In about 150 days from today, we’re going to start to turn off Basic Auth for specific protocols in Exchange Online for those customers still using it.
Since we announced the October 1, 2022 deadline last year we’ve seen great progress from customers and partners as they move their clients and apps from basic to Modern Authentication. Since there are a lot of customers still using Basic Auth, we wanted to re-state the scope and implications of this change, and to answer some of the common questions we get.
As a reminder, Basic Auth is still one of, if not the most common ways our customers get compromised, and these types of attacks are increasing.
We’ve disabled Basic Auth in millions of tenants that weren’t using it, and we’re currently disabling unused protocols within tenants that still use it, but every day your tenant has Basic Auth enabled, you are at risk from attack.
Timeline and Scope
As we communicated last year in blog posts and Message Center posts, we will start to turn off Basic Authentication in our worldwide multi-tenant service on October 1, 2022. To be clear, we will start on October 1; this is not the date we turn it off for everyone. We will randomly select tenants, send 7-day warning Message Center posts (and post Service Health Dashboard notices), then we will turn off Basic Auth in the tenant. We expect to complete this by the end of this year. You should therefore be ready by October 1.
We’re turning off Basic Auth for the following protocols: MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, and Remote PowerShell.
We are not turning off SMTP AUTH. We have turned off SMTP AUTH for millions of tenants not using it, but if SMTP AUTH is enabled in your tenant, it’s because we see usage and so we won’t touch it. We do recommend you disable it at the tenant level and re-enable it only for those user accounts that still need it.
Exceptions and Per-Tenant Timing
There is no way to request an exception after October. Tenant selection is random, and we cannot put your tenant to the back of the queue to give you more time or change your settings on any specific date. If you want Basic Auth to be disabled at a time of your choosing (either now, or as soon as you are ready), use Authentication Policies. More info on that below.
What should I do to prepare for this change?
Any client (user app, script, integration, etc.) using Basic Auth for one of the affected protocols will be unable to connect. The app will receive an HTTP 401 error: bad username or password.
Any app using Modern Auth for these same protocols will be unaffected.
Our documentation page lists some of the common apps and what can be done to switch them from basic to Modern Auth, but based on calls with customers of all sizes, here are some common themes:
- If you have Outlook for Windows, make sure it’s up to date, has the right registry keys in place and most importantly – that the tenant-wide switch to enable is set to True! Without that setting Outlook for Windows won’t use Modern Auth. So, turn it on. If clients are already logged in to another Microsoft 365 app, such as Teams, they are already authenticated and so it’s very likely they will not see any kind of auth prompt. We are turning this setting on for customers as we disable Basic Auth for MAPI/RPC in the tenant, but not before. We want to make sure Outlook can connect using Modern Auth once Basic Auth is disabled. Outlook doesn’t support OAuth with POP and IMAP – if you want to use POP and IMAP, with a client app, you’ll need another app.
- POP/IMAP – we have several customers using these protocols for application access. POP and IMAP both support OAuth for interactive applications, and we’re rolling out support for non-interactive flows now. If you are a developer you’ll know where to look, and if you do that right now you’ll find the IMAP.AccessAsApp and POP.AccessAsApp permissions. We’ll have some guidance on how to use them very soon, so watch out for that.
- EWS apps – we also have several customers with apps that use EWS and Basic Auth. EWS supports app-only access and you can use Application Access Policies to control what an app can access – if you have apps using EWS with Basic Auth, you need to either modify the code, or get the app owner to do so. Many partner apps have support for Modern Auth, you just need to modify your configuration or update to the latest versions. Do it now!
- ActiveSync – all the native apps on up-to-date clients support Modern Auth, but many users devices are still using Basic Auth. If you use an MDM/MAM solution, use it to deploy new profiles. Here’s how you can use Intune to set the auth mechanism for iPhone and iPad, for example. If you don’t have an MDM, simply remove and re-add the account from the device and it should automatically switch to Modern Auth.
- PowerShell scripts – If you have scripts you need to run, follow this guide to use Modern Auth in your scripts.
- Reporting Web Services – this supports OAuth now, and Basic Auth will be disabled starting October 1.
- Microsoft Teams Rooms – make sure they are using Modern Auth by following these steps.
How do you know you are still using Basic Auth? Azure AD sign-in events is the best place to look (filter by client app, then in the client app filter, check the boxes for the affected protocols under Legacy Authentication Clients). Check out this post for more info.
We also send monthly Message Center posts to tenants using Basic Auth, summarizing their usage. We’ve been doing this since October 2021. These are not as exact as Azure AD’s reports; they are meant as an indicator of usage, but if you get one, you should investigate what’s causing it.
Sometimes, we are asked if we can send the list of users still using Basic Auth. Unfortunately, we cannot send you a list, because that information is only available inside your tenant for privacy reasons. Of course, this information is available to admins in the Azure portal.
What’s the Best Way to Disable Basic Auth Once I’m Done?
The absolute best way to disable Basic Auth is to use Authentication Policies to block Basic Auth. As this article clearly states, if you want to block Basic Auth, use Auth Policies. Don’t use Set-CASMailbox or Conditional Access, as those are both post-authentication. They prevent access to the data, but they don’t stop authentication.
You might notice that that we’re not disabling Autodiscover at this time. That’s something we’ll do once the clients that depend on it are using Modern Auth, but it’s also something you can do for yourself with Authentication Policies.
What If I Still Need Help?
If you still need help, that’s where our amazing network of partners, MVPs, community, and Microsoft support engineers come in. There’s a huge amount of experience and knowledge to help you with this transition. So, ask questions, look for help, and most importantly – disable Basic Auth and get secure!