Microsoft 365 International will turn off Exchange Online Basic Authentication on October 1

Microsoft recently issued a final reminder: It has been notified in the Microsoft 365 admin center many times before that for the international version of Microsoft 365, the product group will disable basic authentication for Exchange Online on 10/1/2022 (Basic Auth), please tell each other and make sure to take action, please refer to here. If no action is taken, the likely impact is that some users will not be able to connect to their mailboxes.

If it is too late, please refer to here to apply for the last extension (no extension after 1/1/2023).

Why should you disable Basic Authentication?

Technically, basic authentication (also known as legacy authentication) is an HTTP-based authentication scheme. Each time an application makes a connection request to a server, service, or API node, it sends both a username and password and these credentials are stored on the device. This method greatly simplifies the authentication process, but is an ideal hunting target in the face of various means of attackers! Especially without the protection of TLS, they can easily steal the user's identity.

Operationally, basic authentication, while easy to configure, also makes deploying multi-factor authentication more complex and difficult.

As a result, Microsoft has decided to phase out basic authentication globally for users using Exchange Online starting October 1, 2022, and replace it with more advanced, modern authentication. This helps users better safeguard their own interests and improves the security of enterprises and users. Since September 2021, Microsoft has continued to issue reminders (MC345821) through the official website and the "Message Center" in the Management Center and will continue to issue "Message Center" reminders to customers who still use basic authentication every month. Please prepare in advance.

The detailed official schedule is as follows

For tenants not using basic authentication:

• Beginning in June 2021, tenants who have not yet used basic authentication will be notified in the message center that basic authentication will be turned off for that tenant after 30 days, and will be notified again when the shutdown is complete.

For tenants using basic authentication:

• Starting September 2021, multiple reminder notifications will be received in the message center to guide tenant administrators to take relevant actions.

• Starting October 1, 2022, Basic authentication will be permanently deactivated for all tenants already using Basic authentication, and the deactivation process for all tenants will be completed gradually. Microsoft will issue an alert again through the message center 7 days before the shutdown and publish a service health dashboard notification, and then turn off basic authentication. After this time, you cannot apply for an exception in any form.

• Basic authentication will be fully turned off for tenants using Office 365 services operated by 21Vianet on March 31, 2023, after which you cannot apply for an exception in any form.

Likely impacts and their scope

Microsoft will turn off Basic Authentication for the following protocols: Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, Exchange Web Services (EWS), Offline Address Book (OAB), and Outlook for Windows / Mac. (For tenants who have not yet used SMTP AUTH, SMTP AUTH will also be turned off)

After the shutdown, any clients (user apps, scripts, integrations, etc.) that used basic authentication for the affected protocols mentioned above will not be able to connect to Exchange Online. The app will receive a message like "HTTP 401 Error: Bad username or password".