Office 365: Basic Authentication Retirement for Legacy Protocols in Exchange Online

Reading Time: 3 minutes


You Microsoft recently announced their plans to retire Basic Authentication for several legacy protocols used to access Exchange Online. If you’ve stumbled across this post researching the news, you’re likely wondering what exactly this means to you and your organization.

Below is the breakdown of affected protocols:

  • Exchange Web Services (EWS)
  • Exchange ActiveSync (EAS)
  • IMAP4
  • POP3
  • Remote Powershell (RPS)

The deprecation of these protocols will occur on October 13, 2020. If this widespread change is like any past ones made in Office 365, you can expect a slow roll-out to tenants starting on this date. Meaning, it likely will not be an immediate kill switch, but you should be prepared by this date.

The Future of Mobile Client Authentication

What exactly will this change affect? The primary user-facing change will be seen with mobile clients. Microsoft licenses the use of ActiveSync (EAS) to many mobile device vendors, in order to enable connectivity from their built-in mail clients to Exchange, such as the Mail app in iOS. The burden will be on mobile device OS vendors to upgrade their clients to support modern authentication. In the case of Apple and iOS, starting with iOS 11, modern authentication is supported.

First, survey the devices and OS versions in use in your environment to ensure that only up-to-date operating systems are in use. To take it one step further and eliminate the dependency on OS vendors, enforce the use of the Outlook mobile app across your organization. Not only will this guarantee the continued flow of email at the time of cut off, but it also will ensure the use of a fantastic app that Microsoft is continuously improving.

Time to Move Away from IMAP4 and POP3

While Microsoft plans to update POP3 and IMAP4 connections to support modern authentication, I recommend moving away from them completely. You should identify critical applications that require these protocols and find out what options you have to move away from them. For those using email clients that rely on them for sending messages, now is the time to take these options out of their hands.

The SMTP protocol will not change, so this may be one option for you.

Identifying the Weak Links

Depending on your environment, this change may seem like its laid a daunting task on your lap. What is the best way to get the full picture? You might not know about that executive who is still using Thunderbird as their primary email client. Luckily, Microsoft will release a tool to help identify what is using basic auth to connect to mailboxes. Microsoft has not announced its release date yet, but it should be available well before the 10/13/20 deadline.

Let Sikich Help!

If you need help with transitioning your clients or have not yet made the jump to Office 365, please reach out and let Sikich help guide you through the process!

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.


Join 14,000+ business executives and decision makers

Upcoming Events

Upcoming Events

Latest Insights

About The Author