Basic Authentication and Exchange Online – February 2021 Update
In response to the unprecedented situation we are in and knowing that priorities have changed for many of our customers we are suspending until further notice the disabling of Basic Authentication for any protocols that your tenant is using. This was previously communicated in Exchange Online (MC204828 and MC208814). When we resume this program, we will provide a minimum of twelve months’ notice before we block the use of Basic Auth on any protocol being used.
We will continue with our plan to disable Basic Auth for protocols that your tenant is not using. Many customers don’t know that unneeded legacy protocols remain enabled in their tenant. We plan to disable these unused protocols to prevent potential mis-use. We will do this based on examining recorded usage of these protocols by your tenant, and we will send Message Center posts providing 30 days’ notice of any changes to your tenant. This work will begin in a few months.
The last change to the previously announced plan is that we are adding MAPI, RPC, and Offline Address Book (OAB) to the protocols included in this effort to further enhance data protection.
How this impacts your organization:
- How Will I Know When My Tenant Is Affected?
- We will publish a major change Message Center post to your tenant 30 days prior to us disabling Basic Auth for any protocols in your tenant. Major changes also trigger email notifications. We will also publish a (non-major change) Message Center post when we have made the actual change.
- What If My Tenant is Using One of These Protocols?
- If your tenant is using any of these protocols, we won’t disable them. Should you find a Message Center post to the contrary, please let us know (details on how to let us know will be in the Message Center post) and we’ll exclude you from the change. You’ll be able to do this right up until we disable these protocols for good (at a future date).
- What Happens If I Missed the Message Center Post and Need These Protocols Re-Enabled?
- We are building the capability to allow you to re-enable the protocols yourself via Support Central in the Microsoft 365 admin center. If you find yourself in this situation, you’ll be able to request help in the Microsoft 365 admin center, and we’ll allow you to re-enable these protocols until we disable them in the future.
- How Does This Change Affect Authentication Policies?
- The switch we use to disable Basic Auth for unused protocols is not available to tenant admins (with the exception of the switch for SMTP Auth). You won’t see any changes or additions to your existing authentication policies (if you have any) and our change will take precedence over any policies you might have. We understand this might be a bit confusing, so we wanted to note it here.
- Does this Change Affect Outlook?
- Outlook depends upon Exchange Web Services (EWS). Therefore, Outlook must be updated to use Modern Auth before Basic Auth for EWS is disabled. Outlook uses only one type of authentication for all connections to a mailbox, so including these protocols should not adversely affect you. If EWS has Basic Auth disabled, Outlook won’t use Basic Auth for any of the other protocols or endpoints it needs to access.
We hope this change is good news for those of you who needed more time to complete a transition from Basic Auth.
Please click Additional Information to learn more.
Message ID: MC237741