Starting October 1, 2022, Microsoft is disabling an outdated way of logging into Exchange Online known as “basic authentication.” This outdated method is vulnerable to various forms of password attacks. The newer authentication method is based on a standard called OAuth, and the Microsoft implementation of this standard is called “modern authentication.”
Some customers might run into problems once the outdated login method is disabled for their organization, such as not being able to sign in to email.
When basic authentication is disabled for your organization, and various email clients are still using it, there are two things to know:
Let’s cover both of these.
Temporarily re-enable basic authentication for your organization
Update 1/1/2023: We are in the final stages of basic authentication deprecation in Exchange Online. Re-enabling basic authentication, or opting out of disablement by invoking the Microsoft 365 admin center Diag: Enable Basic Auth in EXO diagnostic, is no longer possible. Please update your clients to use modern authentication.
Stop using basic authentication permanently
Here are some client-specific tips for you, with links to learn more:
Note: If you are using Outlook for Windows with the POP or IMAP protocol, it will stop working permanently when basic authentication is disabled at the end of this year. Outlook for Windows does not support modern authentication with Exchange Online using POP or IMAP; if you need to keep using those legacy protocols, you will have to use a different email client (for example, Thunderbird).
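Whether a client uses basic or modern authentication is visible in the first authentication command or header it sends. The sketch below is an added example, not code from the original post or from Microsoft: it classifies such lines for HTTP, IMAP and POP3 and lists the clients that still need to be moved off basic authentication. The client names, the contoso.example addresses and the (client, line) record format are constructed for illustration.

```python
import re

BASIC, MODERN, UNKNOWN = "basic", "modern", "unknown"

# Each rule maps the opening authentication line of a session to the kind of
# credential it carries: the mailbox password (basic) or an OAuth token (modern).
_RULES = [
    # HTTP-based clients: scheme of the Authorization header
    (re.compile(r"^authorization:\s*basic\s", re.I), BASIC),
    (re.compile(r"^authorization:\s*bearer\s", re.I), MODERN),
    # IMAP: tagged LOGIN command, or SASL via AUTHENTICATE
    (re.compile(r"^\S+\s+login\s", re.I), BASIC),
    (re.compile(r"^\S+\s+authenticate\s+(plain|login)\b", re.I), BASIC),
    (re.compile(r"^\S+\s+authenticate\s+(xoauth2|oauthbearer)\b", re.I), MODERN),
    # POP3: USER/PASS pair, or SASL via AUTH
    (re.compile(r"^(user|pass)\s", re.I), BASIC),
    (re.compile(r"^auth\s+(plain|login)\b", re.I), BASIC),
    (re.compile(r"^auth\s+(xoauth2|oauthbearer)\b", re.I), MODERN),
]


def classify(line):
    """Return BASIC, MODERN or UNKNOWN for one authentication line."""
    line = line.strip()
    for pattern, kind in _RULES:
        if pattern.search(line):
            return kind
    return UNKNOWN


def clients_to_migrate(records):
    """records: iterable of (client_name, auth_line) pairs.
    Returns the sorted names of clients still sending a password."""
    return sorted({client for client, line in records if classify(line) == BASIC})


# Constructed sample records; credentials are already redacted.
SAMPLE = [
    ("thunderbird-alice", "a1 AUTHENTICATE XOAUTH2 <redacted>"),
    ("legacy-crm-sync", "Authorization: Basic <redacted>"),
    ("outlook-pop-bob", "USER bob@contoso.example"),
    ("ews-archiver", "Authorization: Bearer <redacted>"),
    ("old-imap-script", "a1 LOGIN carol@contoso.example <redacted>"),
]

if __name__ == "__main__":
    for name in clients_to_migrate(SAMPLE):
        print("still on basic authentication:", name)
```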
However, if you use some sort of mobile device management (MDM/MAM) solution, you should use it to deploy new profiles. Here’s how you can use Intune to set the auth mechanism for iPhone and iPad, for example. If you’re using Basic Mobility and Security, take a look at this document for some more information on how to fix those devices.
There might also be some less common types of clients that stop working when basic auth is disabled; here is how to work with those:
Clients that we do not expect to have problems with starting October 1, 2022:
What about application passwords? Will that keep working?
If application passwords are being used for MFA (multi-factor authentication) along with basic auth as another auth mechanism, then when basic authentication is disabled, app passwords used for MFA will stop working too.
Where can I find more information?
There are several resources that we wanted to provide here as additional reading:
The Exchange Team