Basic Authentication Deprecation in Exchange Online – Time’s Up
Published Dec 20 2022 11:19 AM

In early January 2023, we will permanently turn off Basic auth for multiple protocols for many Exchange Online tenants.

We want to thank you once again for all the hard work you’ve done to prepare your tenant and users for this change, and for your part in helping secure our service and your data.

How Will This Change Happen 

Beginning in early January, we will send Message Center posts to affected tenants about 7 days before we make the configuration change to permanently disable Basic auth use for protocols in scope (we are still not touching SMTP, but you should).

Soon after basic auth is permanently disabled, any clients or apps connecting using Basic auth to one of the affected protocols will receive a bad username/password/HTTP 401 error.

The only remediation for this is to update the client or app or use a different client or app that supports Modern authentication.

Frequently Asked Questions

Why are you making this change?
We’re making this change to protect your tenant and data from the increasing risks associated with Basic auth. The reasons to do this are many.

Wait! I still need to use Basic auth; how can I get it re-enabled in my tenant once it gets disabled in January?
You cannot; it has been permanently disabled. Calling support will not help either, as they cannot re-enable Basic auth for you.

Basic auth got disabled and my email client keeps prompting me for a password…do you have any guidance for me?
Read our blog post: Exchange Online email applications stopped signing in, or keep asking for passwords? Start here.

Where can I read more about this?
You can read our official documentation here.

What happened to the basic authentication self-service re-enablement diagnostic in Microsoft 365 admin center?
Starting in January 2023, we have removed the diagnostic that you could use to re-enable basic authentication in your tenant because we are starting to permanently disable basic authentication in Exchange Online.

Summary

It’s taken more than three years to reach this point, and we know it has taken a lot of effort from customers, partners and developers too. Thank you to everyone who has played their part in helping secure our customers’ data and tenants. Together, we’ve improved security!

The Exchange Team

79 Comments
Iron Contributor

You gave people enough time as awareness for this change. No more delay, let it happen 😈. Damned if you do, damned if you don’t.

Copper Contributor

This will make enabling multi-factor authentication a lot easier by forcing all sign-ins using modern auth and MFA in turn will make phishing attempts less effective.

 

This Web App helped us quickly find all devices still on basic authentication; it will give you a quick idea if you still have users on basic auth and how many (might be helpful).

 

Thanks to Microsoft for making email a lot more secure

 

Brass Contributor

Finally! A real milestone!

The old legacy protocols are overdue for deprecation…

Microsoft

@itkpli To be clear - we are not deprecating protocols, we are deprecating using various protocols with basic auth.

Copper Contributor

System.Net.Mail.SmtpClient is deprecated, Legacy Applications don't support modern authentication, MailKit doesn't support confidential client authentication; what more solutions do we have to send an email?

Copper Contributor

This isn't about letting people know. People are using legacy apps that might not be getting many updates. I paid for a product that had this and then someone just decided to take it. I didn't actually find out about it because my IT department was, you know, gutted by Covid and I don't read MS press releases. If you don't want it for your account go for it, but don't force it on me because you think oauth is so great. I don't really think oauth 2.0 is a huge improvement and setting it up is cumbersome to say the least. I'd rather have seen IP whitelisting and other real security vs trying to fix everything with ever more complicated keys. So you have the key and you are in Russia you can still get in? What the heck are we all smoking.

We are going to workaround this with a proxy etc, but honestly I just wish there were real alternatives to Exchange that corporate America would consider, because this is what monopolistic behavior looks like.

Copper Contributor

Hi everyone, 

 

Just had one query: we are using Office 365 for email functionalities and using SMTP, IMAP and POP3 in our application and scripts. What will be the timeline for disabling basic auth, as I see recent dates it's something around 1 March 2023? Is there an option to avoid this disablement of basic auth for impacted protocols till migration with modern authentication techniques?

Copper Contributor

So reading between the lines, there will be 7 days grace ... so shutdown will be from 7 January not 1 January? I inherited a system I am in the process of moving to use OAuth2 ... do I have 7 more days or not (at least, depending on when we are going to be notified?). And I agree with Eric Twilegar ... not everyone had 3 years ... sanctimonious comments from some ppl is not helping.

@Hifni Nazeer - we're not disabling basic for SMTP AUTH just yet, you can keep using basic for the time being. 

@Mahesh15 - time is up. We will be disabling basic for POP and IMAP (and more) in January. 

@madmax786 - somewhat correct - you'll get a 7-day warning. So if you haven't had one yet, you still have (at least) 7 days. 

Copper Contributor

There is one thing that is baffling to me: why is SSL the ONLY option for oauth 2.0? In testing I had TLS enabled but it didn't work. As soon as I switch it to SSL it works fine. SSL is deprecated in favor of TLS. I realize this is just for authentication but isn't the whole point of the big push to oauth 2.0 to protect the accounts?

Copper Contributor

Since new year I can not read work mail using the latest thunderbird or apple mail (iphone) clients.

I switched to SSL/TLS OAuth2 a couple of months ago when I could no longer authenticate. This time, however, thunderbird says I'm authenticated but that INBOX can not be opened.

If I establish a VPN connection to work then everything works as it should, also with thunderbird.

The outlook client works without having to use VPN.

So what's up?

@NoahD1330 - not sure that's the issue, OAuth 2.0 works just fine with TLS. Are you using TLS 1.2? Preparing for TLS 1.2 in Office 365 and Office 365 GCC - Microsoft Purview (compliance) | Microsoft ... 

 

@Tipo874 - Were security defaults enabled in the tenant? Raising the Baseline Security for all Organizations in the World - Microsoft Community Hub 

Copper Contributor

Things started working all of a sudden. I assume someone found a problem and fixed it. 

Copper Contributor

Have these messages started showing up in tenants yet?

 

Also, where exactly will these alerts be?  If in the Message Center aren't those messages everyone sees?

 

Thanks

Copper Contributor

Microsoft will put a banner on top of your main Admin page.  This happened to our account a few months ago which scared me because the ticketing server at the time can only use basic auth.  We only use three mailboxes just for the ticketing server with basic auth.  All of my users are using modern auth so honestly don't know why Microsoft couldn't make an exception for those with basic auth to secure it with conditional access like trusted IPs? 

 

From what I've been reading lately Microsoft will start notifying rest of the office 365 admins pretty soon.  Probably middle of this month.

 

 

When we select your tenant we will both post a message to Message Center, and we'll post to the Service Health Dashboard too, both giving you 7 days (approx) warning. Tenants are being selected every day currently. We're not doing it all in one go, my friends in support wouldn't appreciate that. 

Copper Contributor

Thanks for the heads up so we know this is actually happening.

 

Copper Contributor

Keeping an eye on the Message Centre and the Health Service Dashboard.

Just to keep on top of this change!

Microsoft

@SkipTallis I realize that there can be a lot of stuff there... but it might be a good idea to set up a weekly digest email for MC posts going forward too. Obviously for this "7-day warning" this will not really work, but going forward, it might be a good way to keep tabs on future changes that might be impactful for your particular tenant.

Copper Contributor

Will the only way to authenticate third party applications to use Microsoft 365 mailbox be through OAuth?

 

App passwords will not serve as authentication as it's done at Google?

 

In Hotmail after enabling MFA we can create app password and then authenticate smtp/imap clients with email/app password. Will the exchange not follow this logic?

@RodrigoBPT - Correct, OAuth only. No app passwords. 

Copper Contributor

Then this guide https://support.microsoft.com/en-us/account-billing/using-app-passwords-with-apps-that-don-t-support... really doesn't apply for Microsoft 365/Exchange emails? Then what are app passwords in Microsoft 365 for?

 

There is no configuration that can be done on the tenant to allow basic authentication? Not even for SMTP?

@Cermissoes - That doc applies to MSA, not M365 accounts. SMTP can still use basic, as this blog states.... 

Copper Contributor

@Greg Taylor - EXCHANGE 

I saw that it is possible to create an application password in microsoft 365, but what is it for?

 

And apart from SMTP, no other protocol will be able to use basic authentication. No settings will be available, is that right?

 

Thanks

Copper Contributor

Application password is just another way of not using your normal password.  This is my preferred method for applications in case if it ever gets compromised.   I can generate another application password without messing around with my current password.

 

You should be able to use application password for SMTP as basic auth will continue to work for that protocol.

Copper Contributor

I am now going on day three of not being able to access the Microsoft products we paid for. This has ground our entire organization to a halt. I have called several times and each time they tell me I have to wait for a technician to call me back in order to do something as simple as reset a password. Nobody is calling me and this issue is not getting resolved. I am astounded at what a ridiculously stupid policy it is that causes businesses to go without e-mail, a cloud, or calendar for several days (weeks?) thereby losing revenue. I am even more astounded at the horrible customer service. Since this is causing businesses to lose money, it sure seems like there is a potential for a class action lawsuit.

Copper Contributor

this is good 

Copper Contributor

how to access my email

Copper Contributor

Hello! The CUI (VAT ID) does not appear on the subscription invoice, although I have given this data. Why? And what can be done?

Copper Contributor

My tenant finally got the notice this morning which is what I was expecting.  However,  we're using hybrid exchange environment meaning still running Exchange 2010 on-prem only to maintain the distribution lists until I get them moved to Office 365 and then finally retire that server.   No outside access to Exchange 2010's webmail except office 365 to connect for migrations.  All of my users only connect to Office 365 for their e-mails.

 

Will this change of turning off basic auth affect my on-prem Exchange 2010 server to connect to Office 365 or that's on its own connection entirely?

 

I did look at the basic auth connectivity report and it only show connections between Office 365 and our ticketing server which I will upgrade to use Oauth2.   Nothing about Exchange 2010 so wanted to confirm.

Copper Contributor

how to allow application shortcut in domain user pc without admin login id and password

Copper Contributor

Hi @Nino_Bilic & @The_Exchange_Team 

 

Can you confirm if a 'Major Update' email is sent out when a tenant is selected for the 7 day notice?

The org I work for does have Message Center emails configured however these appear to be intermittent to sporadic at best.

Message Center shows MC496142 · Published 10 Jan 2023 and no email was received.

 

I do have an ongoing support case regarding this which doesn't seem to be getting anywhere.

When raising a case there is no suitable category for Message Center so it appears to be bouncing around people who don't have the knowledge or expertise.

 

Thank You

@jd- Major Update / Retirement is how they are categorized. Send me your tenant ID directly and I'll reach out to the MC team directly. 

Brass Contributor

This was anticipated, but now officially sinks my connection between outlook and gmail and using gmail as my 1 place. Microsoft has killed off Basic authentication that was in use by gmail to set up POP3. Gmail doesn't seem to want to do anything to change to modern authentication for their POP3 connections. The consumer, stuck in the middle, is screwed. Way to go, technology!

Copper Contributor

What about Direct Send option? Connectors? will this work? SMTP Relay?

Brass Contributor

There is no perfect workaround.  I'm doing a forward from Outlook, after having to set an anti-spam outbound rule on my Outlook exchange account on my email address.  Then set a filter in Gmail for the emails coming to my company to skip the Inbox and get applied to my company labeled folder.  As with a lot of technology solutions, it should be easier.

Copper Contributor

This weekend I lost access to my one and only business license for Office 365.  I don't understand the directions that say to assign my work email to the corporate tenant account. I looked in admin and don't see a way to do this. I went ahead and created a free 30 day trial to work this weekend, but there is no customer support available.  How do I proceed? 

@dggarcia - this doesn't sound like it's related to the change covered in this blog at all to be honest. If you are in the US, you can always try reaching support at 1 (800) 642-7676 - and looking at the options here - https://support.microsoft.com/en-us/contactus 

 

@Maciej35 - SMTP is not affected as this blog states 

Copper Contributor

I am an unsophisticated user and do not understand the technical jargon involved here. All I know is that I keep getting a request to enter my Exchange password. Can you tell me in simple terms what I need to do?

Copper Contributor

You need to enable Multi-Factor Authentication for your email account. In the MS Admin Center you will go to active users>Select Multi-Factor Authentication>Then search for the user that you need to turn it on for>Select User>Then click on enable under "quick steps". 

Copper Contributor

Hi Greg. This appears to only apply to Exchange Online. Does it apply to Azure AD user accounts also? And/or what is the timeline for Azure AD user accounts to have basic authentication deprecated?

Copper Contributor

No, it does not. Here is a little explanation from MS of what is taking place.

 

We're removing the ability to use Basic authentication in Exchange Online for Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, Exchange Web Services (EWS), Offline Address Book (OAB), Autodiscover, Outlook for Windows, and Outlook for Mac.

We're also disabling SMTP AUTH in all tenants in which it's not being used.

This decision requires customers to move from apps that use basic authentication to apps that use Modern authentication. Modern authentication (OAuth 2.0 token-based authorization) has many benefits and improvements that help mitigate the issues in basic authentication. For example, OAuth access tokens have a limited usable lifetime, and are specific to the applications and resources for which they are issued, so they cannot be reused. Enabling and enforcing multifactor authentication (MFA) is also simple with Modern authentication.
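The token properties described in the comment above (limited lifetime, bound to one application and resource), shown next to what a Basic auth header carries. This is an added example, not code from Microsoft or from the comment's author; the SASL XOAUTH2 string, the `aud`/`scp`/`exp` claim names, and every account, password, audience and token value are assumptions constructed for the illustration, and the token is an unsigned sample.

```python
import base64
import json

def basic_auth_header(user, password):
    """HTTP Basic: the reusable password itself, base64-encoded, on every request."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def decode_basic(header):
    """What any log, proxy or device that stored the header can read back."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password

def xoauth2_response(user, access_token):
    """SASL XOAUTH2 initial response (IMAP/POP/SMTP): a token, never the password."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode()
    return base64.b64encode(raw).decode()

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(claims):
    """Build an UNSIGNED, JWT-shaped sample. Constructed for this example only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def token_claims(token):
    """Decode the claims segment for inspection (no signature verification)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)   # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_accepted(token, audience, scope, now):
    """Expiry, audience and scope checks. A real resource server verifies the
    token signature first; that step is omitted from this sample."""
    claims = token_claims(token)
    return (now < claims["exp"]
            and claims["aud"] == audience
            and scope in claims.get("scp", "").split())

# Constructed sample values (assumptions, not taken from the page).
ISSUED = 1672531200                      # 2023-01-01T00:00:00Z
AUDIENCE = "https://outlook.office.com"
SAMPLE_TOKEN = make_sample_token({
    "aud": AUDIENCE, "scp": "IMAP.AccessAsUser.All",
    "iat": ISSUED, "exp": ISSUED + 3600,
})

if __name__ == "__main__":
    hdr = basic_auth_header("helpdesk@example.com", "constructed-password")
    print("Basic header decodes to:", decode_basic(hdr))
    print("XOAUTH2 response:", xoauth2_response("helpdesk@example.com", SAMPLE_TOKEN)[:40], "...")
    for label, aud, scope, now in [
        ("in lifetime, right resource", AUDIENCE, "IMAP.AccessAsUser.All", ISSUED + 60),
        ("after expiry", AUDIENCE, "IMAP.AccessAsUser.All", ISSUED + 7200),
        ("other resource", "https://graph.microsoft.com", "IMAP.AccessAsUser.All", ISSUED + 60),
        ("other permission", AUDIENCE, "SMTP.Send", ISSUED + 60),
    ]:
        print(f"{label}: accepted={token_accepted(SAMPLE_TOKEN, aud, scope, now)}")
```

A stored Basic header yields the password for as long as it stays unchanged, while the same captured token stops working after `exp` and is refused by any other resource or permission.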

@Steve_Harris - not sure the answer @mozzey gave is guaranteed to help, as this depends a lot on the client app or software you are using. If you just want access to email, either use the browser (go to https://outlook.office365.com) or update to the latest version of Office/Outlook. If you are using a mobile device, make sure it's up to date, and try removing and adding back your account to the app, or just switch to Outlook mobile. 

@ToddAlbers_Summit - this change only applies to Exchange Online. I can't give you information on anything outside of that, sorry. 

Copper Contributor

Terrible

Copper Contributor

I am not too thrilled with this change but it's what it is. I'm actually upgrading our ticketing server now to make use of Oauth2. If that doesn't work then I'll just forward the ticket e-mails from Office 365 to our on-prem Exchange temporarily so the ticketing server can fetch the e-mails. I think our tenant is gonna have this feature turned off today or tomorrow so not a lot of time to test and get it working fully.

Steel Contributor

Warning: Rant ahead, but also giving my work-around (this Python OAuth proxy: https://github.com/simonrob/email-oauth2-proxy) in case it helps anyone else.

 

I knew this was coming for ages (and even put in the last-minute extension that was offered towards the end of 2022). Today was the day that the tenant that I primarily manage got the gauntlet thrown down and basic auth off for good. As I am terrible about checking message center and even message center email notifications get "eaten alive" in my mailbox, the way I discovered this was that I stopped getting helpdesk emails today.

 

There are apps out there that have no plans to add OAuth support anytime soon (and plenty of legacy apps that we can't get rid of that will NEVER get OAuth authentication support added).

 

Yes, I completely take responsibility for not dealing with this sooner (I had PLENTY of warnings), but gosh darn it, it just irritates me to no end that Microsoft can't allow us to specifically allow basic auth for specific mailboxes (or even, not what I would really want, but would let me get by, is if, as others have suggested, why not allow us to IP whitelist (even if at the mailbox level)). I am fine requiring OAuth for all end-users, but Microsoft, WHY COULDN'T YOU PLEASE let us admins have a way to continue to manually enable basic auth on a mailbox level?!?!?!?!?!?!?

 

Again, I take total responsibility, but man, many of us don't have large IT teams and have to wear many hats, and dealing with this again, just stinks, as I've had to drop quite a few hours from other projects that have really also needed my attention (Network-Systems Admin for 3 small school districts, you get to wear many hats, and short staffed to start with, and then losing a major tech staff member, it's hard to keep sane and to decide which ship to keep from sinking each week).

 

Also, not the Exchange team's call, but would be nice to talk with the Outlook team to see if any chance they might add OAuth2 authentication support to POP, IMAP, and SMTP connections to Exchange? (Though not every-day user use cases, there are indeed use cases where IMAP or POP are still appropriate connection methods)

 

Apologies, rant mode off....

 

The work-around that I did figure out and (thankfully) got tested last November with the help of a tech assistant was to use a Python OAuth proxy: https://github.com/simonrob/email-oauth2-proxy

As I've unfortunately never done much with Python up to this point, I haven't had the time to figure out how to run this script in non-GUI mode, as a service, and how to shrink its Python footprint. So, for time being, I'm remoting into our helpdesk server upon each server reboot to verify that the proxy is running and functioning. But, as of this evening, the proxy is working and our helpdesk system can again access and is processing incoming ticket emails!

 

And, as much as I may strongly disagree with the specifics of these authentication policy changes, I do appreciate everything the Exchange and other Microsoft Azure and other team members do. It's not an easy task supporting a workload of millions of daily users and workloads but they do it!

Copper Contributor

I totally agree why couldn't Microsoft allow those special mailboxes to make use of trusted IPs to bypass modern auth requirements as they're service accounts not used by users.

 

 

Copper Contributor

Basic OFF by tomorrow! Oauth ON!

Two IMAP configured mailboxes, and just got there in the nick of time. This was not without about a week's worth of effort to flatten out quite a few issues, version updates etc, and we still have an overhang of relaxing spam filters to allow our app to work, in its latest version.

 

Still better than getting no email at all eh!

 

Oauth could be Oawful for some I suspect.

Copper Contributor

We received the 7 days notice on the 18th. Do we get a 1 day notice because it is not very clear if it will switch off on the 25th since it uses the term 'approximately 7 days'. Desperately trying to bring an old Delphi application using outdated IDEs into the modern era here ... running into issues, so just wondering where my stress level should be.

Copper Contributor

7 Day notice is just that 7 days.  Then any day after 7th day will get shut off.  I too would like to get notice exactly when but with thousands of tenants I can see why it's not possible. 

Last update: Dec 31 2022 07:02 PM