{"id":5928,"date":"2021-02-05T15:25:20","date_gmt":"2021-02-05T23:25:20","guid":{"rendered":"https:\/\/officedevblogs.wpengine.com\/?p=5928"},"modified":"2021-11-17T12:40:19","modified_gmt":"2021-11-17T20:40:19","slug":"basic-authentication-and-exchange-online-february-2021-update","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/basic-authentication-and-exchange-online-february-2021-update\/","title":{"rendered":"Basic Authentication and Exchange Online \u2013 February\u00a02021\u00a0Update\u00a0"},"content":{"rendered":"<p><span data-contrast=\"auto\">We previously\u00a0<\/span><a href=\"https:\/\/techcommunity.microsoft.com\/t5\/exchange-team-blog\/basic-authentication-and-exchange-online-july-update\/ba-p\/1530163\"><span data-contrast=\"none\">announced<\/span><\/a><span data-contrast=\"auto\">\u00a0we\u00a0would\u00a0begin to disable\u00a0Basic Auth for\u00a0five\u00a0Exchange Online\u00a0protocols in the second half of 2021.\u00a0Due to\u00a0the\u00a0pandemic\u00a0and the\u00a0effect\u00a0it has on priorities and\u00a0work patterns,\u00a0we are\u00a0announcing some important changes to our plan to disable Basic Auth in Exchange Online.\u00a0Please read this post carefully, as there\u2019s a lot of\u00a0detail.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">The\u00a0first\u00a0change is that\u00a0until further notice,\u00a0we will not be\u00a0disabling Basic Auth for\u00a0any\u00a0protocols\u00a0that\u00a0your tenant is\u00a0<\/span><b><i><span data-contrast=\"auto\">using<\/span><\/i><\/b><span data-contrast=\"auto\">. 
When we\u00a0resume\u00a0this\u00a0program,\u00a0we will provide a minimum of twelve\u00a0months\u2019 notice\u00a0before\u00a0we\u00a0block the use of Basic Auth\u00a0on any protocol\u00a0being used.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">We will continue with\u00a0our\u00a0<\/span><a href=\"https:\/\/techcommunity.microsoft.com\/t5\/exchange-team-blog\/basic-authentication-and-exchange-online-april-2020-update\/ba-p\/1275508\"><span data-contrast=\"none\">plan<\/span><\/a><span data-contrast=\"auto\">\u00a0to\u00a0<\/span><b><span data-contrast=\"auto\">disable\u00a0Basic Auth for protocols\u00a0that\u00a0your tenant\u00a0is\u00a0<\/span><\/b><b><i><span data-contrast=\"auto\">not<\/span><\/i><\/b><b><span data-contrast=\"auto\">\u00a0using<\/span><\/b><span data-contrast=\"auto\">. Many\u00a0customers\u00a0don\u2019t know\u00a0that unneeded legacy protocols\u00a0remain\u00a0enabled in their tenant. 
We\u00a0plan to\u00a0disable\u00a0Basic\u00a0Auth for\u00a0these unused protocols\u00a0to prevent\u00a0potential\u00a0misuse.\u00a0We will\u00a0do this based on\u00a0examining\u00a0recorded usage of these protocols\u00a0by\u00a0your tenant, and\u00a0we\u00a0will send Message Center posts\u00a0providing 30\u00a0days\u2019 notice\u00a0of\u00a0the\u00a0change\u00a0to\u00a0your\u00a0tenant.\u00a0This\u00a0work\u00a0will begin\u00a0in\u00a0a\u00a0few months.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">The next change to the previously announced plan is that we are adding MAPI, RPC,\u00a0and Offline Address Book (OAB)\u00a0to the protocols\u00a0included\u00a0in this effort to\u00a0further\u00a0enhance\u00a0data\u00a0protection.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">As clarified in previous blogs,\u00a0Outlook depends upon\u00a0Exchange Web Services (EWS)\u00a0for core features;\u00a0therefore,\u00a0tenants using\u00a0Basic\u00a0Auth with\u00a0Outlook\u00a0must\u00a0enable\u00a0Modern Auth\u00a0before\u00a0Basic Auth for EWS\u00a0is\u00a0disabled.\u00a0Outlook uses\u00a0only\u00a0one type of\u00a0authentication\u00a0for all connections to\u00a0a\u00a0mailbox,\u00a0so including\u00a0these protocols\u00a0should\u00a0not\u00a0adversely\u00a0affect\u00a0you.\u00a0If EWS has Basic Auth disabled, Outlook won\u2019t use\u00a0Basic\u00a0Auth\u00a0for any of the other protocols or endpoints it needs to access.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">At this time, we are not including\u00a0AutoDiscover, another protocol and endpoint used by Outlook.\u00a0There are\u00a0two\u00a0reasons for 
this.\u00a0First,\u00a0AutoDiscover\u00a0doesn\u2019t provide access to\u00a0user\u00a0data;\u00a0it only provides\u00a0a pointer to the\u00a0endpoint\u00a0that the\u00a0client\u00a0should\u00a0use to access data. Second,\u00a0as long as\u00a0a\u00a0tenant\u00a0has\u00a0some\u00a0EWS or\u00a0Exchange ActiveSync (EAS)\u00a0usage,\u00a0AutoDiscover\u00a0is necessary\u00a0for\u00a0client configuration. Once Basic Auth is\u00a0disabled\u00a0for\u00a0the vast majority of\u00a0tenants, we\u2019ll\u00a0consider disabling Basic Auth\u00a0for\u00a0AutoDiscover.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Finally, we are aligning our plans\u00a0with those for\u00a0SMTP\u00a0AUTH. We had\u00a0<\/span><a href=\"https:\/\/techcommunity.microsoft.com\/t5\/exchange-team-blog\/basic-authentication-and-exchange-online-july-update\/ba-p\/1530163\"><span data-contrast=\"none\">previously announced<\/span><\/a><span data-contrast=\"auto\">\u00a0that\u00a0we would\u00a0begin to\u00a0disable SMTP\u00a0AUTH\u00a0for newly created tenants\u00a0(and have already done so), and\u00a0that\u00a0we would expand this to disable\u00a0SMTP\u00a0AUTH\u00a0for tenants who do not use it. 
