I%20can%20still%20use%20the%20EWS%20API%20for%20awhile%20(hopefully%20years)%20as%20I%20tried%20to%20implement%20Microsoft%20Graph%20authentication%20in%20my%20Outlook%20add-in%20on%20desktop%20via%20MSAL%2C%20but%20the%20user%20experience%20wasn't%20great%20with%20all%20the%20Dialog%20boxes%20constantly%20popping%20up.%20I%20couldn't%20use%20SSO%20authentication%20either%20as%20my%20API%20is%20on%20a%20different%20domain%20to%20my%20web.%20I've%20also%20read%20on%20the%20Office-js%20github%20page%20there%20is%20a%20few%20issues%20with%26nbsp%3BOffice.context.auth.getAccessTokenAsync.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2244188%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2244188%22%20slang%3D%22en-US%22%3E%3CP%3Ei%20have%20a%20user%20with%20multiple%20profiles%20on%20outlook%26nbsp%3B%3C%2FP%3E%3CP%3Eon%20multiple%20tenants%26nbsp%3B%3C%2FP%3E%3CP%3Eone%20of%20these%20tenants%20arent%20multifactor%20enabled%26nbsp%3B%3C%2FP%3E%3CP%3Eand%20the%20outllook%20always%20asking%20for%20password%20but%20the%20screen%20dont%20appear%20for%20the%20password%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2245759%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2245759%22%20slang%3D%22en-US%22%3E%3CP%3EOur%26nbsp%3B%3CSPAN%3EOffline%20Address%20Book%20(OAB)%20stopped%20updating%20for%20the%20on-prem%20user%20when%20they%20are%20working%20on%20Cached%20mode%20within%20outlook%20application%20from%2018th%20Feb%2C%20but%20OAB%20is%20updating%20for%20online%20o365%20users%20and%20on-prem%20users%20using%20online%20mode%20along%20with%20OWA.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EJust%20wanted%20to%20know%20if%20this%20plan%20caused%20the%20issue%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EWe%20have%20on-prem%20Exchange%20server%202010.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EPlease%20advise%2C%20as%20it%20is%20affecting%26nbsp%3Balot%20of%20users%20within%20our%20organization.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2247880%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2247880%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F662810%22%20target%3D%22_blank%22%3E%40Abhishekkumar1%3C%2FA%3E%26nbsp%3B-%20no%2C%20nothing%20to%20do%20with%20this.%20This%20is%20an%20on-prem%20issue%20as%20you%20said%2C%20something%20changed%20in%20your%20on-prem%20environment.%20Call%20support%20if%20you%20need%20help.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2251255%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2251255%22%20slang%3D%22en-US%22%3E%3CP%3EHello%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI've%20recently%20been%20granted%20a%20new%20Office%20365%20account%20with%202%20factor%20authentication%20and%20have%20been%20trying%20to%20set%20it%20up%20with%20Thunderbird%20on%20Windows%2010.%20Have%20been%20able%20to%20set%20up%20IMAP%20fine%20including%20logging%20in%2C%20downloading%20email%20and%20having%20Thunderbird%20granted%20access%20as%20a%20trusted%20app%20via%20the%20admin.%20However%20I'm%20having%20problems%20getting%20SMTP%20set%20up%20on%20the%20specified%20settings%3C%2FP%3E%3CP%3E%26nbsp%3B%3CSTRONG%3Esmtp%3C%2FSTRONG%3E%3CSPAN%3E.%3C%2FSPAN%3E%3CSTRONG%3Eoffice365%3C%2FSTRONG%3E%3CSPAN%3E.com%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3EPort%3C%2FSTRONG%3E%3CSPAN%3E%3A%20587%20Encryption%20method%3A%20TLS%20or%20STARTTLS%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EI%20assume%20you%20would%20prefer%20we%20use%20TLS%20as%20it's%20more%20secure.%20You%20don't%20say%20in%20the%20guidance.