On September 1, the Microsoft Exchange Team announced they will be disabling Basic Authentication on October 1st, 2022. This affects users who are connecting to Microsoft 365 and Exchange Online with Outlook 2013, an older Voicemail system, or use Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, Exchange Web Services (EWS), Offline Address Book (OAB), Outlook for Windows, and Mac.
Why Should You Care?
If you have users or applications connecting to the Microsoft 365 environment, they will stop working at the end of September - unless you ask Microsoft to delay until December 2022 so you can fix and upgrade your legacy applications to modern applications.
What is Basic Authentication?
Basic authentication simply means the application sends a username and password with every request. Basic Authentication is enabled by default on most servers or services, is simple to use for users, for administrators, and especially for hackers!
Now What?
At Vista IT Group, we have already helped our customers by reporting on their Basic Authentication issues and are actively collaborating with them to mitigate this issue. We highly recommend that you investigate this issue. Below are some helpful guides to help you get started, but as always, please reach out if we can help in any way!
- How Do You Know If Basic Authentication is Being Used in Your Environment?
- What To Do If You Find Applications Using Basic Authentication
- Diagram of the Changes
- Further Reading
How Do You Know If Basic Authentication is Being Used in Your Environment?
To find out if you have applications that are using Basic Authentication, connect to your Microsoft 365 environment, and go to Azure Active Directory Admin Center | Users | Sign-in Logs | Date: Last 7 days | Add filters as shown:
Select Client App
Select All Legacy Authentication Clients
Review the results to determine if any of the Legacy Authentication Clients are connecting to Microsoft 365.
NOTE: The Exchange Teams states that: “We are not making any change to Authenticated SMTP starting on October 1st. If it works today, it will keep working from October 1st, until the day when SMTP Auth support for basic auth goes away (which has not been announced).”
What To Do If You Find Applications Using Basic Authentication.
Through September 2022, you can opt out of this change, and it will extend your Basic Authentication use until the end of December 2022.
To opt out, go to the Microsoft 365 Admin Center, click on the green Help and Support button, and type Diag: Enable Basic Auth in EXO as shown:
Diagram of the Changes
If you’re a visual learner, perhaps the diagram below from Microsoft will help clarify the pending changes.
