Microsoft warned customers today that it will finally disable basic authentication in random tenants worldwide to improve Exchange Online security starting October 1, 2022.
“Since our first announcement nearly three years ago, we’ve seen millions of users move away from basic auth, and we’ve disabled it in millions of tenants to proactively protect them. We’re not done yet though, and unfortunately usage isn’t yet at zero. Despite that, we will start to turn off basic auth for several protocols for tenants not previously disabled,” the Exchange Team said today.
“Starting October 1st, we will start to randomly select tenants and disable basic authentication access for MAPI, RPC, Offline Address Book, Exchange Web Services, POP, IMAP, Exchange ActiveSync, and Remote PowerShell.”
The protocols “Will be disabled for basic auth use permanently” during the first week of January 2023, with no way of using basic auth again.
Until now, Microsoft says it has already disabled basic auth in millions of tenants that weren’t using it and is also toggling off unused protocols within tenants still using it to protect them from attacks exploiting this insecure auth scheme.
You can find more info on preparing for October’s forced basic authentication deprecation and the best way to disable basic auth beforehand in the blog post The Exchange Team published today.