Basic Authentication and Exchange Online – February 2021 Update
We previously announced we would begin to disable Basic Auth for five Exchange Online protocols in the second half of 2021. Due to the pandemic and the effect it has on priorities and work patterns, we are announcing some important changes to our plan to disable Basic Auth in Exchange Online. Please read this post carefully, as there’s a lot of detail.
The first change is that until further notice, we will not be disabling Basic Auth for any protocols that your tenant is using. When we resume this program, we will provide a minimum of twelve months notice before we block the use of Basic Auth on any protocol being used.
We will continue with our plan to disable Basic Auth for protocols that your tenant is not using. Many customers don’t know that unneeded legacy protocols remain enabled in their tenant. We plan to disable Basic Auth for these unused protocols to prevent potential mis-use. We will do this based on examining recorded usage of these protocols by your tenant, and we will send Message Center posts providing 30 days notice of the change to your tenant. This work will begin in a few months.
The next change to the previously announced plan is that we are adding MAPI, RPC, and Offline Address Book (OAB) to the protocols included in this effort to further enhance data protection.
As clarified in previous blogs, Outlook depends upon Exchange Web Services (EWS) for core features; therefore, tenants using Basic Auth with Outlook must enable Modern Auth before Basic Auth for EWS is disabled. Outlook uses only one type of authentication for all connections to a mailbox, so including these protocols should not adversely affect you. If EWS has Basic Auth disabled, Outlook won’t use Basic Auth for any of the other protocols or endpoints it needs to access.
At this time, we are not including AutoDiscover, another protocol and endpoint used by Outlook. There are two reasons for this. First, AutoDiscover doesn’t provide access to user data; it only provides a pointer to the endpoint that the client should use to access data. Second, as long as a tenant has some EWS or Exchange ActiveSync (EAS) usage, AutoDiscover is necessary for client configuration. Once Basic Auth is disabled for the vast majority of tenants, we’ll consider disabling Basic Auth for AutoDiscover.
Finally, we are aligning our plans with those for SMTP AUTH. We had previously announced that we would begin to disable SMTP AUTH for newly created tenants (and have already done so), and that we would expand this to disable SMTP AUTH for tenants who do not use it. We are continuing to do that, but we will include SMTP AUTH in all future communications and Message Center posts to make it easier for you to track the overall plan.
In summary, we have postponed disabling Basic Auth for protocols in active use by your tenant until further notice, but we will continue to disable Basic Auth for any protocols you are not currently using. The overall scope of this change now covers EWS, EAS, POP, IMAP, Remote PowerShell, MAPI, RPC, SMTP AUTH and OAB.
How will I know when my tenant is affected?
We will publish a major change Message Center post to your tenant 30 days prior to disabling Basic Auth for any protocols in your tenant. Major changes also trigger email notifications. We will also publish a Message Center post when we have made the actual change.
What if my tenant is using one of these protocols?
If your tenant is using any of these protocols in the 30 days prior to us randomly selecting your tenant for potential inclusion, we won’t disable them. Should you find a Message Center post to the contrary, please let us know (details on how to let us know will be in the Message Center post) and we’ll exclude you from the change. You’ll be able to do this right up until we disable these protocols for good (at a future date).
How do I know if my tenant is currently using one of the impacted protocols?
If you aren’t sure if you are using Basic Auth with any of the impacted protocols you can use the Azure AD Sign-In Logs to look at usage in your tenant. Read more about that here.
What happens if I missed the message center post and need these protocols re-enabled?
We are building the capability to allow you to re-enable the protocols yourself via Support Central in the Microsoft 365 admin center. If you find yourself in this situation, you’ll be able to request help in the Microsoft 365 admin center, and we’ll allow you to re-enable these protocols until we disable them in the future.
How does this change affect authentication policies?
The switch we use to disable Basic Auth for unused protocols is not available to tenant admins (with the exception of the switch for SMTP Auth). You won’t see any changes or additions to your existing authentication policies (if you have any) and our change will take precedence over any policies you might have. We understand this might be a bit confusing, so we wanted to note it here.
We hope this change is good news for those of you who needed more time to complete a transition from Basic Auth.
The Exchange Team