Exchange Online Basic Authentication is Disabled

Written By Cengiz YILMAZ

Microsoft MVP

On May 3, Microsoft announced that it will begin phasing out Basic Authentication in Exchange Online starting in October 2022. The decision was made because of the security risks Basic Authentication poses: attackers can exploit this weak form of authentication to gain access to user accounts, and attack techniques such as password spray make the problem worse.

Important Information for Closing Exchange Online Basic Authentication

  1. Wide Application: Microsoft has already disabled the feature for millions of tenants that do not use Basic Authentication.
  2. Affected Protocols: As of October 1, 2022, Basic Authentication will be disabled for Exchange Web Services (EWS), Remote PowerShell, POP3, IMAP4, MAPI over RPC, Exchange ActiveSync, and Offline Address Book (OAB). Microsoft will roll this change out across all Office 365 data centers, and the process is expected to be completed by the end of the year.
  3. SMTP AUTH Exception: SMTP AUTH is the only protocol that will continue to support Basic Authentication for now. It is unclear how long this will last, so users should start modernizing these connections as soon as possible.
  4. Modern Authentication and Device Management: Apple devices with modern operating systems can connect to Exchange Online mailboxes using Exchange ActiveSync and modern authentication. However, transferring settings from an old device to a new one may carry over Basic Authentication settings, and such devices may no longer be able to connect after Microsoft disables this method.
  5. Authentication Policies and Security Measures: Authentication policies can now be used to block Basic Authentication. This allows proactive blocking of insecure protocols such as POP3 and IMAP4, which attackers commonly target.

Conclusion

As a tenant administrator, you can take steps such as applying Azure AD conditional access policies or disabling specific protocols per mailbox with the Set-CasMailbox cmdlet. However, these measures only take effect after the account has been successfully authenticated. Blocking protocols with authentication policies stops attackers from completing authentication in the first place, so a password-spray attempt never confirms which credentials are valid.
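The following is an added example, not part of the original post, showing how the two layers described above fit together in Exchange Online PowerShell: an authentication policy that blocks Basic Authentication before credentials are validated, and the per-mailbox Set-CASMailbox switches that apply after sign-in. It assumes the Exchange Online PowerShell module is installed and the session has Exchange administrator rights; the policy name and the mailbox address are placeholders.

```powershell
# Added example (not the post author's code). Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account is an Exchange administrator.
# "Block Basic Auth" and user@contoso.example are placeholders.
Connect-ExchangeOnline

# 1. Authentication policy: rejects Basic Auth before the password is ever
#    checked, so an attacker gets no signal about which credentials are valid.
#    A newly created policy already denies Basic Auth on every protocol; the
#    explicit switches below make the intent reviewable in change control.
$policyName = "Block Basic Auth"
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}
Set-AuthenticationPolicy -Identity $policyName `
    -AllowBasicAuthActiveSync:$false `
    -AllowBasicAuthImap:$false `
    -AllowBasicAuthPop:$false `
    -AllowBasicAuthMapi:$false `
    -AllowBasicAuthRpc:$false `
    -AllowBasicAuthWebServices:$false `
    -AllowBasicAuthPowershell:$false `
    -AllowBasicAuthOfflineAddressBook:$false `
    -AllowBasicAuthSmtp:$false

# Make it the tenant default so new and otherwise unassigned users are covered.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# 2. Per-mailbox protocol switches. These only matter once a sign-in has
#    already succeeded, so they complement the policy rather than replace it.
$user = "user@contoso.example"   # placeholder mailbox
Set-CASMailbox -Identity $user -PopEnabled $false -ImapEnabled $false `
    -SmtpClientAuthenticationDisabled $true

# 3. Verify: find mailboxes that still have legacy protocols enabled, and
#    confirm which authentication policy is applied to the user.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled
Get-User -Identity $user | Select-Object UserPrincipalName, AuthenticationPolicy
```

Policy changes can take some time to propagate across the tenant, so re-run the verification step after a while rather than assuming the first run reflects the final state.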
