Beginning October 1, 2022, Microsoft is starting to disable an outdated way of logging in to Exchange Online known as “basic authentication.” This method is vulnerable to various forms of password attacks. Its replacement is based on the OAuth standard, and the Microsoft implementation of that standard is called “modern authentication.”
Some customers might run into problems once the outdated login method is disabled for their organization, such as not being able to sign in to email.
When basic authentication is disabled for your organization, and various email clients are still using it, there are two things to know:
- How to temporarily re-enable basic authentication for your organization (which solves the immediate problem of not being able to sign in)
- How to stop using basic authentication permanently (because temporary re-enablement ends on December 31, 2022). Unless you address this, your users will not be able to sign in to Exchange Online starting January 2023, when we permanently disable basic authentication.
Let’s cover both of these.
Temporarily re-enable basic authentication for your organization
You can re-enable basic auth in your tenant by using our self-service diagnostic. You launch this self-help diagnostic by clicking this button which will take you to the diagnostic in the Microsoft 365 admin center (if you are a Global admin):
Or, you can open the Microsoft 365 admin center and click the green Help & support button in the lower right-hand corner of the screen:
When you click the Help & support button, you enter our self-help system. Here you can enter the phrase Diag: Enable Basic Auth in EXO and then run the tests. The test results will look like the following (results will vary depending on what we have disabled for your organization):
You can enable basic auth for each protocol you need (one by one). Within an hour (often much sooner) of asking us to re-enable basic auth for a protocol, it will start to work again.
Be aware that by re-enabling basic auth for a protocol, your users and data are more vulnerable to security risks.
Stop using basic authentication permanently
Here are some client-specific tips for you, with links to learn more:
- Outlook for Windows: The first thing to do is to make sure Outlook is up to date and that the organization-wide switch to enable modern authentication is set to True. Without that setting, Outlook for Windows won’t use modern auth. So, make sure it’s turned on. We are turning on the organization setting for customers as we disable basic auth for MAPI/RPC protocols, so this should be enabled already, but it’s worth checking. If things are still not working, check that Outlook has the right registry keys in place.
Note: If you are using Outlook for Windows with the POP or IMAP protocol, that will stop working permanently when basic authentication is disabled at the end of this year. Outlook for Windows does not support modern authentication using POP or IMAP, so if you need to keep using those legacy protocols, you will have to use a different email client (for example, Thunderbird).
- Outlook for Mac: If your Outlook for Mac clients insist on continuing to use basic auth, please see our recent blog post on this subject.
- Exchange ActiveSync: this refers to a protocol used by various native email and calendar apps, such as the Mail app on iOS. All mainstream apps on up-to-date mobile clients support modern auth, but many user devices might still be using basic auth. Removing and re-adding the account from the device should automatically switch it to modern auth.
However, if you use some sort of mobile device management (MDM/MAM) solution, you should use it to deploy new profiles. Here’s how you can use Intune to set the auth mechanism for iPhone and iPad, for example. If you’re using Basic Mobility and Security, take a look at this document for some more information on how to fix those devices.
There might also be some less common types of clients that stop working when basic auth is disabled; here is how to work with those:
- POP/IMAP applications: some of our customers use these protocols for application access. Please see this blog post for how to address both interactive and non-interactive apps.
- Exchange Web Services (EWS) applications: EWS supports app-only access, and you can use Application Access Policies to control what an app can access. If you have apps using EWS with basic auth, you must either modify the code or get the app developer to do so. Many partner apps already support modern auth; they just need a configuration change or an update to the latest version.
- PowerShell scripts: If you have scripts, follow this guide to use modern auth within scripts.
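As an added example (not code from this post or from Microsoft), here is one way a script can sign in without basic auth and check the organization-wide modern authentication switch mentioned in the Outlook for Windows item above. It assumes the ExchangeOnlineManagement module is installed and that an app registration with a certificate and an Exchange admin role already exists; the app ID, thumbprint and tenant domain shown are constructed placeholders.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example. All default values below are constructed placeholders.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$AppId        = '00000000-0000-0000-0000-000000000000', # placeholder app registration ID
    [string]$Thumbprint   = '<CERTIFICATE-THUMBPRINT>',             # placeholder certificate thumbprint
    [string]$Organization = 'contoso.onmicrosoft.com',              # placeholder tenant domain
    [switch]$Fix                                                    # turn the switch on if it is off
)

$ErrorActionPreference = 'Stop'

# App-only (certificate) sign-in: no password is sent, so the script keeps
# working after basic authentication is disabled for PowerShell.
Connect-ExchangeOnline -AppId $AppId -CertificateThumbprint $Thumbprint `
    -Organization $Organization -ShowBanner:$false

try {
    # OAuth2ClientProfileEnabled is the organization-wide modern auth switch.
    $org = Get-OrganizationConfig

    if ($org.OAuth2ClientProfileEnabled) {
        Write-Output "Modern authentication is enabled for $($org.Name)."
    }
    elseif ($Fix) {
        # ShouldProcess makes -WhatIf and -Confirm work for the change.
        if ($PSCmdlet.ShouldProcess($org.Name, 'Set OAuth2ClientProfileEnabled to True')) {
            Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
            Write-Output 'Modern authentication switch set to True.'
        }
    }
    else {
        Write-Warning ('Modern authentication switch is False; Outlook for Windows ' +
            'will not use modern auth. Re-run with -Fix to enable it.')
    }
}
finally {
    # Always release the remote session, even if a cmdlet above failed.
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Run it with `-Fix -WhatIf` first to see the change it would make without applying it.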
Clients that we do not expect to have problems with starting October 1, 2022:
- Outlook for iOS and Android – this client does not use basic authentication when connecting directly to Exchange Online mailboxes.
- Outlook on the web – authenticating with Outlook on the web through your web browser always uses modern authentication if the mailbox is in Exchange Online.
Where can I find more information?
There are several resources that we wanted to provide here as additional reading:
The Exchange Team