Sept 1, 2022

Microsoft 365: Deprecating Basic Authentication in Exchange Online

If you are administering Microsoft 365 and Exchange Online for your organization, you may remember that Microsoft announced in September 2021 that they are deprecating support for Basic authentication for several components of Exchange Online, including Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, Exchange Web Services (EWS), Offline Address Book (OAB), Outlook for Windows, and Mac. Basic authentication has several security problems including a lack of strong native encryption, the requirement to resend username and password for every request, local storage of credentials, and difficulties when trying to implement multi-factor authentication.

In 2021, Microsoft began proactively disabling Basic authentication for some existing clients that reported no usage of Basic authentication, and new Microsoft 365 tenants automatically had that functionality disabled since Microsoft’s Security Defaults were applied during tenant creation. On October 1, 2022, Microsoft will begin disabling Basic authentication for Outlook, EWS, RPS, POP, IMAP, and EAS protocols in Exchange Online. If unused, Microsoft will also disable SMTP AUTH.

So, what does this mean? Well, if your organization is still using Basic authentication to communicate with Exchange Online services, that may stop working on October 1. Some examples of devices and services that may interact with Exchange Online using Basic authentication include:

  • Legacy multi-function devices that scan documents to email
  • Phone systems that send voicemails to email
  • Server or network monitoring systems that send alerts to email
  • And many other possibilities

  • Hopefully, you are already ahead of the curve on this – if not, there is still time to address this. Talk to your IT and InfoSec teams about those older devices and services still out there in production. Review your Microsoft 365 / Exchange Online connection logs for any Basic authentication traffic that is still going on. Tip: Look in your Azure AD Sign-in Logs, filter on “Client app,” and select all of the “Legacy Authentication Clients” options. Authentication events listed with that filtering may give you devices and services to check on more deeply.

    Check out this article from Microsoft for more information and details:https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online

    Authored by: David Bentley, CISSP

    You May Want to Read More:

    The Scope of SARs - Something Old and Something New - WST

    January 28th, 2021

    Did you know that filing Suspicious Activity Reports...

    In with the new year, out with the Flash - WST

    January 21st, 2021

    The writing has been on the wall for a while now ...

    Back to Basics: Understanding Risk Concepts - WST

    January 15th, 2021

    People often make judgements and decisions about risk...

    Keep your institution off the evening news.


    Contact Us