Deprecation of Basic Authentication in Exchange Online

Author: Helen Neudorf Time: 03.10.2022

In August, Microsoft announced that, starting October 1, 2022, it will permanently disable Basic Authentication in all tenants, regardless of usage, except for SMTP Auth. Basic Authentication in Exchange Online uses a username and a password for client access requests. Blocking Basic Authentication can help protect your Exchange Online organization from brute force or password spray attacks.

Starting October 1, Microsoft will randomly select tenants and disable Basic Authentication access for MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS), and Remote PowerShell. Microsoft will post a message to the Message Center 7 days prior, and will post Service Health Dashboard notifications to each tenant on the day of the change.


Microsoft will not be disabling or changing any settings for SMTP AUTH. As many multifunction devices such as printers and scanners can’t use modern authentication, SMTP AUTH will remain an exception, unless your organization hasn’t previously used this option consistently or at all.  
If you have removed your dependency on Basic Authentication, this will not affect your tenant or users. If you have not (or are not sure), check the Message Center for the latest data in the usage reports Microsoft has been sending monthly since October 2021.

One-time re-enablement 

On September 1, Microsoft announced an update to their plan for customers who are unaware of or are not ready for this change.
Once Basic Authentication is turned off after October 1, all customers will be able to use the self-service diagnostic to re-enable Basic Authentication for any protocols they need, once per protocol. After this diagnostic is run, Basic Authentication will be re-enabled for those protocols. Selected protocols will stay enabled for Basic Authentication use until the end of December 2022. During the first week of calendar year 2023, those protocols will be disabled for Basic Authentication use permanently, and there will be no possibility of using Basic Authentication after that.
If you need additional information on running the diagnostics, Microsoft has put together a thorough guide here
Source: Microsoft