End of life: Basic authentication in Exchange Online

For the last year and a half, Microsoft have been disabling Basic Authentication. Basic Authentication user credentials are not protected by TLS and cannot be used with technologies such as multifactor authentication (MFA).

We saw this recommended in Secure Score, along with the ability to block legacy authentication in Conditional Access policies.

Microsoft automatically turn off Basic Authentication if the tenant is using Security defaults in Azure AD.

So when is the change coming into effect?

From 1st October 2022 Basic authentication will be disabled for Outlook, EWS, RPS, POP, IMAP, and EAS protocols in Exchange Online.

SMTP Auth will also be disabled but only if it is not being used.

What can be done to limit impact?

Use Azure AD Sign-in reports to view connections with Basic Auth.
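An added example (not from the original post) that summarises an exported sign-in log to show which accounts still connect with legacy clients, and which of them rely on SMTP AUTH. The record fields follow the Microsoft Graph signIn names (`clientAppUsed`, `userPrincipalName`, `createdDateTime`); the sample records, the `contoso.example` accounts and the list of legacy client app names are assumptions to adjust for your tenant.

```python
import json
from collections import defaultdict

# Client app names treated as legacy authentication (assumed list; adjust as needed).
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "Autodiscover", "Exchange ActiveSync",
    "Exchange Online PowerShell", "Exchange Web Services", "IMAP4",
    "MAPI Over HTTP", "Offline Address Book",
    "Outlook Anywhere (RPC over HTTP)", "POP3",
    "Reporting Web Services", "Other clients",
}

# Constructed sample export: (user, client app, timestamp) turned into signIn-shaped records.
_ROWS = [
    ("alice@contoso.example", "IMAP4", "2022-08-01T08:00:00Z"),
    ("Alice@contoso.example", "IMAP4", "2022-08-03T09:30:00Z"),
    ("alice@contoso.example", "Browser", "2022-08-03T10:00:00Z"),
    ("scanner@contoso.example", "Authenticated SMTP", "2022-08-02T12:00:00Z"),
    ("bob@contoso.example", "Mobile Apps and Desktop clients", "2022-08-02T13:00:00Z"),
    ("bob@contoso.example", "Exchange ActiveSync", "2022-08-04T07:15:00Z"),
]
SAMPLE_EXPORT = json.dumps([
    {"userPrincipalName": u, "clientAppUsed": a, "createdDateTime": t}
    for u, a, t in _ROWS
])

def legacy_auth_usage(export_json):
    """Return {user: {client_app: {"count": n, "last_seen": ts}}} for legacy clients only."""
    legacy = {name.casefold() for name in LEGACY_CLIENT_APPS}
    usage = defaultdict(dict)
    for record in json.loads(export_json):
        app = (record.get("clientAppUsed") or "").strip()
        if app.casefold() not in legacy:
            continue  # modern-auth client (or no client app recorded)
        user = (record.get("userPrincipalName") or "unknown").lower()
        entry = usage[user].setdefault(app, {"count": 0, "last_seen": ""})
        entry["count"] += 1
        # ISO 8601 UTC timestamps in one format sort correctly as strings
        entry["last_seen"] = max(entry["last_seen"], record.get("createdDateTime") or "")
    return dict(usage)

def smtp_auth_users(usage):
    """Accounts still using SMTP AUTH, which stays enabled only where it is in use."""
    return sorted(u for u, apps in usage.items()
                  if any(a.casefold() == "authenticated smtp" for a in apps))

if __name__ == "__main__":
    report = legacy_auth_usage(SAMPLE_EXPORT)
    for user, apps in sorted(report.items()):
        for app, info in sorted(apps.items()):
            print(f"{user:28} {app:22} {info['count']:3} last {info['last_seen']}")
    print("SMTP AUTH in use by:", smtp_auth_users(report))
```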

Upgrade any end user mail clients to modern authentication aware client apps such as:

Email Client: Outlook (within Microsoft 365 Apps for enterprise)
Active Sync: Outlook for iOS and Android
Calendar sharing/editing by a 3rd party tool (EWS): Confirm it supports modern authentication, although Microsoft have plans to eventually deprecate EWS.

If you are an administrator for your Exchange Online environment, make sure you have upgraded your EXO PowerShell modules to the “Exchange Online V2 PowerShell module”.

If you need help transitioning your EXO services before Microsoft remove basic authentication from your tenant, please reach out so we can help!