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EIn%20any%20case%20being%20unable%20to%20get%20SMTP%20configured%20even%20using%20the%20same%20account%20details%20and%20password%20that%20work%20for%20IMAP%20and%20having%20thunderbird%20approved%20as%20a%20trusted%20mail%20client%2C%20it%20still%20doesn't%20work.%20I%20guess%20you've%20done%20a%20proprietary%26nbsp%3Bhack%20for%20Outlook%20clients.%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EI%20asked%20why%20this%20was%20the%20case%20and%20on%20two%20separate%20occasions%26nbsp%3Bgot%20back%20a%20response%20that%20amounted%20to%3A%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%22SMTP%20is%20a%20legacy%20protocol%20that%20is%20blocked%20by%20our%20enhanced%20security%2C%20and%20will%20soon%20be%20blocked%20by%20Microsoft%20in%20any%20event.%20If%20you%20would%20like%20more%20information%20on%20this%2C%20check%20out%20this%20link%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Fbasic-authentication-and-exchange-online-february-2021-update%2Fba-p%2F2111904%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Fbasic-authentication-and-exchange-online-february-2021-update%2Fba-p%2F2111904%22%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWith%20a%20link%20to%20here.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20appreciate%20it's%20been%20a%20while%20since%20I%20completed%20my%20Masters%20thesis%20in%20email%20protocols%2C%20but%20this%20sounds%20rather%20like%20%3CREMOVED%20by%3D%22%22%20profanity%3D%22%22%20filter%3D%22%22%3E%3C%2FREMOVED%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20you%20give%20me%20an%20answer%20why%20this%20appears%20to%20work%20seamlessly%20with%20Outlook%20but%20not%20with%20Open%20source%20email%20clients%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20this%20the%20intended%20solution%3F%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fanswers.microsoft.com%2Fen-us%2Fmsoffice%2Fforum%2Fmsoffice_outlook-mso_other-msoversion_other%2Fthunderbird-can-not-send-email%2Fb6653b44-8852-4aa9-9153-a165c7be983e%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fanswers.microsoft.com%2Fen-us%2Fmsoffice%2Fforum%2Fmsoffice_outlook-mso_other-msoversion_other%2Fthunderbird-can-not-send-email%2Fb6653b44-8852-4aa9-9153-a165c7be983e%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBe%20as%20technical%20as%20you%20like%2C%20but%20be%20accurate.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ethanks%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECraig%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2251278%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2251278%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F659212%22%20target%3D%22_blank%22%3E%40siliconglen%3C%2FA%3E%26nbsp%3Bwhen%20you%20say%20%22Outlook%20works%20seamlessly%22%20are%20you%20saying%20you%20setup%20Outlook%20to%20use%20IMAP%20and%20SMTP%20against%20the%20same%20server%20settings%20and%20it%20works%3F%26nbsp%3B%20If%20not%2C%20then%20FYI%20Outlook%20doesn't%20use%20IMAP%20and%20SMTP%20by%20default%20for%20Exchange%20accounts.%26nbsp%3B%20But%20if%20so%20then%20please%20report%20back%20to%20confirm.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20assumption%20is%20that%20you%20didn't%20realize%20Outlook%20uses%20something%20other%20than%20IMAP%2FSMTP%2C%20and%20basic%20auth%20has%20been%20disabled%20for%20SMTP%20on%20either%20your%20account%20or%20your%20tenant%2C%20and%20that%20is%20why%20Thunderbird%20is%20having%20that%20issue.