Basic Authentication and Exchange Online – July Update
Published Jul 28 2020 03:16 PM 132K Views

Update: The full timeline for retirement of Basic Authentication in Exchange Online is now published in Basic Authentication Deprecation in Exchange Online – September 2022 Update.

Today we are pleased to announce some new changes to Modern Authentication controls in the Microsoft 365 Admin Center, exposing simpler options for customers to manage both Modern and Basic Authentication requirements within their organizations.  Available from within the Admin Center under Settings > Org Settings > Modern Authentication (alternatively, search for “Modern Authentication” in portal Home page Search field), customers may now quickly designate the protocols in their tenant that no longer require Basic Authentication to be enabled.

While additional granularity is available through PowerShell, once Modern Authentication is enabled these new UI options will provide Administrators simpler controls to manage Basic Authentication access to common protocol combinations.  These new changes, rolling out to all tenants, align with our entry from the M365 Roadmap.


Behind the scenes, these new Modern Auth UI options utilize Authentication Policies.  For customers that have not created their own Authentication Policies in the past, modifying any of these selections in the new UI (POP3 in the example below) will automatically create the first new Authentication Policy. This policy is visible only through PowerShell.  For advanced customers that may already be utilizing Authentication Policies, changes within the UI will modify their existing default policy.  You’ll want to look through your Azure AD Sign-in logs to get a good idea of which protocols clients are using before making any changes.


Additional Information
We realize there may be some confusion around different efforts Microsoft is making to provide more secure environments for our customers.  The easiest answer for customers who aren’t using Basic Authentication, and don’t have a complicated auth story, is to enable Security Defaults.  Otherwise, while the below isn’t an exhaustive list, we thought it would be a good idea to try to cover a few additional details here. 

Modern vs. Basic Authentication:  Hopefully by now we don’t need to expand upon the virtues of Modern Authentication.  Enabled by default for all new tenants since August 1, 2017, Modern Auth is the superior alternative for all users and applications connecting to Office 365.  If you haven’t turned Modern Authentication on yet we certainly recommend it.  Just be aware this switch affects all the Outlook for Windows clients in your entire tenant, so make sure you are clear on how it may affect your users.

Security Defaults (for organizations without Azure AD Premium licenses):  If your tenant was created on or after October 22, 2019, it is possible that Security Defaults are already enabled in your tenant. In an effort to provide basic level of security, Security Defaults are being rolled out to all newly created tenants.  Security Defaults block all Legacy/Basic Authentication and enable Modern/Multi-Factor Authentication for all users.  We should clarify that Security Defaults are typically tailored for new customers or those who are new to managing their own security story.  While the end results are similar, Security Defaults do not utilize Exchange Authentication Policies under the hood.  Thus, to prevent overlap and confusion, we restrict the combination of these controls in the new Modern Auth UI.  If Security Defaults are enabled in the organization, administrators attempting to use new Modern Auth UI will be presented with the following text.  (You should disable Security Defaults only if you understand the risks of using Basic Authentication.)


Conditional Access (for organizations with Azure AD Premium licenses): If you tenant is licensed with Azure AD Premium or EMS licenses then you will be able to block legacy/basic authentication using Conditional Access for a set or all users in your organization. For more information see: How to: Block legacy authentication to Azure AD with Conditional Access.

Authentication Policies  As announced last year, the Exchange Team is planning to disable Basic Authentication for the EAS, EWS, POP, IMAP, and RPS protocols in the second half of 2021. As a point of clarity, Security Defaults and Authentication Policies are separate, but provide complementary features. We recommend that customers use Authentication Policies to turn off Basic Authentication for a subset of Exchange Online protocols or to gradually turn off Basic Authentication across a large organization. While more details will come in future announcements, as mentioned in April, we plan to begin disabling Basic Authentication in existing tenants with no recorded usage as early as October 2020.  We will provide notifications via Message Center posts before we disable Basic Authentication for any tenant.