We are continuing to do that, but we will\u00a0include SMTP\u00a0AUTH\u00a0in all future communications and\u00a0Message Center\u00a0posts\u00a0to make it easier for you to\u00a0track\u00a0the overall plan.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">In summary, we have postponed disabling Basic Auth\u00a0for protocols\u00a0in active use by\u00a0your tenant\u00a0until further notice, but we will\u00a0continue to\u00a0disable Basic Auth for\u00a0any\u00a0protocols you are not\u00a0currently\u00a0using.\u00a0The\u00a0overall\u00a0scope of this change\u00a0now covers\u00a0EWS, EAS, POP, IMAP, Remote PowerShell, MAPI, RPC,\u00a0SMTP AUTH\u00a0and OAB.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><strong>How will I know when my tenant is affected?\u00a0<\/strong><\/p>\n<p><span data-contrast=\"auto\">We will\u00a0publish\u00a0a\u00a0major\u00a0change Message Center post\u00a0to your tenant\u00a030 days prior to disabling Basic Auth for any protocols in your tenant. 
Major changes also\u00a0trigger email notifications.\u00a0We will\u00a0also\u00a0publish\u00a0a Message Center post when we have made the\u00a0actual\u00a0change.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><strong>What if\u00a0my tenant is using one of these protocols?\u00a0<\/strong><\/p>\n<p><span data-contrast=\"auto\">If your tenant is\u00a0using\u00a0any of these\u00a0protocols\u00a0in the 30 days\u00a0prior to us\u00a0randomly\u00a0selecting your tenant for\u00a0potential\u00a0inclusion,\u00a0we won\u2019t\u00a0disable them.\u00a0Should\u00a0you find a\u00a0Message Center\u00a0post to the contrary, please\u00a0let us know (details\u00a0on how to\u00a0let us know\u00a0will be in the\u00a0Message Center\u00a0post) and we\u2019ll exclude you from the change.\u00a0You\u2019ll be able to do this\u00a0right\u00a0up until we disable these protocols for good\u00a0(at a future date).\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><strong>How do I know if my tenant is currently using one of the impacted protocols?\u00a0<\/strong><\/p>\n<p><span data-contrast=\"auto\">If you aren\u2019t sure if you are using Basic Auth with any of the impacted\u00a0protocols,\u00a0you can use the Azure AD Sign-In Logs to look at usage in your tenant. 
Read\u00a0more about\u00a0that\u00a0<\/span><a href=\"https:\/\/techcommunity.microsoft.com\/t5\/azure-active-directory-identity\/new-tools-to-block-legacy-authentication-in-your-organization\/ba-p\/1225302\"><span data-contrast=\"none\">here<\/span><\/a><span data-contrast=\"auto\">.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><strong>What happens if I missed the message center post and need these protocols re-enabled?\u00a0<\/strong><\/p>\n<p><span data-contrast=\"auto\">We\u00a0are\u00a0building\u00a0the capability\u00a0to allow you to\u00a0re-enable the protocols yourself\u00a0via Support Central in the Microsoft 365\u00a0admin\u00a0center.\u00a0If you find yourself in this situation,\u00a0you\u2019ll be able to\u00a0request help in\u00a0the\u00a0Microsoft 365 admin\u00a0center, and\u00a0we\u2019ll allow\u00a0you\u00a0to re-enable\u00a0these protocols until we disable them in the future.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><strong>How does this change affect authentication policies?\u00a0<\/strong><\/p>\n<p><span data-contrast=\"auto\">The switch we use\u00a0to disable Basic Auth for unused protocols is not\u00a0available\u00a0to tenant admins (with the exception of\u00a0the switch for\u00a0SMTP Auth).\u00a0You\u00a0won\u2019t\u00a0see any changes\u00a0or additions\u00a0to your existing\u00a0authentication\u00a0policies (if you have any)\u00a0and our change will take precedence over any policies you might have.\u00a0We understand this might be a bit confusing,\u00a0so\u00a0we\u00a0wanted to note it here.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span 
data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">We hope this change\u00a0is\u00a0good news for\u00a0those\u00a0of you\u00a0who needed more time to complete\u00a0a\u00a0transition from Basic Auth.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">The Exchange Team<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Due to\u00a0the\u00a0pandemic\u00a0and the\u00a0effect\u00a0it has on priorities and\u00a0work patterns,\u00a0we are\u00a0announcing some important changes to our plan to disable Basic Auth in Exchange Online.<\/p>\n","protected":false},"author":69080,"featured_media":25159,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[39,22,12],"class_list":["post-5928","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-identity-platform","tag-authentication","tag-azure-ad","tag-outlook"],"acf":[],"blog_post_summary":"<p>Due to\u00a0the\u00a0pandemic\u00a0and the\u00a0effect\u00a0it has on priorities and\u00a0work patterns,\u00a0we are\u00a0announcing some important changes to our plan to disable Basic Auth in Exchange 
Online.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts\/5928","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/users\/69080"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/comments?post=5928"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts\/5928\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/media\/25159"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/media?parent=5928"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/categories?post=5928"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/tags?post=5928"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}