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2251345%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2251345%22%20slang%3D%22en-US%22%3E%3CP%3EDoes%20this%20also%20mean%20that%20app%20passwords%20wil%20not%20work%20anymore%20to%20download%20mail%20and%20calendar%20in%20iOS%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2280081%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2280081%22%20slang%3D%22en-US%22%3E%3CP%3EDoes%20delegation%20already%20implemented%3F%3CBR%20%2F%3EOur%20admins%20tell%20us%20that%20they%20cant%20register%20Azure%20app%5Cclientid%5Csecret%20%2C%20because%20i%20they%20do%20so%20-%20our%20software%20will%20get%20too%20much%20access%20rights%20for%20exchange%2C%20but%20we%20need%20just%20several%20mailboxes.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2280086%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2280086%22%20slang%3D%22en-US%22%3E%3CP%3EHI%20Andrey%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EApplicationAccessPolicies%20solve%20this%20problem.%20We%20use%20them%20and%20they%20work%20really%20well%20for%20most%20things.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMike%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2280127%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2280127%22%20slang%3D%22en-US%22%3E%3CP%3EAnd%20they%20work%20for%20exchange%20as%20well%3F%20We%20were%20told%20that%20it%20is%20impossible%20for%20now%20to%20limit%20access%20of%20App%20to%20several%20mailboxes.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2280359%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2280359%22%20slang%3D%22en-US%22%3E%3CP%3EApplication%20Access%20Policies%20work%20for%20Exchange%20Web%20Services%20now%20with%20Exchange%20Online%20%2F%20365%2C%20and%20you%20can%20control%20by%20restricting%20to%20only%20specific%20mailboxes%2C%20or%20allow%20all%20except%20specific%20mailboxes.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHowever%20from%20my%20investigations%20I%20could%20not%20see%20a%20way%20to%20limit%20access%20within%20a%20mailbox%2C%20e.g.%20if%20I%20want%20to%20restrict%20a%20mailbox%20to%20read-only.%20While%20there%20are%26nbsp%3BMail.Read%20%2F%20Calendar.Read%20etc%20permissions%2C%20they%20don't%20appear%20to%20work%20with%20EWS.%20I%20still%20needed%20to%20grant%20full_access_as_app%20permission%20for%20my%20application%20else%20EWS%20wouldn't%20work%20at%20all%2C%20but%20the%20Application%20Access%20Policies%20then%20limited%20access%20to%20specific%20mailboxes%2C%20but%20still%20full%20access%20to%20those%20mailboxes.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThat's%20using%20Application%20Permissions.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20can%20use%20Delegate%20Permissions%2C%20in%20which%20case%20you're%20signing%20in%20as%20a%20specific%20user%20and%20permissions%20are%20the%20mailbox%20permissions%20for%20that%20user%20I%20would%20assume.%20That%20requires%20OAuth%20with%20consent%20screen%20sign-in%2C%20which%20is%20no%20use%20for%20the%20application%20I'm%20working%20on%20as%20it's%20an%20unattended%20service%20application.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2280570%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2280570%22%20slang%3D%22en-US%22%3E%3CP%3EYes.%20They%20are%20specific%20to%20Exchange%20Online%20and%20work%20as%20expected.%20You%20can%20limit%20to%20a%20single%20mailbox%20or%20group.%20The%20only%20hole%20in%20the%20system%20is%20that%20it%20has%20to%20be%20a%20Mail%20Enabled%20Security%20Group%20that%20you%20scope%20to.%20(Exclude%20or%20Include)%20That%20prohibits%20the%20use%20of%20Dynamic%20Groups.%20Outside%20of%20that%2C%20it%20works%20great%20and%20now%20even%20works%20on%20EWS%20(since%20February.)