Date: 2022-09-02

Microsoft announced that it is going to start to turn off basic auth for specific protocols in Exchange Online for customers who use them.

Moving an Exchange Online organization from Basic Authentication to OAuth 2.0 token-based authentication provides better protection.

Microsoft announced its intent to deprecate Basic Authentication in 2019, to prevent data breaches and other security issues.

Microsoft is taking email security one step further by disabling Basic Authentication in Exchange Online for all tenants starting October 1. The tech giant announced its intent to deprecate Basic Authentication in 2019, allowing Exchange Online users to switch to Modern Authentication. Microsoft once again pointed out that using Basic Authentication carries a great risk of data breaches and disruption of email, both of which are very common among attackers.

OAuth 2.0 token-based authentication

Microsoft stated that moving an Exchange Online organization from Basic Authentication to OAuth 2.0 token-based authentication, also known as Modern Authentication, provides better protection. It also enables organizations to use features like multifactor authentication to take email security one step further. Microsoft stated that it is especially beneficial for small to medium-sized businesses that don’t have dedicated security professionals.

Starting on the 1st of October, the Exchange team will begin randomly selecting tenants and disabling basic authentication access for MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS), and Remote PowerShell. Organizations will be notified with a message sent to the Message Center 7 days prior. The team will also post Service Health Dashboard notifications to each tenant on the day of the change. During the process, SMTP AUTH settings won’t be disabled or changed. The Exchange team said:

« We recognize that unfortunately there are still many tenants unprepared for this change. Despite multiple blog posts, Message Center posts, interruptions of service, and coverage via tweets, videos, conference presentations and more, some customers are still unaware this change is coming. There are also many customers aware of the deadline who simply haven’t done the necessary work to avoid an outage. Our goal with this effort has only ever been to protect your data and accounts from the increasing number of attacks we see that are leveraging basic auth. However, we understand that email is a mission-critical service for many of our customers and turning off basic auth for many of them could potentially be very impactful. »

Once basic auth is turned off, customers will be able to use the self-service diagnostic to re-enable basic auth for any protocols they need, once per protocol.