Microsoft will disable Basic authentication

Microsoft will disable Basic authentication for Exchange Online in less than a month

Microsoft has posted a reminder on the Exchange Team blog that Basic authentication for Exchange Online will be disabled in less than a month, on October 1, 2022.

The first announcement of the change stems from September 20, 2019. With so much warning you might expect organizations to be ready, and many are. But there has been an entire pandemic since then, and no shortage of other things for Exchange users to worry about. So, as always, some aren’t ready.

Goodbye “Basic”, hello “Modern”

For many years, client apps have used Basic authentication to connect to servers, services and endpoints. It is enabled by default on most servers and services and it’s easy to set up. Basic authentication sends a username and a password with every request and does not require TLS. This can leave credentials being sent back and forth over the wire in plain text, making them easy to intercept. To make matters worse, according to Microsoft, using Basic authentication means “the enforcement of multifactor authentication (MFA) is not simple or in some cases, possible”—an absolute no-no for 2022.

Microsoft wants its customers to switch to Modern authentication (OAuth 2.0 token-based authorization). Modern authentication is an umbrella term for a combination of authentication and authorization methods between a client, like a laptop or a phone, and a server. It enables authentication features like multi-factor authentication (MFA), smart cards, certificate-based authentication (CBA), and third-party Security Assertion Markup Language (SAML) identity providers.

The schedule

The change will be implemented for MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS), and Remote PowerShell. SMTP AUTH remains as is. For those using Reporting Web Service REST endpoint to get access to Message Tracking Logs and more, this service will continue to have Basic authentication enabled until December 31 2022.

To spread the workload, starting October 1, Microsoft will start to randomly select tenants and disable Basic authentication for the affected protocols. Users will receive a message seven days before, and receive Service Health Dashboard notifications to each tenant on the day of the change.

To avoid the pitfall of thinking your organization is ready, while you are not, there is a Basic authentication self-help diagnostic to be found in the Microsoft 365 admin center. Click the small green “?” symbol in the lower right hand corner of the screen and enter the phrase “Diag: Enable Basic Auth in EXO”. (Alternatively, the Microsoft blog article has button that will launch the diagnostics in Admin center for you.)

Escape and delay

If you are not ready for this change then Microsoft is offering customers the option to opt specific protocols out of the Basic authentication disablement temporarily. Be warned though, by January 2023 Basic authentication will be off for all protocols, no matter whether you opted out or not.

It is also worth considering that no matter how inconvenient this change might be, it is being done for very good security reasons, so we would advise you to switch to Modern authentication as soon as possible. We have reported about many phishing campaigns that are after your Microsoft login credentials and many other schemes to steal them. Basic authentication is simply no longer safe enough for such an important part of your businesses.

Are you ready? Let us know in the comments if anything is holding you back or whether you’ve been ready for years.


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.