Deprecation of basic authentication in Exchange Online


Microsoft has announced the deprecation of Basic authentication in Exchange Online. Basic authentication will be permanently disabled in Exchange Online on October 1st, 2022. More specifically, Microsoft is removing the ability to use Basic authentication in Exchange Online for Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, Exchange Web Services (EWS), Offline Address Book (OAB), Outlook for Windows, and Mac. The SMTP AUTH option will also be disabled in all tenants in which it’s not being used. All new Microsoft 365 tenants are created with Basic authentication turned off, since this is part of the Security defaults configuration.

Basic authentication, also known as legacy authentication, means the application sends a username and password with every request, and those credentials are also often stored or saved on the device. Traditionally, Basic authentication is enabled by default on most servers or services, and is simple to set up.

Modern authentication is the successor technology of basic authentication and uses OAuth 2.0 token-based authorization.

Action items for end customers

There are various ways to tell if your applications are using basic authentication and not modern authentication to connect to Exchange Online. For Microsoft Outlook client, if you click CTRL and right-click the Outlook icon in the system tray, then click “Connection Status”, the Authn column in the Outlook Connection Status dialog shows the value of Clear for basic authentication and the value of Bearer for modern authentication. You can also use the Azure AD sign-in report to determine which tenants and users are still using basic authentication.

Modern authentication to Exchange Online presents a Web-based login screen such as the following.

Basic authentication on the other hand presents a Windows form similar to the following.

To enable or disable modern authentication for your M365 tenant, follow instructions in the article below:

The following cases will be impacted by the replacement of basic authentication with modern authentication: