Microsoft disabling Basic authentication: 1 October 2022

Extracts from a Microsoft post dated 12 July 2022

For many years, applications have used Basic authentication to connect to servers, services, and API endpoints. Basic authentication simply means the application sends a username and password with every request, and those credentials are also often stored or saved on the device. Traditionally, Basic authentication is enabled by default on most servers or services, and is simple to set up.

Simplicity isn’t at all bad, but Basic authentication makes it easier for attackers to capture user credentials (particularly if the credentials are not protected by TLS), which increases the risk of those stolen credentials being reused against other endpoints or services. Furthermore, enforcing multifactor authentication (MFA) is not simple, or in some cases not possible, while Basic authentication remains enabled.

Basic authentication is an outdated industry standard. Threats posed by it have only increased since we originally announced that we were going to turn it off. There are better and more effective user authentication alternatives.

Microsoft actively recommends that customers adopt security strategies such as Zero Trust (Never Trust, Always Verify), or apply real-time assessment policies when users and devices access corporate information. These alternatives allow for intelligent decisions about who is trying to access what from where on which device rather than simply trusting an authentication credential that could be a bad actor impersonating a user.

With these threats and risks in mind, Microsoft is taking steps to improve data security in Exchange Online. On 1 October 2022, Microsoft will disable Basic authentication for the Outlook, EWS, RPS, POP, IMAP, and EAS protocols in Exchange Online. SMTP Auth will also be disabled if it is not being used.

How do you know if your users will be impacted?

There are several ways to determine if you’re using Basic authentication or Modern authentication. If you’re using Basic authentication, you can determine where it’s coming from and what to do about it.

Authentication dialog

A simple way to tell if a client app (for example, Outlook) is using Basic authentication or Modern authentication is to observe the dialog that’s presented when the user logs in.

Basic authentication presents a modal credential dialog box:

[Image: Basic authentication dialogue box]

Modern authentication displays a web-based login page:

[Image: Modern authentication dialogue box]

On a mobile device, you’ll see a similar web-based page when you authenticate if the device is trying to connect using Modern authentication.

You can also check the connection status dialog box, by CTRL + right-clicking the Outlook icon in the system tray, and choosing Connection Status.

When using Basic authentication, the Authn column in the Outlook Connection Status dialog shows the value of Clear.

[Image: Outlook Connection Status dialog with the Authn column showing Clear]

Once you switch to Modern authentication, the Authn column in the Outlook Connection Status dialog shows the value of Bearer.

[Image: Outlook Connection Status dialog with the Authn column showing Bearer]
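The difference between Clear and Bearer in the Connection Status dialog is the difference between a password sent on every request and a short-lived token. The following Python is an added example (not code from the Microsoft post or from this page) that shows what a proxy or packet capture sees in each case: it parses a few constructed HTTP requests, classifies the Authorization scheme, and for Basic authentication recovers the username from the base64 value to demonstrate that the password travels with it (the password itself is deliberately not returned or logged). The hostnames, usernames, password and token are all made up, and the mapping to the Outlook Authn values (Basic = Clear, Bearer = Bearer) follows the description above.

```python
import base64
import binascii
from typing import Dict, List, Optional, Tuple

# Constructed sample requests, as a TLS-terminating proxy or capture would
# see them. None of these values are real accounts or tokens.
_FAKE_BASIC = base64.b64encode(b"alice@example.com:P@ssw0rd!").decode("ascii")
SAMPLE_REQUESTS: List[str] = [
    # Legacy client: Basic authentication, password on every request
    "GET /EWS/Exchange.asmx HTTP/1.1\r\nHost: outlook.office365.com\r\n"
    f"Authorization: Basic {_FAKE_BASIC}\r\n\r\n",
    # Modern authentication: OAuth bearer token (fake, not a real JWT)
    "POST /mapi/emsmdb HTTP/1.1\r\nHost: outlook.office365.com\r\n"
    "Authorization: Bearer FAKE-HEADER.FAKE-PAYLOAD.FAKE-SIGNATURE\r\n\r\n",
    # Unauthenticated request, e.g. the first hop before a login prompt
    "GET /owa/ HTTP/1.1\r\nHost: outlook.office365.com\r\n\r\n",
    # Malformed Basic value: still a Basic attempt, but not decodable
    "GET /EWS/Exchange.asmx HTTP/1.1\r\nHost: outlook.office365.com\r\n"
    "Authorization: Basic not-valid-base64!!!\r\n\r\n",
]

# Authn value the Outlook Connection Status dialog shows for each scheme
OUTLOOK_AUTHN = {"basic": "Clear", "bearer": "Bearer"}


def parse_headers(raw: str) -> Dict[str, str]:
    """Return the request headers as a dict keyed by lowercase header name."""
    head = raw.partition("\r\n\r\n")[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify_auth(raw: str) -> Dict[str, Optional[object]]:
    """Classify the Authorization scheme of one raw HTTP request.

    For Basic, the base64 value is decoded to recover the username only;
    the password half is discarded so the result can be logged safely.
    """
    headers = parse_headers(raw)
    result: Dict[str, Optional[object]] = {
        "host": headers.get("host"),
        "scheme": "none",
        "username": None,
        "password_on_wire": False,  # True only when a reusable password is in the request
        "outlook_authn": None,
        "malformed": False,
    }
    auth = headers.get("authorization")
    if auth is None:
        return result
    scheme, _, param = auth.partition(" ")
    scheme = scheme.lower()
    result["scheme"] = scheme
    result["outlook_authn"] = OUTLOOK_AUTHN.get(scheme)
    if scheme == "basic":
        # Basic is encoding, not encryption: anyone holding the request holds
        # the password. That is the credential-capture risk described above.
        result["password_on_wire"] = True
        try:
            decoded = base64.b64decode(param, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            result["malformed"] = True
            return result
        result["username"] = decoded.partition(":")[0]
    return result


def basic_auth_report(requests: List[str]) -> List[Tuple[Optional[str], Optional[str]]]:
    """List (host, username) for every request still using Basic authentication.

    This is the 'where is it coming from' view: each entry is a client that
    will lose connectivity once Basic authentication is disabled.
    """
    report = []
    for raw in requests:
        info = classify_auth(raw)
        if info["scheme"] == "basic":
            report.append((info["host"], info["username"]))
    return report


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        info = classify_auth(raw)
        print(f"{info['host']}: scheme={info['scheme']} "
              f"authn={info['outlook_authn']} user={info['username']} "
              f"password_on_wire={info['password_on_wire']}")
    print("Basic auth still in use by:", basic_auth_report(SAMPLE_REQUESTS))
```

Run against real proxy or mail-gateway captures, the report gives the list of accounts and clients to migrate before the cut-off; the bearer case is not flagged because the token is scoped and expires, whereas the Basic credential is the user's reusable password.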

Failure to migrate will result in a loss of connectivity to key apps and services after 1 October 2022.

This change will affect all customers using Azure.

If you’d like us to check the status of your authentication, contact sales@crimsonline.co.za.