Update: The full timeline for retirement of Basic Authentication in Exchange Online is now published in Basic Authentication Deprecation in Exchange Online – September 2022 Update.
In about 150 days from today, we’re going to start to turn off Basic Auth for specific protocols in Exchange Online for those customers still using it.
Since we announced the October 1, 2022 deadline last year we’ve seen great progress from customers and partners as they move their clients and apps from basic to Modern Authentication. Since there are a lot of customers still using Basic Auth, we wanted to re-state the scope and implications of this change, and to answer some of the common questions we get.
As a reminder, Basic Auth is still one of, if not the most common ways our customers get compromised, and these types of attacks are increasing.
We’ve disabled Basic Auth in millions of tenants that weren’t using it, and we’re currently disabling unused protocols within tenants that still use it, but every day your tenant has Basic Auth enabled, you are at risk from attack.
Timeline and Scope
As we communicated last year in blog posts and Message Center posts, we will start to turn off Basic Authentication in our worldwide multi-tenant service on October 1, 2022. To be clear, we will start on October 1; this is not the date we turn it off for everyone. We will randomly select tenants, send 7-day warning Message Center posts (and post Service Health Dashboard notices), then we will turn off Basic Auth in the tenant. We expect to complete this by the end of this year. You should therefore be ready by October 1.
We’re turning off Basic Auth for the following protocols: MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS), and Remote PowerShell.
We are not turning off SMTP AUTH. We have turned off SMTP AUTH for millions of tenants not using it, but if SMTP AUTH is enabled in your tenant, it’s because we see usage and so we won’t touch it. We do recommend you disable it at the tenant level and re-enable it only for those user accounts that still need it.
Exceptions and Per-Tenant Timing
There is no way to request an exception after October. Tenant selection is random, and we cannot put your tenant to the back of the queue to give you more time or change your settings on any specific date. If you want Basic Auth to be disabled at a time of your choosing (either now, or as soon as you are ready), use Authentication Policies. More info on that below.
What should I do to prepare for this change?
Any client (user app, script, integration, etc.) using Basic Auth for one of the affected protocols will be unable to connect. The app will receive an HTTP 401 error: bad username or password.
Any app using Modern Auth for these same protocols will be unaffected.
Our documentation page lists some of the common apps and what can be done to switch them from basic to Modern Auth, but based on calls with customers of all sizes, here are some common themes:
How do you know you are still using Basic Auth? Azure AD sign-in events is the best place to look (filter by client app, then in the client app filter, check the boxes for the affected protocols under Legacy Authentication Clients). Check out this post for more info.
We also send monthly Message Center posts to tenants using Basic Auth, summarizing their usage. We’ve been doing this since October 2021. These are not as exact as Azure AD’s reports; they are meant as an indicator of usage, but if you get one, you should investigate what’s causing it.
Sometimes, we are asked if we can send the list of users still using Basic Auth. Unfortunately, we cannot send you a list, because that information is only available inside your tenant for privacy reasons. Of course, this information is available to admins in the Azure portal.
What’s the Best Way to Disable Basic Auth Once I’m Done?
The absolute best way to disable Basic Auth is to use Authentication Policies to block Basic Auth. As this article clearly states, if you want to block Basic Auth, use Auth Policies. Don’t use Set-CASMailbox or Conditional Access, as those are both post-authentication. They prevent access to the data, but they don’t stop authentication.
You might notice that that we’re not disabling Autodiscover at this time. That’s something we’ll do once the clients that depend on it are using Modern Auth, but it’s also something you can do for yourself with Authentication Policies.
What If I Still Need Help?
If you still need help, that’s where our amazing network of partners, MVPs, community, and Microsoft support engineers come in. There’s a huge amount of experience and knowledge to help you with this transition. So, ask questions, look for help, and most importantly – disable Basic Auth and get secure!
The Exchange Team
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.