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fgraph%2Fauth-limit-mailbox-access%23%3A~%3Atext%3DTo%2520configure%2520an%2520application%2520access%2520policy%2520and%2520limit%2CTest%2520the%2520newly%2520created%2520application%2520access%2520policy.%2520%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EScoping%20application%20permissions%20to%20specific%20Exchange%20Online%20mailboxes%20-%20Microsoft%20Graph%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2228001%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2228001%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F994845%22%20target%3D%22_blank%22%3E%40GreatOfficeAddins%3C%2FA%3E%26nbsp%3Bthe%20info%20you%20provided%20shows%20EWS%20API%20using%20OAuth%20authentication%20and%20therefore%20no%2C%20it%20isn't%20using%20Basic.%26nbsp%3B%20Not%20sure%20if%20you%20already%20would've%20received%20an%20answer%20elsewhere%2Cbut%20didn't%20see%20one%20here.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2251323%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2251323%22%20slang%3D%22en-US%22%3E%3CP%3EI%20logged%20into%20exchange%20and%20granted%20access%20to%20Microsoft%20to%20modify%20the%20app%20settings.%20There%20being%20no%20way%20to%20inspect%20the%20settings%20I%20was%20assuming%20it%20was%20SMTP.%20I'm%20guessing%20now%20it's%20MAPI%2C%20but%20was%20concerned%20about%20the%20zero%20day%20exploits%20earlier%20in%20the%20year.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMail%20collection%20via%20IMAP%2FTLS%20and%20OATH2%20is%20fine.%20Does%20the%20admin%20need%20to%20go%20through%20the%20same%20process%20to%20enable%20SMTP%20the%20same%20as%20IMAP%20as%20there%20seems%20to%20be%20no%20way%20to%20request%20this%3F%26nbsp%3B%20Since%20most%20of%20the%20rest%20of%20the%20world%20uses%20SMTP%20what's%20the%20way%20to%20set%20this%20up%20in%20the%20most%20secure%20way%20with%20exchange%3F%20You're%20really%20going%20to%20block%20SMTP%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2369759%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2369759%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F149115%22%20target%3D%22_blank%22%3E%40Greg%20Taylor%20-%20EXCHANGE%3C%2FA%3E%26nbsp%3B%20Thunderbird%20does%20support%20OAuth%20IMAP%2C%20but%20they%20do%20it%20wrong...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1)%20Their%20Client%20ID%20and%20Secret%20are%20stored%20in%20the%20source%20code%2C%20meaning%20anyone%20can%20impersonate%20TB%20using%20a%20fraudulent%20TB%20app.%3C%2FP%3E%3CP%3E2)%20Their%20AzureAD%20Application%20is%20configured%20as%20a%20Confidential%20Client.%20It%20should%20be%20configured%20as%20a%20Desktop%20Client.%3C%2FP%3E%3CP%3E3)%20RE%3A%20Confidential%20Client%20configuration%2C%20Conditional%20Access%20policies%20%3CU%3E%3CSTRONG%3Edo%20not%20work%3C%2FSTRONG%3E%3C%2FU%3E%26nbsp%3Bwith%20Thunderbird%20configured%20with%20OAuth2%20except%20for%20the%20initial%20authentication.%20Therefore%20admins%20cannot%20restrict%20access%20once%20a%20token%20is%20granted.%20Refresh%20tokens%20survive%20password%20changes%2Fresets%2C%20so%20no%20reauthentication%20prompts.%20The%20only%20way%20to%20get%20a%20reauthentication%20is%20to%20expire%20the%20token.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESuggesting%20Thunderbird%20OAuth2%20is%20not%20a%20real%20good%20solution%20for%20Enterprise.%20I%20have%20many%20Thunderbird%20users%20who%20are%20HEAVILY%20invested%20using%20Basic%20Auth%20IMAP%20right%20now.%20I%20dread%20the%20drop%20dead%20date%20when%20I%20have%20to%20break%20the%20news%20that%20they%20all%20have%20to%20go%20to%20OWA%20or%20Outlook%20because%20TB%20can't%20be%20used.