Client SMTP Submission (SMTP AUTH)While SMTP AUTH Basic Authentication will not be deprecated, the use of Basic Authentication within SMTP AUTH is still considered insecure.  There are multiple initiatives for SMTP AUTH that are worth calling out, and administrators should have familiarity with each of these:

  • As announced in April, we have additionally disabled SMTP AUTH for all new Office 365 tenants by utilizing the SmtpClientAuthenticationDisabled parameter, and we’ll be expanding this effort over the next several months.  If your tenant doesn’t need to use SMTP AUTH at all, this option allows the granularity to disable SMTP Auth for individual users via Set-CASMailbox or Set-TranportConfig for tenants.  Read more here.
  • For customers that still require SMTP AUTH, we’ve got you covered, with new options for implementing OAuth 2.0 for client applications. After updating your SMTP AUTH clients, please make sure you block legacy authentication methods via one of the following:
  • Security Defaults (which as mentioned covers all protocols including SMTP AUTH) if enabled will block Basic Authentication access to SMTP AUTH for all end users within a tenant.  Security Defaults is being rolled out as default for all new tenants and is the recommended action if it works for your organization.
  • Authentication Policies, either via PowerShell or the new UI announced here today, can also block Basic Authentication access to SMTP AUTH for all or groups of users. 

Exchange Online PowerShell:  As we announced recently, Exchange Online PowerShell V2 module is now fully released and this is what you should use to connect using Modern Authentication. We have also recently announced the preview program which will allow you to run PowerShell scripts with Modern Authentication (using certificates).

If you have any feedback, please let us know in the comments below.

The Exchange Team

Copper Contributor

Great summary!, is there any plans to build a SMTP client that supports Modern Auth, something like Send-MailMessage? And will IIS SMTP Service also provide support for Modern Auth at some point? We have quite a number of IIS SMTP Instances around the global using basic auth to relay mails for internal applications, printers and other devices.

Brass Contributor

How about creating a specific web page showng all the information/updates/guidelines about moving from basic auth to modern auth?

These topics are already discussed in this Exchange Team Blog. But I realize that they are too scattered across multiple blogs and I have to go back and forth to have an overview on this matter.

we like to enable Modern authentication Only for Teams. Do you have the option

@The_Exchange_Team Please let us know when it will be pushed to the tenant. Still not available in our tenant. we have started deploying Teams and but that will be the good candidate to test with if we enable modern authentication only for Teams

Copper Contributor

Two questions here.


1. What happens if Authentication Polices are in use, but there is no default policy set?

2. How does this tie in with using Conditional Access Policies in Azure to block Basic Authentication?


I agree with @victorguo in creating a single page with the latest information on Modern Authentication, especially around the best way to disable it. There are multiple conflicting options to choose from and it is difficult to know which is best/preferred. For example, I have one tenant that uses Conditional Access Policies (because this seemed like the best way to do it from the documentation) and another that uses Authentication Policies (because they don't have Azure AD P1/P2 licenses).


Thanks for your consideration.

Copper Contributor



There are issues with the OAuth V2 protocol with personal accounts ( / when using the EWS API.

It seems like the access_token is not a valid JWT token as it should be, see here.


There is an active issue on GitHub since last year:


I don't understand how this migration will work if the protocol does not yet support for personal accounts.

BTW - The official Microsoft Outlook email client is still using Basic Authentication with personal accounts.


To be clear, it does works with an Office365 account but not with accounts.


I hope to get an official answer to this issue.




Hi @Tonino Bruno,


There are no plans to create a Modern Auth command line-based SMTP Client.

Regarding, Windows SMTP Server on IIS, that product has been deprecated since Windows Server 2012 R2 and there has been no development on it for almost that long. It is being removed from future versions of Windows Server FYI.  



@victorguo This is something we have discussed and are considering.  Thank you for the feedback.


