News

Exchange Online's Basic Authentication Deadline Pushed to 2021

• By Kurt Mackie
• 04/03/2020

The end date for Basic Authentication on Exchange Online has been postponed to the "second half of 2021" from the originally planned Oct. 13, 2020, Microsoft said on Friday.

Microsoft attributed the delay to uncertainties surrounding the "COVID-19 crisis." The company will announce a more precise end-of-support date in the future.

The extension is just for organizations currently using Basic Authentication with Exchange Online. New Exchange Online tenancies will still get Basic Authentication disabled by default. Microsoft also will disable Basic Authentication if it detects that Basic Authentication isn't being used.

Organizations using Exchange Server on-premises or in "hybrid" scenarios aren't subject to Microsoft's end-of-support change.

Organizations dealing with the end of Basic Authentication likely will experience some pains in upgrading systems. The change affects their use of Remote PowerShell. They'll also have to check which Outlook clients are used with the Exchange Online service. Outlook 2016 and Outlook for Mac 2016 and newer clients don't use Basic Authentication, but older Outlook clients may be using it.

Microsoft specifically wants to end Basic Authentication support when it's used with protocols such as Exchange ActiveSync, Post Office Protocol (POP) and Internet Message Access Protocol (IMAP).

Microsoft instead wants Exchange Online users to switch to so-called "modern authentication," which is based on OAuth 2.0 tokens and the Active Directory Authentication Library.

Microsoft did indicate back in February of last year that it had completed work on OAuth support for Office 365 tenancies using both POP and IMAP e-mail protocols, but the rollout status wasn't described. A few new details in that respect were added in Microsoft's Friday announcement:

We will also continue to complete the roll-out of OAuth support for POP, IMAP, SMTP AUTH and Remote PowerShell and continue to improve our reporting capabilities. We will publish more details on these as we make progress.

Basic Authentication is a simple name-plus-password user authentication approach that's based on older protocols. It's subject to "password spray" attacks, though, in which weak and commonly used passwords are tried across an organization by attackers to gain a foothold. Basic Authentication also doesn't support multifactor authentication, a secondary means of verifying user identities, which Microsoft recommends for organizations.