After years of warnings, the day has finally arrived: Microsoft has started switching off Basic Auth for Exchange Online customers. The mechanism is now being deprecated for MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, and Remote PowerShell protocols, but not for SMTP Auth. The replacement that Microsoft is now recommending is Modern Authentication (OAuth 2.0), which is more secure.
Interestingly, Basic Auth will not be disabled simultaneously for all tenants. Instead, Microsoft will start doing it randomly on a tenant-by-tenant basis. And Microsoft's October 1 date for kicking off this process is actually a soft deadline, not a hard one.
This is because customers who are not ready for this configuration change (even though Microsoft has been cautioning about it for years) can re-enable Basic Auth through the self-service diagnostic tool. The authentication will then continue to work until the end of December and Microsoft will then permanently disable it in the first week of January next year. That said, it is obviously recommended that you move away from Basic Auth as quickly as possible.
Other companies and apps which previously used Basic Auth to communicate with Exchange Online have recently been making changes to switch to OAuth 2.0 too.
Google published an advisory saying that customers who are using Calendar Interop to sync meetings between Google Calendar and Exchange Online should move to Modern Authentication. Apple has also been collaborating with Microsoft to handle the transition of legacy Exchange Online accounts from Basic Auth to Modern Auth more smoothly.
That said, if you're an IT admin who is hellbent on using Basic Auth, you should check out Microsoft's guidance here.
3 Comments - Add comment