One month from today, we’re going to start to turn off basic authentication for specific protocols in Exchange Online.
Timeline and Scope
As we communicated last year in blog posts and earlier this year in MC375736 , we will start to turn off basic authentication in our worldwide multi-tenant service on October 1, 2022. We will randomly select tenants, send 7-day warning Message Center posts, post Service Health Dashboard notices, and turn off basic auth in the tenant.
We’re turning off basic auth for the following protocols: MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS) and Remote PowerShell.
We are not changing any settings or turning off SMTP AUTH.
What If You Are Not Ready for This Change?
We recognize many tenants may still be unprepared for this change.
Today we announced an update to our plan to offer customers who are unaware or otherwise not ready for this change. You can read this announcement here.
What should I do to prepare for this change?
Any client (user app, script, integration, etc.) using basic auth for an affected protocol will be unable to connect. The app will receive an HTTP 401 error: bad username or password. Any app using modern auth for these protocols will be unaffected.
If you are unsure if you have clients or apps that will be affected by this change, you can check the Azure AD Sign-In logs, or just check Message Center for any messages titled, ‘Basic Authentication – Monthly Usage Report’. We will send the usage report for August in the next few days. If you cannot see any of these messages, we have not detected basic authentication on the affected protocols in your tenant.
Message ID: MC424238
Published: 01 September 2022
Updated: 01 September 2022