Basic Authentication for All Exchange Online Tenants Stops in October 2022

Posted on by Tony Redmond

End of Longstanding Campaign to Eradicate Basic Authentication to Increase Security of Exchange Online

Updated November 12

On September 12, I received message center notifications MC284549 and MC284559, both of which informed me that Microsoft had disabled basic authentication for POP3, IMAP4, Remote PowerShell, Exchange Web Services (EWS), the Offline Address Book (OAB), Exchange ActiveSync (EAS), SMTP AUTH, and MAPI (Figure 1). I can report that nothing untoward has happened since. Everything kept working and the world continued spinning.

Tenant notice that Microsoft has disabled basic authentication for Exchange Online
Figure 1: Tenant notice that Microsoft has disabled basic authentication for Exchange Online

To confirm that basic authentication is blocked for the target protocols, run the Get-OrganizationConfig cmdlet and examine the BasicAuthBlockedApps property. In my case, the value returned is 255:

Get-OrganizationConfig | Select BasicAuthBlockedApps 

BasicAuthBlockedApps
--------------------
255

255 means that basic authentication is blocked for all protocols. This is a bitmask composed of values for each protocol. Zero (0) means that basic authentication is not blocked for any protocols. The other values are:

  • Exchange ActiveSync (EAS): 1
  • Exchange Web Services (EWS): 2
  • POP3: 4
  • IMAP4: 8
  • Remote PowerShell: 16
  • MAPI over RPC (Outlook Anywhere): 32
  • Offline Address Book (OAB): 64
  • RPC: 128

The disabling of basic authentication for multiple connection protocols was not unexpected. Microsoft flagged that this might happen in their June 2021 update on their long-running and much-delayed campaign to eradicate basic authentication from Exchange Online. My only complaint is that I didn’t receive the promised heads-up message center notification 30 days in advance of Microsoft disabling the protocols. Maybe that’s why I received two posts when disablement happened (to be fair to Microsoft, I might have overlooked the up-front message, which then expired and disappeared from view). In any case, things proceeded smoothly and Exchange Online continues to operate smoothly in my tenant without basic authentication.

As the countdown continues towards deprecation day, Microsoft plans to issue monthly informational posts in the Microsoft 365 admin center to tell tenants still using basic authentication what level of usage exists in their environment. Here’s an example of the kind of information you can expect to see:

Based on our telemetry, there may be some users in your tenant currently using Basic Authentication and we expect these users to be affected when these changes take place. 

In the month of October, we detected the following usage: 

  • Exchange ActiveSync: 11 
  • POP: 1 
  • IMAP: 0 
  • Outlook Windows: 13 
  • Outlook for Mac/Exchange Web Services: 0 
  • Exchange Remote PowerShell: 0 

Please note these numbers only reflect the count of unique users who have successfully authenticated to these services in the sepcified month, they do not reflect successful access to mailboxes or data (for example, a user may authenticate using IMAP, but may be denied access to the mailbox due to configuration or policy). 

October 1, 2022 is a Big Day for Exchange Online

However, things are about to get a lot more interesting for many other organizations with Microsoft’s decision that “effective October 1, 2022, we will begin to permanently disable Basic Auth in all tenants, regardless of usage.” In other words, in a year’s time, basic authentication for Exchange Online goes away even if an organization wants to keep it in place for some reason. This is a very big change.

The logic driving the decision is that removing basic authentication increases security for the overall Exchange Online service and its tenants and stops attackers seeking to compromise individual user accounts. This development might be painful for some, but overall it is a good thing.

Update 27 September : To smoothen progress towards the removal of basic authentication, Microsoft is making an exception for SMTP AUTH. Read the details here.

Update November 12: Microsoft has issued a useful summary of the actions they are taking to remove basic authentication from Exchange Online.

Early 2022 Test Disablements

Microsoft says that in early 2022, they will pick tenants (using some unpublished criteria) and disable basic authentication for all the chosen protocols except SMTP AUTH for a period of between 12 and 48 hours. SMTP AUTH is excluded because it might affect important operational aspects like multi-functional devices or PowerShell scripts sending updates about a job’s progress. When the period expires, Microsoft will enable basic authentication automatically.

