Exchange Online, SharePoint Development Services
From Microsoft Corporation
Technical Bulletin MC302129 · Published Dec 6, 2021
We’re making some changes to improve the security of your tenant. We announced in 2019 that we would be retiring Basic Authentication for legacy protocols, and in September 2021, we confirmed that we would begin to disable Basic Authentication for in-use protocols beginning October 2022.
We previously communicated this change via Message Center: MC191153 (Sept. ‘19), MC204828 (Feb. ‘20), MC208814 (April ‘20), MC237741 (Feb. ‘21) and MC286990 (Sep. ’21).
You can always read the latest information about our plans to turn off Basic Authentication here.
Based on our telemetry, there may be some users in your tenant currently using Basic Authentication and we expect these users to be affected when these changes take place.
In the month of November, we detected the following usage:
Exchange ActiveSync: 0
Outlook Windows: 0
Outlook for Mac/Exchange Web Services: 0
Exchange Remote PowerShell: 0
Please note these numbers only reflect the count of unique users who have successfully authenticated to these services in the specified month, they do not reflect successful access to mailboxes or data (for example, a user may authenticate using IMAP, but may be denied access to the mailbox due to configuration or policy).
If you want to block users or apps being able to authenticate at all using legacy protocols, we recommend using Authentication Polices.
To investigate this usage further, we recommend you use Azure AD Sign-in Reports which can provide detailed user, IP and client details for these authentications.
How this will affect your organization:
Once this change is made, users in your tenant will be unable to access their Exchange Online mailbox using Basic Authentication and the protocols specified above.
What you need to do to prepare:
We recommend you take steps to investigate the usage of Basic Authentication in your tenant and determine its source. Ask yourself:
- Are these known users or apps within your tenant with valid use cases, or are these unexpected authentication attempts, possibly indicating a breach or unauthorized access?
- Are these connections from out of date or badly configured applications, requiring upgrade or reconfiguration or are these third party (e.g., external) applications, that are integrated with your Exchange Online tenant?
It’s important to begin to understand the use of Basic Authentication in your tenant before it is switched off beginning October 2022.