Microsoft 365: Deprecating Basic Authentication in Exchange Online

If you are administering Microsoft 365 and Exchange Online for your organization, you may remember that Microsoft announced in September 2021 that they are deprecating support for Basic authentication for several components of Exchange Online, including Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, Exchange Web Services (EWS), Offline Address Book (OAB), Outlook for Windows, and Mac. Basic authentication has several security problems including a lack of strong native encryption, the requirement to resend username and password for every request, local storage of credentials, and difficulties when trying to implement multi-factor authentication.

In 2021, Microsoft began proactively disabling Basic authentication for some existing clients that reported no usage of Basic authentication, and new Microsoft 365 tenants automatically had that functionality disabled since Microsoft’s Security Defaults were applied during tenant creation. On October 1, 2022, Microsoft will begin disabling Basic authentication for Outlook, EWS, RPS, POP, IMAP, and EAS protocols in Exchange Online. If unused, Microsoft will also disable SMTP AUTH.

So, what does this mean? Well, if your organization is still using Basic authentication to communicate with Exchange Online services, that may stop working on October 1. Some examples of devices and services that may interact with Exchange Online using Basic authentication include:

Hopefully, you are already ahead of the curve on this – if not, there is still time to address this. Talk to your IT and InfoSec teams about those older devices and services still out there in production. Review your Microsoft 365 / Exchange Online connection logs for any Basic authentication traffic that is still going on. Tip: Look in your Azure AD Sign-in Logs, filter on “Client app,” and select all of the “Legacy Authentication Clients” options. Authentication events listed with that filtering may give you devices and services to check on more deeply.

Check out this article from Microsoft for more information and details:https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online

Authored by: David Bentley, CISSP