Office 365: Basic Authentication Retirement for Legacy Protocols in Exchange Online

Microsoft recently announced their plans to retire Basic Authentication for several legacy protocols used to access Exchange Online. If you’ve stumbled across this post researching the news, you’re likely wondering what exactly this means to you and your organization.

Below is the breakdown of affected protocols:

  • Exchange Web Services (EWS)
  • Exchange ActiveSync (EAS)
  • IMAP4
  • POP3
  • Remote PowerShell (RPS)

Basic Authentication for these protocols will be retired on October 13, 2020. If this widespread change is like past ones made in Office 365, you can expect a slow roll-out to tenants starting on this date. In other words, it likely will not be an immediate kill switch, but you should be prepared by this date.

The Future of Mobile Client Authentication

What exactly will this change affect? Mobile clients will experience the most user-facing changes. Microsoft licenses ActiveSync (EAS) to many mobile device vendors so that their built-in mail clients, such as the Mail app in iOS, can connect to Exchange. The burden will be on mobile device OS vendors to upgrade their clients to support modern authentication. In Apple's case, modern authentication is supported starting with iOS 11.

To prepare for this change, you should survey the devices and OS versions used in your environment to ensure that only up-to-date operating systems are in use. To take it one step further and eliminate the dependency on OS vendors, enforce the Outlook mobile app across your organization. Not only will this guarantee the continued flow of email at the time of cutoff, but it will also ensure the use of a fantastic app that Microsoft is continuously improving.
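One way to run that device survey, as an added example that is not part of the original post. The function name `Get-EasDeviceReadiness`, the sample records and the assumed `DeviceOS` format ("iOS 12.1.4 16D57") are illustrative; the property names are the ones `Get-MobileDevice` returns in Exchange Online PowerShell.

```powershell
# Added example: classify ActiveSync device records by whether the OS supports modern auth.
# Assumption: DeviceOS values look like "iOS 12.1.4 16D57". Sample records are constructed.
function Get-EasDeviceReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Device
    )
    process {
        # Only native ActiveSync partnerships are in scope for this check.
        if ($Device.ClientType -ne 'EAS') { return }

        # Default for any OS string this example does not know how to parse.
        $status = 'Review manually'
        if ($Device.DeviceOS -match '^iOS\s+(\d+)') {
            # The post states that modern authentication is supported starting with iOS 11.
            $status = if ([int]$Matches[1] -ge 11) {
                'OS supports modern auth'
            } else {
                'Upgrade OS or move to Outlook mobile'
            }
        }

        [pscustomobject]@{
            User     = $Device.UserDisplayName
            Model    = $Device.DeviceModel
            DeviceOS = $Device.DeviceOS
            Status   = $status
        }
    }
}

# Constructed sample records so the function can be tried offline.
$sample = @(
    [pscustomobject]@{ UserDisplayName = 'User One';   DeviceModel = 'iPhone'; DeviceOS = 'iOS 10.3.3 14G60'; ClientType = 'EAS' }
    [pscustomobject]@{ UserDisplayName = 'User Two';   DeviceModel = 'iPhone'; DeviceOS = 'iOS 12.4 16G77';   ClientType = 'EAS' }
    [pscustomobject]@{ UserDisplayName = 'User Three'; DeviceModel = 'Tablet'; DeviceOS = 'Android 6.0.1';    ClientType = 'EAS' }
)

$sample | Get-EasDeviceReadiness | Sort-Object Status, User | Format-Table -AutoSize

# In a connected Exchange Online PowerShell session, feed real data instead:
# Get-MobileDevice -ResultSize Unlimited | Get-EasDeviceReadiness |
#     Export-Csv .\eas-readiness.csv -NoTypeInformation
```

The status column reports OS capability only, not which authentication method an existing mail profile on the device actually uses.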

Time to Move Away from IMAP4 and POP3

While Microsoft plans to update POP3 and IMAP4 connections to support modern authentication, I recommend moving away from them completely. You should identify critical applications that require these protocols and find out how you can move away from them. The SMTP protocol is not being changed; this may be a potential workaround.

For end users using third-party email clients that rely on these protocols, it is time to take these options out of their hands and enforce using Outlook or OWA.

Identifying the Weak Links

Depending upon your environment, this change may seem like it has dropped a daunting task in your lap. What is the best way to get the full picture? You might not know about that executive who is still using Thunderbird as their primary email client. Luckily, Microsoft will release a tool to help identify what is using basic auth to connect to mailboxes. Microsoft has not announced its release date yet, but it should be available well before the 10/13/20 deadline.

Let Sikich Help!

If you need help with transitioning your clients or have not yet made the jump to Office 365, please reach out and let Sikich help guide you through the process!