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20you're%20at%20all%20interested%2C%20check%20out%26nbsp%3BCase%20%23s%2021139004%2C%26nbsp%3B22203592%2C%26nbsp%3B120072824001696.%26nbsp%3B%20They%20might%20all%20be%20linked%20up%20somewhere.%20There%20was%20collaboration%20between%20Exchange%20Team%20and%20AzureAD%20Team%20on%20the%20matter%20to%20come%20to%20these%20conclusions.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EJeremy%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2256206%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2256206%22%20slang%3D%22en-US%22%3E%3CP%3EGood%20that%20Basic%20Auth%20will%20be%20intact%20for%20now%20as%20there%20are%20issues%20with%20the%20Powershell%20EXO%20v2%20modules%20(see%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Fmodern-auth-and-unattended-scripts-in-exchange-online-powershell%2Fbc-p%2F2246699%23M30056%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Fmodern-auth-and-unattended-scripts-in-exchange-online-powershell%2Fbc-p%2F2246699%23M30056%3C%2FA%3E).%20Hope%20they%20can%20fix%20things%20so%20we%20can%20say%20goodbye%20to%20basic%20auth.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2164117%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2164117%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F875520%22%20target%3D%22_blank%22%3E%40schmitch%3C%2FA%3E%26nbsp%3B%2Care%20you%20able%20to%20get%20away%20with%20Set-CasMailbox%20to%20set%20client%20SMTP%20submission%20disabled%20to%20true%2C%20on%20all%20the%20mailboxes%20except%20those%20where%20they%20need%20it%2C%20and%20then%20use%20Set-CasMailboxPlan%20to%20make%20it%20disabled%20%3D%20true%20for%20all%20new%20%2Fnewly%20migrated%20mailboxes%3F%3C%2FP%3E%3CP%3EI%20think%20that%20should%20let%20you%20NOT%20disable%20it%20at%20the%20tenant%20level%20while%20still%20having%20it%20disabled%20for%20mostly%20all%20mailboxes%2C%20including%20new%20ones%20going%20forward%2C%20but%20still%20enabled%20for%20the%20ones%20that%20truly%20need%20it.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2165770%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2165770%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F193997%22%20target%3D%22_blank%22%3E%40Tonino%20Bruno%3C%2FA%3E%26nbsp%3BI%20just%20checked%20and%20confirmed%2C%20nope%20I%20cannot.%26nbsp%3B%20I%20was%20hoping%2C%20but%20not%20in%20a%20place%20to%20double%20check%20when%20I%20responded%20to%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F875520%22%20target%3D%22_blank%22%3E%40schmitch%3C%2FA%3E%26nbsp%3B.%26nbsp%3B%20But%20as%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F149115%22%20target%3D%22_blank%22%3E%40Greg%20Taylor%20-%20EXCHANGE%3C%2FA%3E%26nbsp%3Bstated%2C%20you%3CEM%3E%20can%3C%2FEM%3E%20go%20about%20it%20from%20the%20opposite%20angle%20-%20disable%20at%20the%20tenant%20level%2C%20then%20only%20enable%20for%20the%20necessary%20accounts.%26nbsp%3B%20So%20essentially%20the%20same%20result%2C%20but%20not%20using%20my%20hopeful%20suggestion%3A).%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2634599%22%20slang%3D%22en-US%22%3ERe%3A%20Basic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2634599%22%20slang%3D%22en-US%22%3E%3CP%3EWhy%20haven't%20you%20found%20a%20way%20to%20implement%20oauth%20for%20syncing%20from%20other%20mailboxes%20on%20Outlook.com%20instead%20of%20removing%20the%20ability%20to%20collect%20mail%20from%20other%20inboxes.%20This%20is%20really%20an%20unfortunate%20removal%20of%20functionality.