About disabling Basic Auth in Exchange Online

Microsoft's Exchange team announced in September last year that on October 1, 2022, Microsoft would permanently deactivate Basic Auth for all tenants still using it and that, after deactivation, tenants would switch to Modern Auth (a more secure authentication method). This is important to remember because there are fewer than two months left, and anything still using Basic Auth when it is deactivated could fail with an HTTP 401 error (bad username or password) in production environments.

In this post, I tell you more about it:

What does this deactivation consist of?

Starting October 1, 2022, Microsoft will begin disabling Basic Auth progressively, choosing at random among the tenants still using it, and the change is expected to be in place for everyone by the end of the year. Each selected tenant will be notified by an alert in the 7 days before the change via Message Center and Service Health Dashboard. The procedure is detailed in the following post from the Exchange team.

Basic Auth will be disabled for the following protocols: MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS) and Remote PowerShell.

What are the consequences?

According to the Exchange team, if you have a user app, script, integration, etc. that uses Basic Auth for any of the affected protocols, it will no longer be able to connect. The app will instead display a client-side HTTP 401 error: bad username or password.

Apps using Modern Auth for the same protocols will not be affected, so it is essential to act ahead of the deactivation period to prevent our apps (scripts, integrations, etc.) from going out of service and affecting production.

Why will Basic Auth cease to exist?

Basic Auth is one of the most common (or the most common) ways in which customer account compromises occur and these types of attacks are on the rise, according to the Exchange team.

Basic authentication is used for protocols such as POP, SMTP, IMAP, and MAPI, where MFA (multi-factor authentication) could not be configured, and this is why cyber attackers exploit them as a way into the organization. In other words, MFA is not available with basic authentication, which means that if credentials have been compromised there is no extra layer of security to prevent unauthorized access to systems (this is the purpose MFA serves: it adds more access controls).

How to make the change?

A plan should be created to migrate applications and users that are using Basic Auth to Modern Auth following the documentation 'Deprecation of Basic authentication in Exchange Online | Microsoft Docs' and the Exchange team's post: 'Basic Authentication Deprecation in Exchange Online - May 2022 Update - Microsoft Tech Community'.

Access the following link for more information on how to disable Basic Auth in Outlook, Exchange Web Services (EWS), Remote PowerShell, POP and IMAP and Exchange ActiveSync (EAS).
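
A migration plan starts with knowing which accounts still sign in over the affected protocols. The sketch below is an added example, not from the Exchange team's documentation: it assumes sign-in records exported as JSON lines with the Microsoft Graph sign-in fields userPrincipalName and clientAppUsed, and the mapping from client-app labels to the protocols listed in this post is an assumption. The sample records are constructed.

```python
import json
from collections import defaultdict

# Assumed mapping: sign-in log client-app label -> protocol named in this post.
LEGACY_CLIENT_APPS = {
    "MAPI Over HTTP": "MAPI",
    "Outlook Anywhere (RPC over HTTP)": "RPC",
    "Offline Address Book": "OAB",
    "Exchange Web Services": "EWS",
    "POP3": "POP",
    "IMAP4": "IMAP",
    "Exchange ActiveSync": "EAS",
    "Exchange Online PowerShell": "Remote PowerShell",
}

# Constructed sample export (one JSON record per line); not real tenant data.
SAMPLE_EXPORT = """\
{"userPrincipalName": "svc-scanner@contoso.example", "clientAppUsed": "IMAP4"}
{"userPrincipalName": "SVC-Scanner@contoso.example", "clientAppUsed": "IMAP4"}
{"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser"}
{"userPrincipalName": "bob@contoso.example", "clientAppUsed": "Exchange ActiveSync"}
{"userPrincipalName": "svc-report@contoso.example", "clientAppUsed": "Exchange Web Services"}
{"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Mobile Apps and Desktop clients"}
{"userPrincipalName": "carol@contoso.example", "clientAppUsed": "POP
"""

def inventory_basic_auth(export_text):
    """Return {protocol: {account: sign-in count}} for legacy-protocol sign-ins."""
    found = defaultdict(lambda: defaultdict(int))
    for line in export_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or truncated rows instead of aborting the run
        protocol = LEGACY_CLIENT_APPS.get(rec.get("clientAppUsed"))
        upn = rec.get("userPrincipalName")
        if protocol and upn:
            found[protocol][upn.lower()] += 1  # UPNs are case-insensitive
    return {p: dict(users) for p, users in found.items()}

def migration_worklist(inventory):
    """Flatten to (account, protocol, count) rows, busiest first."""
    rows = [(u, p, n) for p, users in inventory.items() for u, n in users.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))

if __name__ == "__main__":
    for user, proto, count in migration_worklist(inventory_basic_auth(SAMPLE_EXPORT)):
        print(f"{user:35} {proto:18} {count}")
```

Service accounts tend to surface at the top of the worklist; they are the ones most likely to break silently when the tenant is selected.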