@Sankarasubramanian Parameswaran This new UI should be enabled for your tenant.  Teams utilizes Modern Authentication by default, but if you have a need to disable it for just Exchange you can do that from our new UI, though we certainly wouldn't recommend it.



- If your get-organizationconfig does not have a Default Authentication Policy defined, toggling and saving the options within the new UI will create a new default policy.

- When looking at Authentication Policies versus Conditional Access, you should consider these as complementary, although there is some overlap. Authentication Policies will block requests (for users we know) during the initial connection to Exchange Online, and before they reach Azure AD or your on-premises IdP. The benefit of this approach is that brute force or password spray attacks never reach the iDP.  Take a look at the diagrams and workflows here.  For customers utilizing Conditional Access, it provides exceptional control for those authentication requests that do make it beyond Exchange and into the organization. 

Copper Contributor

Hi, @Sean_Stevenson 


We are software developer and we are using some of the "web service (ASMX)" to work with the SharePoint service for my clients; as those components of SharePoint (e.g. WebParts, Metadata) cannot be supported by RESTFul APIs thus we would still be requiring a O365 user credential for integration.


We are just wondering for those O365 tenants with ZERO usage and as soon as their O365 organizations are enforced to disabling Basic Authentication by October 2020. Would the above mentioned "web service (ASMX) for sharepoint" be impacted?


If the above scenario will happen, can those "ZERO usage" O365 tenants / administrators re-enable the Basic Authentication in Azure AD or will there be other workaround for software developers to keep using the "web service (ASMX) for sharepoint" with O365 user credential (i.e. BASIC Authentication)? 


Appreciate your feedback. Thank you. 

@The_Exchange_Team  we have not switched on Modern authentication even we have Team client. My question related to the settings offered by Modern authentication, if i enable modern authentication and move with one by option and outlook will be the last. 


Start with active sync, Pop 3,imap,Exchange. Please let us know whether it will work

Iron Contributor


@Sean_Stevenson any MS recommendations to replace IIS SMTP to connect on prem applications, printers, ... to O365?

Thanks for feedback


@ericng99 Sorry, I have no knowledge of Sharepoint endpoints. 


@Vincent VALENTIN We officially recommend having an Exchange Server on-premises to handle those applications or devices if they cannot submit emails directly to Exchange Online. Read more about it here: 

Copper Contributor

If I modify the default authentication policy and disable all the basic authentication protocols using the "new available" GUI settings, I notice that AllowBasicAuthOutlookService and AllowBasicAuthReporingWebServices are still enabled in the created policy. 


Is there any specific reason for not including these settings in the GUI at this time? And if I block legacy authentication using a Conditional Access policy I assume that the two mentioned settings will be blocked? Is the effect of the CA policy the same of having a authentication policy where all AllowBasicAuth* settings are set to False/Disabled?


I've written down my experiences with phasing out Legacy authentication so far at my blog here, hoping to provide a central location for information related to this upcoming change. I'll try to keep it up to date as much as possible with my learnings over time. 

Copper Contributor

I'm trying to figure out to use modern auth and disable basic auth for all mailboxes but a few which still need to use SMTP with Basic Auth. The documentation is not clear about how to do that. It looks like I need to


  1. Disable Security Defaults in Azure AD if they are enabled.
  2. Set-TransportConfig -SmtpClientAuthenticationDisabled $false 
  3. Use the new UI described here (or new/set-authenticationpolicy) to enable modern auth and disable basic auth for everything which will create/change the default authentication policy.
  4. Create a second authentication policy via new-authenticationpolicy) which enables SMTP Basic Auth
  5. Assign the second policy to the few mailboxes which still need SMTP basic auth via the set-user cmdlet and wait for 24h until the settings are a efffective. Or use set-user -StsRefreshtokenValidFrom $([Sytem.DateTime]::UtcNow)  to shorten that to 30 minutes.

Is there an easier way to achieve that?

