Almost three years ago, Microsoft announced that it is turning off Basic Authentication in Exchange Online and migrating to Modern Authentication (OAuth 2.0). Since then, the company has been regularly publishing reminders requesting customers to switch as soon as possible. In fact, even Google published an advisory saying that customers who are using Calendar Interop to sync meetings between Google Calendar and Exchange Online should move to Modern Authentication.
Today, Microsoft has put out another advisory, warning customers that it will start switching off Basic Authentication from October 1... with a twist.
The deprecation process is interesting though, because it's gradual. Starting from October 1, Microsoft will begin selecting tenants on a random basis and then switching off Basic Authentication access for MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS), and Remote PowerShell. It is important to note that the protocol will not be disabled for SMTP AUTH.
Affected tenants will be informed seven days prior to the change and will be notified on the day of the change too. Microsoft has noted that the use of Basic Authentication is still not 0% despite multiple warnings, the company says that:
We recognize that unfortunately there are still many tenants unprepared for this change. Despite multiple blog posts, Message Center posts, interruptions of service, and coverage via tweets, videos, conference presentations and more, some customers are still unaware this change is coming. There are also many customers aware of the deadline who simply haven’t done the necessary work to avoid an outage.
Our goal with this effort has only ever been to protect your data and accounts from the increasing number of attacks we see that are leveraging basic auth.
However, we understand that email is a mission-critical service for many of our customers and turning off basic auth for many of them could potentially be very impactful.
There is a catch, though. Customers who are still not ready for this configuration change will be allowed to re-enable Basic Authentication again once per protocol. This can be done through the self-service diagnostic tool and the re-enabled Basic Auth protocols will continue to function till the end of December 2022. Starting from the first week of the next year, Microsoft will disable Basic Auth permanently.
In a way, this is more of a "soft" deprecation than a "hard" one, at least in October. That said, December will definitely be the day that Basic Auth dies for most protocols in Exchange Online, provided that Microsoft stays true to its word this time.
Microsoft has also pointed out that:
We’re adding a new capability to Microsoft 365 to help our customers avoid the risks posed by basic authentication. This new feature changes the default behavior of Office applications to block sign-in prompts using basic authentication. With this change, if users try to open Office files on servers that only use basic authentication, they won't see any basic authentication sign-in prompts. Instead, they'll see a message that the file has been blocked because it uses a sign-in method that may be insecure.
If you're an IT admin who is hellbent on using Basic Auth, you should check out Microsoft's guidance here.