Blog Post

Exchange Team Blog
5 MIN READ

Basic Authentication Deprecation in Exchange Online – September 2022 Update

The_Exchange_Team's avatar
The_Exchange_Team
Platinum Contributor
Sep 01, 2022
One month from today, we’re going to start to turn off basic auth for specific protocols in Exchange Online for customers who use them. Since our first announcement nearly three years ago, we’ve se...
Updated Jan 01, 2023
Version 16.0
announcements
exchange online
security
LoopEndle's avatar
LoopEndle
Copper Contributor
Sep 07, 2022

Thanks starkjc  -
     I have an onpremise exchange server where I host mailboxes that require imap or pop. ... 
     We are sourced in onpremise ad in a coexistence state with exchange online. 
That's a great option. I figured this was possible, but wasn't sure... I'll pass on your comment to our Windows administrators. I also found across this open source code: https://github.com/simonrob/email-oauth2-proxy - this may be another option. It adds a OAuth2 proxy service to lets code that only supports IMAP to still talk to Office 365 emails. Here's one of the use cases it addresses: 
Example use-cases

You need to use an Office 365 email account, but don't get on with Outlook. The email client you like doesn't support OAuth 2.0, which will be mandatory from October 2021.

 

 

[email address removed for privacy reasons]
permission_url = https://login.microsoftonline.com/common/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/common/oauth2/v2.0/token
oauth2_scope = https://outlook.office365.com/IMAP.AccessAsUser.All https://outlook.office365.com/POP.AccessAsUser.All https://outlook.office365.com/SMTP.Send offline_access
redirect_uri = http://localhost
client_id = *** your client id here ***
client_secret = *** your client secret here ***

 

 


Thanks Nino_Bilic  - I appreciate the additional clarity and your offer to look into our old ticket...

Thanks for providing support ticket number; I'll look it up shortly and reach out to support engineer to make sure there are no more misunderstandings.

 

Can MS reach out to me (or my organisation) to let us know the outcome of your review?

No dispute that mandatory OAuth helps your userbase (i.e. I read it's important for MFA). But in cases like ours (machine-to-machine, IMAP over TLS 1.2, no MFA) the new requirement seems pure hindrance with no security added. For such cases, can MS not provide an option to extend IMAP Basic authentication? It gives us breathign room to plan the refresh our middleware without having to put in workarounds like OAuth proxies or on-prem Exchange servers?