Iron Contributor

Great write up only have one piece of feedback to share. I feel this change should have been better communicated in relation to what all will be affected when admin decides to make changes using the new Modern Auth policy UI.


I wasn't aware of any mention of MS Cloud team setting up Org wide Default Authentication policy in our tenant. I would of rather created my own Default Org policy prior to making changes via this new UI in the Modern Authentication section of Azure Portal.  I would send additional communication to bring more attention to the fact if you don't currently have Default Org policy making any changes to the protocols will create a new Default Org Policy and set as default when prior to that change there was no policy set.


I think it's great to see Microsoft Security team continuing to advance security in the environment as often as possible. I think it would be beneficial to include multiple notices in the O365 & Azure changes emails and include updates in the O365 message center to reduce the chance of admins not knowing a change has occurred because no notice was given when said changes were made via the modern authentication UI. 


Iron Contributor

We continue to see basic auth requirements for autodiscover for some hybrid migrations.


One issue we have had in the past is outlook clients on unmanaged devices where the reg key cannot be pushed automatically. Often users (if allowed... another topic completely!) install office and setup outlook on local unmanaged devices. Particularly during COVID!


As RPC is still supported on prem, if basic auth for autodiscover in EXO is disabled how will we be able to address these unmanaged devices other than letting them log a support ticket or trying to track these users. I have a headache already just thinking about it!


Any thoughts or workarounds would be much appreciated!



Copper Contributor

The v2 module only contains 9 cmdlets if basic auth is turned off on the client machines.


I’ve experienced issues even using those 9 when basic auth is disabled locally. The cmdlets just hang there and never throw an error.


Do we have a timeline as to when the other 700 cmdlets will be available?


Iron Contributor

When EAS is disabled using the portal (as shown), it seems to shut down EAS entirely (including those using iPhones and modern authentication). What am I missing?

Copper Contributor

Hello!  And Happy New Year!

Is there any refinement of the date in the "disable Basic Authentication for the EAS, EWS, POP, IMAP, and RPS protocols in the second half of 2021" statement?



@The_Exchange_Team we are planning to enable modern authentication and also enable Basic authentication and let us know if there will be any impact to this change. I believe until we enable conditional access enforced no impact to the users. Please clarify


Please let us know the new date for Basic authentication depreciation. 

Brass Contributor

As already anounced, Microsoft ins planning to disable BASIC Auth for EWS, IMAP, POP3, EAS, PowerShell in H2 2021.


Out Tenants have been created in mid of 2017.

Therefore no BASIC Auths for any protocols have been disabled yet.


When the Disable starts in H2 2021, will it utilizing the "Security Defaults"-Switch or the "Authentication Polices"?


Or is it another, general setting which cannot manymore be manipulated by the Tenant Admin.


I'm asking because I want to know if it's possible to use "Authentication Policies" to re-enable using Basic Auth (for example for IMAP Protocol) in one Tenant, even after it's official disablement.

Copper Contributor

Hello @The_Exchange_Team,


I'm also very interested in a more precise date range, please.


Is there any refinement of the date in the "disable Basic Authentication for the EAS, EWS, POP, IMAP, and RPS protocols in the second half of 2021" statement?

Thanks in advance.


@The_Exchange_Team  What will be the impact to the user if we enable both Modern and Basic ..whether users will notice any changes if they are using modern client


we want to understand the user behavior, based on the call with your team before they mentioned even you enable modern authentication there will be no impact until you enable conditional access policy to enforce the change. Please correct us if we are wrong



Copper Contributor
"We officially recommend having an Exchange Server on-premises to handle those applications or devices if they cannot submit emails directly to Exchange Online. Read more about it here:"How this should be performed? On the local server a receive connector is required that accepts the connection from printers and scanners then a send connector with TLS towards O365 that transfers them towards O365 like it's written in this article? 
Brass Contributor

awesome information 

Version history
Last update:
‎Sep 01 2022 08:12 AM
Updated by: