Beginning October 1, 2022, Microsoft is disabling an outdated way of logging in to Exchange Online known as “basic authentication.” This outdated method is vulnerable to various forms of password attacks. The newer authentication method is based on a standard called OAuth, and the Microsoft implementation of this standard is called “modern authentication.”
Some customers might run into problems once the outdated login method is disabled for their organization, such as not being able to sign in to email.
When basic authentication is disabled for your organization, and various email clients are still using it, there are two things to know:
- How to temporarily re-enable basic authentication for your organization (which solves the immediate problem of not being able to sign in). (As of the end of calendar year 2022, this option has been removed.)
- How to stop using basic authentication permanently (because temporary re-enablement ends on December 31, 2022). Unless you address this, your users will not be able to sign in to Exchange Online starting January 2023, when we permanently disable basic authentication.
Let’s cover both of these.
Temporarily re-enable basic authentication for your organization
Update 1/1/2023: we are in the final stages of basic authentication deprecation in Exchange Online. Re-enablement of basic authentication or opting out of disablement by invoking the Microsoft 365 admin center Diag: Enable Basic Auth in EXO diagnostic is not possible anymore. Please update your clients to use modern authentication.
Stop using basic authentication permanently
Here are some client-specific tips for you, with links to learn more:
- Outlook for Windows: The first thing to do is to make sure Outlook is up to date and that the organization-wide switch to enable modern authentication is set to True. Without that setting, Outlook for Windows won’t use modern auth. So, make sure it’s turned on. We are turning on the organization setting for customers as we disable basic auth for MAPI/RPC protocols, so this should be enabled already, but it’s worth checking. If things are still not working, check that Outlook has the right registry keys in place.
Note: If you are using Outlook for Windows with the POP or IMAP protocol, that will stop working permanently when basic authentication is disabled at the end of this year. Outlook for Windows does not support modern authentication with Exchange Online using POP or IMAP, and if you need to keep using those legacy protocols, you will have to use a different email client (for example, Thunderbird).
- Outlook for Mac: If your Outlook for Mac clients insist on using basic auth, please see our recent blog post on this subject.
- Exchange ActiveSync: this refers to a protocol used by various native email and calendar apps, such as the Mail app on iOS. All mainstream apps on up-to-date mobile clients support modern auth, but many user devices might still be using basic auth. Removing and re-adding the account from the device should automatically switch it to modern auth.
However, if you use a mobile device management (MDM/MAM) solution, you should use it to deploy new profiles. Here’s how you can use Intune to set the auth mechanism for iPhone and iPad, for example. If you’re using Basic Mobility and Security, take a look at this document for more information on how to fix those devices.
There might also be some less common types of clients that stop working when basic auth is disabled; here is how to work with those:
- POP/IMAP applications: some of our customers use these protocols for application access. Please see this blog post for how to address both interactive and non-interactive apps.
- Exchange Web Services (EWS) applications: EWS supports app-only access and you can use Application Access Policies to control what an app can access. If you have apps using EWS with basic auth, you must either modify the code, or get the app developer to do so. Many partner apps already support modern auth; they just need a configuration change or an update to the latest version.
- PowerShell scripts: If you have scripts, follow this guide to use modern auth within scripts.
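For the POP/IMAP applications item above, this added example (not from the original post and not Microsoft's code) contrasts what a basic-auth client sends with the SASL XOAUTH2 response an OAuth-capable IMAP client sends, including the callable form Python's `imaplib` expects. The mailbox name, token and error JSON are constructed, and the handling of a server error challenge is an assumption about how the server reports a rejected token.

```python
import base64
import json


def basic_credential(user, password):
    """Basic auth: the reusable password itself, only base64-encoded."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


def xoauth2_raw(user, access_token):
    """SASL XOAUTH2 client response, before base64 encoding."""
    if any("\x01" in value for value in (user, access_token)):
        raise ValueError("Ctrl-A separates fields and cannot appear in a value")
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode()


class XOAuth2Authenticator:
    """Callable for imaplib.IMAP4.authenticate("XOAUTH2", authenticator).

    imaplib base64-encodes the returned bytes itself, so this returns the
    raw form; encoding it twice is a common cause of failed logins.
    """

    def __init__(self, user, access_token):
        self._raw = xoauth2_raw(user, access_token)
        self.error = None  # set if the server sends an error challenge

    def __call__(self, challenge):
        if not challenge:
            return self._raw  # first call: empty server continuation
        # Assumption: a non-empty challenge is the server's error report,
        # possibly JSON. Record it and send an empty reply so the server
        # can finish the failed exchange.
        try:
            self.error = json.loads(challenge)
        except ValueError:
            self.error = {"raw": challenge.decode(errors="replace")}
        return b""


# Constructed sample values, not real credentials.
USER = "app-mailbox@contoso.example"
TOKEN = "constructed-access-token"

if __name__ == "__main__":
    print("basic  :", base64.b64decode(basic_credential(USER, "pw")).decode())
    auth = XOAuth2Authenticator(USER, TOKEN)
    print("xoauth2:", base64.b64encode(auth(b"")).decode())
```

The access token itself has to be obtained from the identity platform first; that step is outside this sketch.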
Clients that we do not expect to have problems starting October 1, 2022:
- Outlook for iOS and Android – this client does not use basic authentication when connecting directly to Exchange Online mailboxes.
- Outlook on the web – authenticating with Outlook on the web through your web browser always uses modern authentication if the mailbox is in Exchange Online.
What about application passwords? Will they keep working?
If application passwords are being used for MFA (Multi-Factor Authentication) along with basic auth as another auth mechanism, then when basic authentication is disabled, app passwords used for MFA will stop working too.
Where can I find more information?
There are several resources that we wanted to provide here as additional reading:
The Exchange Team