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2111904%22%20slang%3D%22en-US%22%3EBasic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20February%202021%20Update%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2111904%22%20slang%3D%22en-US%22%3E%3CP%20style%3D%22background%3A%20%23F0F0F0%3B%20padding%3A%20.5em%3B%20margin%3A%201em%200%201em%200%3B%22%3E%3CFONT%20color%3D%22%23FF0000%22%3E%3CSTRONG%3EUpdate%3A%3C%2FSTRONG%3E%3C%2FFONT%3E%20For%20latest%20information%20related%20to%20basic%20authentication%20in%20Exchange%20Online%2C%20please%20see%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Fbasic-authentication-and-exchange-online-september-2021-update%2Fba-p%2F2772210%22%20target%3D%22_self%22%3EBasic%20Authentication%20and%20Exchange%20Online%20%E2%80%93%20September%202021%20Update%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3EWe%20previously%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Fbasic-authentication-and-exchange-online-july-update%2Fba-p%2F1530163%22%20target%3D%22_blank%22%3Eannounced%3C%2FA%3E%20we%20would%20begin%20to%20disable%20Basic%20Auth%20for%20five%20Exchange%20Online%20protocols%20in%20the%20second%20half%20of%202021.%20Due%20to%20the%20pandemic%20and%20the%20effect%20it%20has%20on%20priorities%20and%20work%20patterns%2C%20we%20are%20announcing%20some%20important%20changes%20to%20our%20plan%20to%20disable%20Basic%20Auth%20in%20Exchange%20Online.%20Please%20read%20this%20post%20carefully%2C%20as%20there%E2%80%99s%20a%20lot%20of%20detail.%3C%2FP%3E%0A%3CP%3EThe%20first%20change%20is%20that%20until%20further%20notice%2C%20we%20will%20%3CSTRONG%3Enot%3C%2FSTRONG%3E%20be%20disabling%20Basic%20Auth%20for%20any%20protocols%20that%20your%20tenant%20is%20%3CSTRONG%3E%3CEM%3Eusing%3C%2FEM%3E%3C%2FSTRONG%3E.%20When%20we%20resume%20this%20program%2C%20we%20will%20provide%20a%20minimum%20of%20twelve%20months%20notice%20before%20we%20block%20the%20use%20of%20Basic%20Auth%20on%20any%20protocol%20being%20used%20in%20your%20tenant.%3C%2FP%3E%0A%3CP%3EWe%20%3CSTRONG%3Ewill%3C%2FSTRONG%3E%20continue%20with%20our%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Fbasic-authentication-and-exchange-online-april-2020-update%2Fba-p%2F1275508%22%20target%3D%22_blank%22%3Eplan%3C%2FA%3E%20to%20%3CSTRONG%3Edisable%20Basic%20Auth%20for%20protocols%20that%20your%20tenant%20is%20%3CEM%3Enot%3C%2FEM%3E%20using%3C%2FSTRONG%3E.%20Many%20customers%20don%E2%80%99t%20know%20that%20unneeded%20legacy%20protocols%20remain%20enabled%20in%20their%20tenant%20(%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Factive-directory%2Ffundamentals%2Fconcept-fundamentals-security-defaults%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3ESecurity%20Defaults%3C%2FA%3E%20takes%20care%20of%20this%20for%20newly%20created%20tenants%20now).%20We%20plan%20to%20disable%20Basic%20Auth%20for%20these%20unused%20protocols%20to%20prevent%20potential%20mis-use.%20We%20will%20do%20this%20based%20on%20examining%20recorded%20usage%20of%20these%20protocols%20by%20your%20tenant%2C%20and%20we%20will%20send%20Message%20Center%20posts%20providing%2030%20days%20notice%20of%20the%20change%20to%20your%20tenant.%20This%20work%20will%20begin%20in%20a%20few%20months.%3C%2FP%3E%0A%3CP%3EThe%20next%20change%20to%20the%20previously%20announced%20plan%20is%20that%20we%20are%20adding%20MAPI%2C%20RPC%2C%20and%20Offline%20Address%20Book%20(OAB)%20to%20the%20protocols%20included%20in%20this%20effort%20to%20further%20enhance%20data%20protection.