Microsoft will discontinue basic authentication functionality for Exchange Online as of October 1, 2022. Users must switch to Modern Authentication by then in order to retain all Exchange Online functionality.
Microsoft stated that shutting down basic authentication functionality as of October 1 should greatly improve the security of Exchange Online in a blog post.
Basic authentication is an old protocol that allows applications to send plain text login credentials to servers, endpoints or online services via HTTP. The protocol is very sensitive to man-in-the-middle attacks via TLS. As a result, login credentials can easily be obtained through social engineering or data-stealing malware. Basic authentication also makes it very difficult to apply multi-factor authentication (MFA).
Modern Authentication, an umbrella term for multiple authentication and authorization methods, uses so-called OAuth access tokens that cannot be reused for authentication on sources other than those they were originally used for. MFA can be applied to Modern Authentication very easily. This should improve the security of Exchange Online.
Timeframe of three years
The end of basic authentication started three years ago. The first announcements were made as early as September 2019. Customers were requested to turn off basic authentication in September 2021 and in May of this year. Many users had yet to switch to Modern Authentication at that time.
Microsoft will turn off basic authentication for various Exchange Online protocols starting October 1, 2022. The protocols are MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS) and Remote PowerShell. Users will no longer have access to these protocols in Exchange Online.
Microsoft will provide users with an opt-out setting. The setting allows basic authentication to be retained after 1 October. Users that opt in and want to restore their protocols at a later date can do so until December 22 via the self-service diagnostic tool. However, no one can escape the final phase-out of basic authentication, which starts in the first week of January 2023.