September 20th, 2019

End of support for Basic Authentication access to Exchange Online APIs for Office 365 customers

For many years we’ve supported Basic Authentication based connections to Exchange Online. Basic Authentication means that the client application passes the username and password with every request. Although simple to set up and use, Basic Authentication makes it easier for attackers armed with today’s tools and methods to capture users’ credentials and increases the chance of credential re-use against other endpoints or services.
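To show what "passes the username and password with every request" means for the HTTP-based protocols, the following added example (not part of the original announcement and not Microsoft code) audits recorded `Authorization` headers to find clients that still send Basic credentials. The client names, account and header values are constructed samples, and the log layout is an assumption.

```python
import base64
import binascii
from collections import Counter

# Constructed sample: (client name, Authorization header) pairs as an
# application or TLS-terminating proxy log might record them. Not real data.
_BASIC = "Basic " + base64.b64encode(b"alice@example.com:constructed-password").decode()
SAMPLE_REQUESTS = [
    ("legacy-sync-tool", _BASIC),
    ("legacy-sync-tool", _BASIC),  # same reversible credential on every request
    ("new-mail-app", "Bearer eyJ0eXAiOiJKV1QifQ.constructed.token"),
    ("broken-client", "Basic not-base64!!"),
]


def classify(header):
    """Return (scheme, username); username is set only for well-formed Basic."""
    scheme, _, value = header.partition(" ")
    scheme = scheme.lower()
    if scheme != "basic":
        return scheme, None
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return "basic-malformed", None
    # RFC 7617: the user-id cannot contain ':', so split on the first colon.
    username, sep, _password = decoded.partition(":")
    return ("basic", username) if sep else ("basic-malformed", None)


def audit(requests):
    """Count requests per (client, scheme, username); passwords are discarded."""
    findings = Counter()
    for client, header in requests:
        scheme, username = classify(header)
        findings[(client, scheme, username)] += 1
    return findings


def clients_to_migrate(requests):
    """Clients that sent at least one Basic header, sorted by name."""
    return sorted({c for (c, scheme, _u) in audit(requests) if scheme.startswith("basic")})


if __name__ == "__main__":
    for (client, scheme, user), n in sorted(audit(SAMPLE_REQUESTS).items(), key=str):
        print(f"{client:18} {scheme:16} {user or '-':20} {n} request(s)")
```

The Basic value decodes back to the account name without any key, which is why the audit can attribute each legacy client to a mailbox owner, and why the same header is enough for anyone who captures it.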

Over time, we’ve introduced Modern Authentication, which is based upon OAuth 2.0 for authentication and authorization. Modern Authentication is a more secure method to access data as compared to Basic Authentication. Last year, we decommissioned Basic Authentication on Outlook REST API and announced that on October 13th, 2020 we will stop supporting Basic Authentication for Exchange Web Services (EWS) to access Exchange Online.

Today, we are announcing that on October 13th, 2020 we will stop supporting and retire Basic Authentication for Exchange ActiveSync (EAS), Post Office Protocol (POP), Internet Message Access Protocol (IMAP), and Remote PowerShell (RPS) in Exchange Online. This means that new or existing applications using one or more of these APIs/protocols will not be able to use Basic Authentication when connecting to Office 365 mailboxes or endpoints and will need to update how they authenticate.

Please note this change does not affect SMTP AUTH and we will continue to support Basic Authentication for it in Exchange Online at this time. With the large number of solutions, devices, and appliances that use SMTP for sending mail we are working on ways to further secure SMTP AUTH and will continue to update you as we make progress. This change also does not impact on-premises versions of Exchange Server and only applies to Exchange Online.

To make it easier to migrate your existing applications to use OAuth 2.0, we are making significant investments to our service that include OAuth 2.0 support for POP, IMAP, and background application support for Remote PowerShell MFA module. We will be sharing more information on these new features over the coming months. For more information on OAuth 2.0 and details on how to make the transition, please refer to the following articles:

Microsoft identity platform (v2.0) overview
Getting started with OAuth2 for Microsoft Graph

We understand changes like this may cause some inconvenience, but we are confident it will enable more secure experiences for our customers. Thank you for helping to update and secure your integrations with Exchange Online and Office 365. We remain committed to empowering developers to build innovative, secure applications on Office 365 and we strongly encourage you to embrace Microsoft Graph and OAuth 2.0 to access Exchange Online data and gain access to the latest features and functionality.

Reach out to us on Stack Overflow with the tag [exchange-basicauth] if you have questions around migrating away from Basic Authentication.

The Exchange Team