Deprecation is due to happen on October 13, 2020. The usual approach inside Office 365 is that the cut-off doesn’t happen immediately but can occur at any point without warning after the announced date. When the axe descends, clients running any of the listed protocols won’t be able to connect to Exchange Online using basic auth. Customers therefore have just over a year to prepare for the change.
Update: Microsoft has pushed the deprecation date out to mid-2021.
The Challenge of Mobile Clients
The biggest issue is likely to be with mobile clients. Microsoft licenses ActiveSync (EAS) to many mobile device vendors to enable connectivity from clients like the iOS mail app to Exchange. Microsoft argues that it’s time for customers to move to clients that support modern authentication and points to Outlook Mobile for iOS and Android as the logical choice for anyone with an Exchange Online mailbox. The big advantage of Outlook Mobile is that you get more features delivered for these clients, such as the recent support delivered for dark mode and shared mailboxes.
Although it’s true that Outlook Mobile has more than 100 million users, the fact remains that this number counts both consumer and commercial customers and there are way more Exchange Online mailboxes in use. The last active number for Office 365 seats was 180 million (April) and that’s likely to be past 200 million now. Given the mobile nature of email, roughly 50% of the Exchange Online community might use a client today that depends on basic auth for EAS, IMAP4, or POP3.
I’m sure Microsoft has been in touch with its EAS licensees with an update for the new connectivity rules. It’s then up to licensees to update the mail apps for their devices to support modern authentication (Apple already has for iOS 11 onward). However, just because a mail app proclaims its support for modern authentication, software must still be checked out against Office 365 to make sure that everything works as expected across all client versions on all device families (some folks have run into problems with the iOS app).
Time to Go for IMAP4 and POP3
Microsoft says that they will update their POP3 and IMAP4 connections to support modern authentication soon. This will help, but tenants will still have to validate that any IMAP4 and POP3 clients still in use can connect, including applications where IMAP4 or POP3 is used to send messages. I recommend that tenants take the opportunity to move users on from these now-ancient email protocols to something that’s more secure and functional, even if it means ripping Thunderbird and other clients out of user hands. They’ll be better for the experience.
Upgrading to a more functional email client is one thing; upgrading an application that uses IMAP4 to fetch messages from Exchange Online is another. Microsoft has committed to update the IMAP4 protocol for Exchange Online to support OAuth and says that they will make an announcement when this support is available. Upgrading an application will involve code changes, so now’s a good time to collect a roster of applications that will need to be updated. On the other side of the coin, the SMTP AUTH protocol used by many applications and devices to send messages is not being changed.
Of course, if you feel adventurous, you could upgrade apps to use the Microsoft Graph REST API instead of IMAP4. I suspect that this won’t happen as the work involved is likely to be more onerous (especially testing) than upgrading an IMAP4 connection to support modern authentication.
Remote PowerShell
Exchange has used Remote PowerShell since Exchange 2010 (more software to hit the ropes in October 2020) and people are very accustomed to making remote connections to work with mailboxes and other Exchange objects through PowerShell. The issues involved in Remote PowerShell for Exchange Online are not limited to basic auth, but at least MFA-enabled connections are available.
Discovering Basic Auth Connections
Microsoft says that they will deliver a tool to allow Office 365 tenant administrators to discover who’s using basic auth to connect to their mailboxes. No details of the tool are yet available.
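One way to build a roster of basic auth users in the meantime, as an added example that is not Microsoft's discovery tool or code from this article: it assumes you have exported Azure AD sign-in records to CSV with the columns shown, and that the `clientAppUsed` values listed mark legacy-protocol sign-ins. The sample rows and the function name `Get-BasicAuthRoster` are constructed for illustration.

```powershell
# Constructed sample of an Azure AD sign-in log export (not real tenant data).
# Column names are an assumption; adjust them to match your own export.
$signInCsv = @'
createdDateTime,userPrincipalName,clientAppUsed,appDisplayName,ipAddress
2019-09-20T08:01:12Z,kim@example.com,Exchange ActiveSync,Office 365 Exchange Online,203.0.113.10
2019-09-20T08:03:40Z,kim@example.com,Exchange ActiveSync,Office 365 Exchange Online,203.0.113.10
2019-09-20T08:05:02Z,invoices@example.com,IMAP4,Office 365 Exchange Online,198.51.100.7
2019-09-20T08:07:55Z,lee@example.com,Mobile Apps and Desktop clients,Office 365 Exchange Online,203.0.113.44
2019-09-20T08:09:31Z,scanner@example.com,Authenticated SMTP,Office 365 Exchange Online,198.51.100.9
2019-09-20T08:11:18Z,pat@example.com,POP3,Office 365 Exchange Online,192.0.2.25
2019-09-20T08:15:47Z,admin@example.com,Exchange Online PowerShell,Office 365 Exchange Online,192.0.2.80
2019-09-20T09:02:00Z,invoices@example.com,IMAP4,Office 365 Exchange Online,198.51.100.7
'@

# Protocols this article discusses. SMTP AUTH is listed separately because
# the article says it is not being changed, but it is still worth tracking.
$affected   = 'Exchange ActiveSync', 'IMAP4', 'POP3', 'Exchange Online PowerShell'
$unaffected = 'Authenticated SMTP'

function Get-BasicAuthRoster {
    param([Parameter(Mandatory)] [object[]] $SignIns)

    $SignIns |
        Where-Object { $_.clientAppUsed -in ($affected + $unaffected) } |
        Group-Object userPrincipalName, clientAppUsed |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                User      = $first.userPrincipalName
                Protocol  = $first.clientAppUsed
                SignIns   = $_.Count
                # ISO 8601 UTC timestamps sort correctly as strings
                LastSeen  = ($_.Group.createdDateTime | Sort-Object | Select-Object -Last 1)
                SourceIPs = ($_.Group.ipAddress | Sort-Object -Unique) -join ';'
                Affected  = $first.clientAppUsed -in $affected
            }
        } |
        Sort-Object @{ Expression = 'Affected'; Descending = $true }, User
}

# One row per user and protocol: service accounts such as the IMAP4 mailbox
# scraper surface next to interactive users on mobile mail apps.
$roster = Get-BasicAuthRoster -SignIns ($signInCsv | ConvertFrom-Csv)
$roster | Format-Table -AutoSize
```

Rows with `Affected` set to `True` are the accounts whose clients or applications need a modern authentication path before the cut-off; repeated sign-ins from a single source IP by a non-interactive account usually point to an application rather than a person.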
A Good Change
Overall, getting rid of insecure basic auth connections is a very good idea. The only downside is the work that Office 365 tenants must do to identify what usage basic auth has inside their environment and then come up with plans to remove the dependency. At least there’s plenty of time to do the work.
For more information about Exchange Online, read the Office 365 for IT Pros eBook. Our earliest editions focused on Exchange Online, but we’ve got much broader coverage across Office 365 now.
5 Replies to “Basic Authentication Dead for Exchange Online Connections”
A use case that neither Microsoft’s announcement nor your article touches on much are applications using IMAP to access messages programmatically (e.g. tool that scrapes mailbox for invoices or expense report attachments). I don’t disagree that it’s “time to change” those, but I would have loved a little more notice. In fact, I know of one team that was moving a tool away from EWS and towards IMAP because of the announcement last July (I don’t agree with that decision, but the irony is painful). Now, people have a year either to push a vendor to change or implement a replacement product (or, I suppose, move a mailbox back on-premises).
TLDR; IMAP/POP is broader than “stop using Thunderbird.”
I know that IMAP and POP is more than using Thunderbird or one of the other popular clients… the use case you outline, which is a real one, is being dealt with by upgrading the protocols to support modern authentication. This will mean some work for the folks who use IMAP (mostly) to retrieve messages as they will have to upgrade their apps. It is also worth noting that Microsoft is not changing SMTP at this time, so outbound email is unaffected. The change here is to stop attacks on accounts like this often used by apps.
If you are interested in a PowerShell way of finding out who is currently using Basic Authentication, please vote this up: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/39818251-return-value-for-authenticationmethodsused-in-get