April 3rd, 2020

Deferred end of support date for Basic Authentication in Exchange Online

Last year we announced end of support for Basic Authentication for Exchange Web Services (EWS), Exchange Active Sync (EAS), Post Office Protocol (POP), Internet Message Access Protocol (IMAP), and Remote PowerShell (RPS) in Exchange Online.

In response to the COVID-19 crisis and knowing that priorities have changed for many of our customers we have decided to postpone disabling Basic Authentication in Exchange Online for those customers still actively using it until the second half of 2021. We will provide a more precise date when we have a better understanding of the impact of the situation. This means that existing applications that are using Basic Authentication to connect to Exchange Online using one or more of the above API’s/protocols will continue to work for existing customers with active usage and developers now have additional time to migrate such apps to use Modern Authentication.

In the meantime, we will continue to disable Basic Authentication for newly created tenants by default.  Starting in October 2020 we will also start to disable Basic Authentication in tenants that have no recorded usage. This means that applications that are using Basic Authentication to connect to Exchange Online might face authentication failures when adopted by a customer who is new to Exchange Online or has not used Basic Authentication applications before. The best way to avoid such failures in your application is to adopt Modern Authentication. If you are unable to do so, you can work with the customer’s administrators, who will have to make a security decision to downgrade their organization’s security stance, to explicitly enable access to your application.

We continue to invest in Modern Authentication capabilities and will continue rolling out OAuth support for POP, IMAP, SMTP AUTH and Remote PowerShell. We will publish more details on these as we make progress. If you have not done so already, we strongly encourage you to move to OAuth for the security benefits it offers to your applications and customers.

The Exchange Team