While you might argue that it’s wrong for Microsoft to arbitrarily disable connection protocols for selected tenants, it’s certainly an excellent way of proving to an organization that they either don’t need basic authentication to function or where the pain points are which need to be solved before October 2022. If the pain caused by the disabled protocols becomes too much, tenant administrators can re-enable basic authentication using the self-service capability built into the Microsoft 365 admin center (Figure 2).

The option to reenable basic authentication for Exchange Online in the Microsoft 365 Admin Center
Figure 2: The option to reenable basic authentication for Exchange Online in the Microsoft 365 Admin Center

No Exceptions This Time Round

It’s easy to conclude from this news that Microsoft is very serious about eradicating basic authentication. The delays in previous schedules caused by the Covid-19 pandemic and the desire to give organizations more time to prepare have passed. Tenants have a year to get ready, even if they don’t want to. Microsoft says that they will not provide exceptions, noting “We are not providing the ability to use Basic Auth after October 2022. You should ensure your dependency on Basic Auth in Exchange Online has been removed by that time.”

In other words, if you want to use basic authentication with Exchange after October 2022, you need to move some processing on-premises.

Interestingly, the June 2021 update for the retirement of basic authentication in Exchange Online has only accumulated 36K views. This tells me that a bunch of tenant administrators are not keeping themselves informed about what’s going on here. Those people will be unhappy if their tenant is selected for protocol disablement for a period in early 2022 and even less impressed when the hammer descends in October 2022.

Time to Start the Transition

Twelve months isn’t a long time to prepare for major IT changes. Time has a habit of slipping away unnoticed. In this case, it’s important to start preparatory work (if not already done) to decide what will happen in terms of application and device access to Exchange Online, replacement of old user clients that don’t support modern authentication and upgrading code to use the Microsoft Graph APIs.

It’s interesting that Microsoft calls out the use of application access policies in its announcement. These policies allow granular access to mailboxes by apps using Graph APIs, so they’re important components when you transition code from older APIs to the Graph (or even for PowerShell scripts which send email via the Graph). Microsoft has increased the number of application access policies per tenant from 100 to 300 with plans to go to 10,000 or more. That should be enough for any organization to move forward.

So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across Office 365. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what’s happening.

15 Replies to “Basic Authentication for All Exchange Online Tenants Stops in October 2022”

  1. Pingback: Basic Authentication for All Exchange Online Tenants Stops in October 2022 – Office 365 for IT Pros – More Stuff 2 Read [Quite Sparsely]
  2. Pingback: Basic Authentication for All Exchange Online Tenants Stops in October 2022 – blog by @12Knocksinna – 365forall
  3. Pingback: SMTP AUTH Exception Smoothens Path to Removal of Basic Auth in Exchange Online - Office 365 for IT Pros
  4. Pingback: SMTP AUTH Exception Smoothens Path to Removal of Basic Auth in Exchange Online – Office 365 for IT Pros – More Stuff 2 Read [Quite Sparsely]
  5. Pingback: Why a Supposed Autodiscover Flaw is Just the Tip of an Iceberg
  6. Pingback: October 2021 Update Available for Office 365 for IT Pros (2022 Edition) - Office 365 for IT Pros
  7. Pingback: API Deprecations Signal the Demise of Exchange Web Services - Office 365 for IT Pros
  8. Pingback: Old Apple Email Clients Using Exchange ActiveSync Need to be Upgraded for Modern Authentication - Office 365 for IT Pros
  9. Pingback: How Exchange Online Uses Mailbox Plans to Populate Mailbox Settings - Office 365 for IT Pros
  10. Pingback: Microsoft Ignite 2021 is Next Week. Here’s What I Anticipate
  11. Pingback: Some Microsoft 365 Features Covered at Fall Ignite 2021 You Can Use Now - Office 365 for IT Pros
  12. Pingback: Improve MFA Effectiveness in Your Microsoft 365 Tenant in 30 Minutes
  13. Pingback: Five Issues for Microsoft 365 Tenant Administrators to Focus on in 2022
  14. Pingback: Why Using App Secrets in Production is a Bad Idea

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.