Basic Authentication is still used by many companies for Exchange Online. The login relies on a username and password alone, which leaves it exposed to brute-force attacks, password-spray attacks and similar credential attacks. The longer you continue to use Basic Authentication, the greater the risk of an attack.
Microsoft's next move?
Microsoft will disable Basic Authentication in its global multi-tenant service as of October 1, 2022. Each tenant is processed in random order. An alert and a note will appear on the Service Health Dashboard seven days prior to the change.
When Basic Authentication is turned off for one of the affected protocols, clients that still use it for that protocol will no longer be able to connect. The user sees an HTTP 401 error with a bad username or password message. That’s not something you want users to see.
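The failure described above lands on whichever day Microsoft reaches your tenant. The following is an added example (not part of the original article) of how an admin can find out who still signs in with legacy protocols and then block Basic Authentication on their own schedule with an Exchange Online authentication policy. It assumes the ExchangeOnlineManagement module, the Microsoft Graph PowerShell SDK with the AuditLog.Read.All scope, admin rights, and the placeholder address pilot.user@contoso.example.

```powershell
# Added example, not the article's own code. Assumes ExchangeOnlineManagement and
# Microsoft Graph PowerShell SDK are installed and you hold the required admin roles.
Connect-ExchangeOnline
Connect-MgGraph -Scopes "AuditLog.Read.All"

# 1. Sign-ins from the last 7 days whose client app the Azure AD sign-in log
#    classifies as legacy authentication. These are the users who will see the
#    HTTP 401 once Basic Auth is switched off for that protocol.
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
$legacyClients = @(
    'Exchange ActiveSync', 'IMAP4', 'POP3', 'Exchange Web Services',
    'Outlook Anywhere (RPC over HTTP)', 'Authenticated SMTP',
    'Reporting Web Services', 'Other clients'
)
$legacy = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $legacyClients -contains $_.ClientAppUsed }

# Report: who uses which legacy protocol, most active first.
$legacy | Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 2. Block Basic Auth with an authentication policy. A newly created policy
#    blocks every AllowBasicAuth* protocol by default, so no switches are needed.
New-AuthenticationPolicy -Name "Block Basic Auth" | Out-Null

# Pilot first: assign the policy to individual users (placeholder address).
Set-User -Identity "pilot.user@contoso.example" -AuthenticationPolicy "Block Basic Auth"

# Once the pilot is clean, make it the tenant default so every user gets it.
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

# Confirm what is now in force.
Get-AuthenticationPolicy -Identity "Block Basic Auth" |
    Format-List Name, AllowBasicAuth*
```

Running step 1 before step 2 turns Microsoft's random-order cutoff into a planned change: the report tells you which users and apps to migrate, and the policy lets you switch Basic Authentication off per user before the global date so the 401 appears on a day your helpdesk expects it.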
What should I do?
A user who is already signed in to another Microsoft 365 app, such as Teams, will likely not see any authentication prompts, since they are already verified. For MAPI/RPC, Microsoft disables Basic Authentication in the tenant itself and enables the corresponding Modern Authentication setting for customers.
As soon as Basic Authentication is disabled, Microsoft wants Outlook to be able to connect using Modern Authentication. However, Outlook does not support OAuth with POP3 or IMAP. If you want to use POP and IMAP with a client app, you will need another app.
- Outlook: Verify that Outlook for Windows is up to date, that it has the correct registry keys, and, most importantly, that the Enable switch is set to True for the entire tenant. Without that setting, Outlook does not use Modern Authentication.
- POP/IMAP: Both POP and IMAP support OAuth for interactive applications, and Microsoft is rolling out support for non-interactive flows.
- EWS apps: EWS only supports app access, and you can control what an app can access with Application Access Policies. The code for apps that use EWS with Basic Authentication must be changed. The latest version of many partner apps supports Modern Authentication; you just need to adjust your configuration. Do that as soon as possible!
- Exchange ActiveSync: All native apps on up-to-date devices support Modern Authentication, but many users still connect with Basic Authentication. If you’re using an MDM/MAM solution, use it to deploy new profiles. If you don’t have MDM/MAM, delete the account on the device and add it again; it will automatically transition to Modern Authentication.
- Reporting Web Services: Support for OAuth has already been rolled out (completed at the end of May). Basic Authentication will be disabled as of October 1.
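The Outlook and EWS items in the list above each come down to a tenant setting an admin can check. This added example (not the article's own code) verifies the tenant-wide Outlook switch, checks the client-side registry value on a Windows workstation, and scopes an EWS app with an Application Access Policy. It assumes the ExchangeOnlineManagement module, Office 16.0 (Outlook 2016 or later) on the workstation, and placeholder values for the app ID, the group address and the test user.

```powershell
# Added example, not the article's own code. Assumes ExchangeOnlineManagement is
# installed. '<APP-ID>', the group address and the test user are placeholders.
Connect-ExchangeOnline

# Outlook, tenant side: this is the "Enable switch" from the list. Outlook for
# Windows only uses Modern Authentication when it is True.
$org = Get-OrganizationConfig
if (-not $org.OAuth2ClientProfileEnabled) {
    Write-Warning "OAuth2ClientProfileEnabled is False; enabling it for the tenant."
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}

# Outlook, client side: Modern Authentication is on by default in Outlook 2016 and
# later, but an explicitly set EnableADAL=0 (often left behind by an old GPO)
# switches it off and sends Outlook back to Basic Authentication.
$identityKey = 'HKCU:\SOFTWARE\Microsoft\Office\16.0\Common\Identity'
$enableAdal = (Get-ItemProperty -Path $identityKey -Name EnableADAL `
                   -ErrorAction SilentlyContinue).EnableADAL
if ($enableAdal -eq 0) {
    Write-Warning "EnableADAL is explicitly 0 on this machine; Outlook will not use Modern Authentication."
}

# EWS, app access: limit an OAuth app to the mailboxes in one mail-enabled group.
# Without a policy an app with application permissions can reach every mailbox.
New-ApplicationAccessPolicy -AppId '<APP-ID>' `
    -PolicyScopeGroupId 'ews-allowed@contoso.example' `
    -AccessRight RestrictAccess `
    -Description 'EWS app limited to members of ews-allowed'

# Check the outcome for a user inside and one outside the group before go-live.
Test-ApplicationAccessPolicy -Identity 'member@contoso.example'    -AppId '<APP-ID>'
Test-ApplicationAccessPolicy -Identity 'nonmember@contoso.example' -AppId '<APP-ID>'
```

Test-ApplicationAccessPolicy reports an AccessCheckResult of Granted or Denied for each identity, which is the quickest way to confirm that the policy actually narrows the app's reach before you cut the app over from Basic Authentication to OAuth.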