Microsoft announced some time ago that basic authentication (standard authentication) will be deactivated in all tenants for the MAPIoverHTTP, EWS, POP, IMAP and ActiveSync protocols in Exchange Online from October 1, 2022.
From October 1, 2022, it will no longer be possible to use Basic-Auth (transfer of username and password via HTTPS) in Exchange Online for Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, Exchange Web Services (EWS), Offline Address Book (OAB), Outlook for Windows and Mac. Until now, the date of the shutdown was repeatedly postponed, but now the date seems to be fixed.
Under the following link, Microsoft has created a diagnostic option to check whether Basic-Auth is still being used in the tenant:
This small diagnostic function can be used to start a test to determine whether Basic-Auth is still being used:
If the test does not reveal any problems, Basic-Auth should be switched off on 01.10.2022 without any problems:
It could be problematic in older tenants when Modern Authentication was not yet activated by default. For example, there could be older clients or smartphones that still use Basic Authentication. These must then be converted by 1.10. Almost all clients now understand Modern Authentication (OAuth2), but may not yet be configured accordingly.
There are excellent articles here, which also show further diagnostic options:
- https://www.enowsoftware.com/solutions-engine/m365-exchange-online-center/basic-auth-deprecation-aug-2022
- https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-deprecation-in-exchange-online-september/ba-p/3609437
Also be sure to think about scripts that may have been set up a long time ago and still use Basic-Auth. Even smartphones that were set up a long time ago could still be set to Basic-Auth. All scripts can be switched to certificate-based authentication, all reasonably up-to-date mail apps on smartphones and mail programs can also handle Modern Authentication.
A good test is also to switch off Basic-Auth now and check who is screaming:
If push comes to shove, there is still the option of continuing to use certain protocols for standard authentication. There is an opt-out procedure for this, which follows the process below:
Incidentally, Modern Authentication has also been announced for Exchange 2019, but it is not yet clear when this will be available.