%3C%2FP%3E%0A%3CP%3EAs%20clarified%20in%20previous%20blogs%2C%20Outlook%20depends%20upon%20Exchange%20Web%20Services%20(EWS)%20for%20core%20features%3B%20therefore%2C%20tenants%20using%20Basic%20Auth%20with%20Outlook%20must%20enable%20Modern%20Auth%20before%20Basic%20Auth%20for%20EWS%20is%20disabled.%20Outlook%20uses%20only%20one%20type%20of%20authentication%20for%20all%20connections%20to%20a%20mailbox%2C%20so%20including%20these%20protocols%20should%20not%20adversely%20affect%20you.%20If%20EWS%20has%20Basic%20Auth%20disabled%2C%20Outlook%20won%E2%80%99t%20use%20Basic%20Auth%20for%20any%20of%20the%20other%20protocols%20or%20endpoints%20it%20needs%20to%20access.%3C%2FP%3E%0A%3CP%3EAt%20this%20time%2C%20we%20are%20not%20including%20AutoDiscover%2C%20another%20protocol%20and%20endpoint%20used%20by%20Outlook.%20There%20are%20two%20reasons%20for%20this.%20First%2C%20AutoDiscover%20doesn%E2%80%99t%20provide%20access%20to%20user%20data%3B%20it%20only%20provides%20a%20pointer%20to%20the%20endpoint%20that%20the%20client%20should%20use%20to%20access%20data.%20Second%2C%20as%20long%20as%20a%20tenant%20has%20some%20EWS%20or%20Exchange%20ActiveSync%20(EAS)%20usage%2C%20AutoDiscover%20is%20necessary%20for%20client%20configuration.%20Once%20Basic%20Auth%20is%20disabled%20for%20the%20vast%20majority%20of%20tenants%2C%20we%E2%80%99ll%20consider%20disabling%20Basic%20Auth%20for%20AutoDiscover.%3C%2FP%3E%0A%3CP%3EFinally%2C%20we%20are%20aligning%20our%20plans%20with%20those%20for%20SMTP%20AUTH.%20We%20had%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Fbasic-authentication-and-exchange-online-july-update%2Fba-p%2F1530163%22%20target%3D%22_blank%22%3Epreviously%20announced%3C%2FA%3E%20that%20we%20would%20begin%20to%20disable%20SMTP%20AUTH%20for%20newly%20created%20tenants%20(and%20have%20already%20done%20so)%2C%20and%20that%20we%20would%20expand%20this%20to%20disable%20SMTP%20AUTH%20for%20tenants%20who%20do%20not%20use%20it.%20We%20are%20continuing%20to%20do%20that%2C%20but%20we%20will%20include%20SMTP%20AUTH%20in%20all%20future%20communications%20and%20Message%20Center%20posts%20to%20make%20it%20easier%20for%20you%20to%20track%20the%20overall%20plan.%3C%2FP%3E%0A%3CP%3EIn%20summary%2C%20we%20have%20postponed%20disabling%20Basic%20Auth%20for%20protocols%20in%20active%20use%20by%20your%20tenant%20until%20further%20notice%2C%20but%20we%20will%20continue%20to%20disable%20Basic%20Auth%20for%20any%20protocols%20you%20are%20not%20currently%20using.%20The%20overall%20scope%20of%20this%20change%20now%20covers%20EWS%2C%20EAS%2C%20POP%2C%20IMAP%2C%20Remote%20PowerShell%2C%20MAPI%2C%20RPC%2C%20SMTP%20AUTH%20and%20OAB.%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--528000738%22%20id%3D%22toc-hId--526994411%22%3EHow%20Will%20I%20Know%20When%20My%20Tenant%20Is%20Affected%3F%3C%2FH2%3E%0A%3CP%3EWe%20will%20publish%20a%20major%20change%20Message%20Center%20post%20to%20your%20tenant%2030%20days%20prior%20to%20disabling%20Basic%20Auth%20for%20any%20protocols%20in%20your%20tenant.%20Major%20changes%20also%20trigger%20email%20notifications.%20We%20will%20also%20publish%20a%20Message%20Center%20post%20when%20we%20have%20made%20the%20actual%20change.%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1959512095%22%20id%3D%22toc-hId-1960518422%22%3EWhat%20If%20My%20Tenant%20is%20Using%20One%20of%20These%20Protocols%3F%3C%2FH2%3E%0A%3CP%3EIf%20your%20tenant%20is%20using%20any%20of%20these%20protocols%20in%20the%2030%20days%20prior%20to%20us%20randomly%20selecting%20your%20tenant%20for%20potential%20inclusion%2C%20we%20won%E2%80%99t%20disable%20them.%20Should%20you%20find%20a%20Message%20Center%20post%20to%20the%20contrary%2C%20please%20let%20us%20know%20(details%20on%20how%20to%20let%20us%20know%20will%20be%20in%20the%20Message%20Center%20post)%20and%20we%E2%80%99ll%20exclude%20you%20from%20the%20change.