Basic Authentication in Exchange Online (Updated)

Microsoft had postponed the blocking of basic authentication in Exchange Online due to the Global Pandemic we find ourselves in. The work was originally delayed until October 2020 and was then delayed further, but they have now adapted their approach. Instead of blocking basic authentication for all of Exchange Online, they will target any protocols that you have not used. As a refresher, the following protocols are being targeted for this change:

  • POP
  • IMAP
  • Remote PowerShell
  • MAPI
  • RPC
  • Offline Address Book (OAB)

If you have used (or are using) any of these protocols within your tenant, they will not be blocked. But the others will. You will received messages within the Message Centre advising of any protocols that will be blocked and Microsoft are giving 30 days notice. If you find a protocol will be blocked that you are using you can respond to Microsoft.

The advice is still to remove all use of the above protocols when accessing Exchange Online as soon as possible. It poses a security risk in Exchange Online as you cannot protect access to the service with Conditional Access when using these protocols.

Microsoft are planning on beginning this process in the second half of 2021 but not exact date has been given yet. The latest update from Microsoft can be found here.

If you need help removing basic authentication from being used in your tenant, please reach out so we can help!

About the author