Microsoft today warned that Exchange Online Basic authentication will be permanently disabled beginning January 2023 in order to increase security.
“Beginning January 1, we will send Message Center messages to tenants affected by the change in configuration to disable Basic auth for protocols within scope.” The Exchange Team .
“Soon after basic auth is permanently disabled, any clients or apps connecting using Basic auth to one of the affected protocols will receive a bad username/password/HTTP 401 error.”
Redmond issued multiple warnings and reminders over the past three years. The first was published in , and then two additional in and . Many customers had delayed changing to modern authentication.
CISA also encouraged government agencies as well as private sector organisations to use Microsoft Exchange’s cloud email platform in June with no multifactor authentication (MFA), to modern auth options.
A new warning stated that basic auth will be disabled for random tenants around the world starting October. There is an option to restart a protocol at any time until December.
For Exchange ActiveSync, POP, IMAP and Remote PowerShell, (RPS), Exchange Web Services, (EWS), Offline address Book (OAB), Autodiscover and Outlook (for Windows or Mac), the outdated Exchange Online basic authentication login method will be removed.
All tenants who do not use the SMTP AUTH protocol for email submissions to clients will have it disabled.
This protocol will not be able to be used for basic auth purposes permanently in the first week January 2023. There is no possibility of it being reactivated.
Microsoft claims it’s already removed basic authentication from millions of tenants who weren’t using it, and turned off any protocols that tenants were still using to prevent attacks using this unsecure login system.
According to Seth Patton, Microsoft 365 General Manager Seth Patton in September, “Our has shown that over 99 percent of password-spray attacks exploit the presence of Basic Authentication.”
The same study also found that more than 97 percent credential-stuffing attacks are using legacy authentication. Customers who have disallowed Basic authentication have had 67 percent fewer breaches than customers who continue to use it.
Customers may experience issues after basic auth has been removed. For example, they might not be able to log into Exchange Online beginning January 2023.
Also, the Exchange Team shared extensive information so that Exchange Online emails applications do not ask for passwords or sign in no more.
“We are making this change in order to protect your tenant, data and from increasing risks associated Basic auth,” the Exchange Team said.
“Calling support won’t help, because they can’t re-enable Basic Auth for you.”