%20You%E2%80%99ll%20be%20able%20to%20do%20this%20right%20up%20until%20we%20disable%20these%20protocols%20for%20good%20(at%20a%20future%20date).%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-152057632%22%20id%3D%22toc-hId-153063959%22%3EHow%20Do%20I%20Know%20if%20My%20Tenant%20is%20Currently%20Using%20One%20of%20the%20Impacted%20Protocols%3F%3C%2FH2%3E%0A%3CP%3EIf%20you%20aren%E2%80%99t%20sure%20if%20you%20are%20using%20Basic%20Auth%20with%20any%20of%20the%20impacted%20protocols%20you%20can%20use%20the%20Azure%20AD%20Sign-In%20Logs%20to%20look%20at%20usage%20in%20your%20tenant.%20Read%20more%20about%20that%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-active-directory-identity%2Fnew-tools-to-block-legacy-authentication-in-your-organization%2Fba-p%2F1225302%22%20target%3D%22_blank%22%3Ehere%3C%2FA%3E.%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1655396831%22%20id%3D%22toc-hId--1654390504%22%3EWhat%20Happens%20If%20I%20Missed%20the%20Message%20Center%20Post%20and%20Need%20These%20Protocols%20Re-Enabled%3F%3C%2FH2%3E%0A%3CP%3EWe%20are%20building%20the%20capability%20to%20allow%20you%20to%20re-enable%20the%20protocols%20yourself%20via%20Support%20Central%20in%20the%20Microsoft%20365%20admin%20center.%20If%20you%20find%20yourself%20in%20this%20situation%2C%20you%E2%80%99ll%20be%20able%20to%20request%20help%20in%20the%20Microsoft%20365%20admin%20center%2C%20and%20we%E2%80%99ll%20allow%20you%20to%20re-enable%20these%20protocols%20until%20we%20disable%20them%20in%20the%20future.%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-832116002%22%20id%3D%22toc-hId-833122329%22%3EHow%20Does%20This%20Change%20Affect%20Authentication%20Policies%3F%3C%2FH2%3E%0A%3CP%3EThe%20switch%20we%20use%20to%20disable%20Basic%20Auth%20for%20unused%20protocols%20is%20not%20available%20to%20tenant%20admins.%20You%20won%E2%80%99t%20see%20any%20changes%20or%20additions%20to%20your%20existing%20authentication%20policies%20(if%20you%20have%20any)%20and%20our%20change%20will%20take%20precedence%20over%20any%20policies%20you%20might%20have.%20We%20understand%20this%20might%20be%20a%20bit%20confusing%2C%20so%20we%20wanted%20to%20note%20it%20here.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20hope%20this%20change%20is%20good%20news%20for%20those%20of%20you%20who%20needed%20more%20time%20to%20complete%20a%20transition%20from%20Basic%20Auth.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20color%3D%22%23FF6600%22%3EThe%20Exchange%20Team%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2111904%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20previously%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Fbasic-authentication-and-exchange-online-july-update%2Fba-p%2F1530163%22%20target%3D%22_blank%22%3Eannounced%3C%2FA%3E%20we%20would%20begin%20to%20disable%20Basic%20Auth%20for%20five%20Exchange%20Online%20protocols%20in%20the%20second%20half%20of%202021.%20we%20are%20announcing%20some%20important%20changes%20to%20our%20plan%20to%20disable%20Basic%20Auth%20in%20Exchange%20Online.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2111904%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdministration%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAll%20Posts%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAnnouncements%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%20Online%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Co-Authors
Version history
Last update:
‎Sep 24 2021 07:43 AM
Updated by: