[Update]: This article was originally published on September 24, 2020, when the end of life of basic authentication was still in the planning phase.
Because of the Covid-19 pandemic, the plans for disabling basic authentication in Microsoft 365 (for connections to Exchange Online) changed substantially. After several changes to the timeline, basic authentication has almost reached its end of life. Read on to learn where basic authentication can still be found in Microsoft 365, how to block it yourself and when exactly it is disabled.
Timeline for disabling basic authentication in Office 365
Blocking basic authentication was a true reschedule fest.
Initially, basic authentication’s demise was scheduled for October 2020. In April 2020, the date was postponed. There was more than one reason for the delay. One of the reasons was Covid-19 and its impact on businesses. Another important factor was that many organizations still actively used basic authentication in their tenants. Later, on the Exchange Team Blog in February 2021, Microsoft rescheduled basic authentication’s end of life once again.
The most important dates connected to disabling basic authentication are as follows.
- October 22, 2019 – Security Defaults become available and are turned on by default for all new tenants. Security Defaults block all legacy authentication protocols, basic authentication included.
- October 13, 2020 – the initial date for disabling basic authentication in Exchange Online for all tenants. (Postponed in April 2020)
- October 2020 – basic authentication was to be disabled for tenants that were not actually using it.
- February 2021 – Microsoft announces that basic authentication will not be blocked, for now, for any protocol a tenant is actively using. Basic auth will, however, be blocked for unused protocols, with a warning posted 30 days beforehand in the Microsoft 365 Message Center of the tenant.
- Second half of 2021 – the new target for disabling basic authentication for all tenants, announced without a precise date. (Postponed)
- October 2022 – the complete shutdown of basic authentication for connections to Exchange Online, announced in September 2021. More than a year of notice to tie up all the loose ends.
Although October 2022 was the official end of life of basic authentication, it turned out that it still lingered in some corners of Microsoft 365 tenants. Namely, remote PowerShell sessions (the RPS protocol) rely on basic authentication in WinRM to connect to Exchange Online, even when what travels in that basic-auth header is an OAuth token obtained by the older Exchange Online module. So, in short, RPS deprecation is closely connected to the final end of life of basic authentication:
- April 1, 2023 – new tenants have RPS blocked by default. Until June 15, 2023, you can re-enable it with a dedicated diagnostic tool.
- May 2023 – RPS is blocked for tenants that did not register their use of it and did not opt out of the change.
- June 15, 2023 – RPS is blocked even if your organization used it. If the tenant was created after April 1, 2023, you can no longer use the diagnostic tool to prolong the life of RPS.
- July 1, 2023 – all new tenants have RPS blocked, with no opt-out.
- October 2023 – RPS is blocked for every tenant. That is the final end of life for RPS.
Learn more about RPS and the newer, better methods of connecting to Exchange Online via PowerShell
After multiple changes in the timeline, basic authentication reached its end of life (more or less). The change is for the best. Basic authentication cannot enforce MFA, so the basic-auth endpoints were the natural target of password spray attacks: one guessed password was enough to get in, MFA or not. With only modern authentication available, a sprayed password still has to get past MFA and Conditional Access, which forces attackers to use more refined methods to break into Microsoft 365 accounts. The rescheduling proved that the change was more complex than initially assumed. Let's dive into the consequences and impact of blocking basic authentication.
Impact on organization and users
Each and every app, program or service that connects to Microsoft 365 needs to authenticate itself. Since basic authentication has been blocked, every application that used this legacy authentication protocol to access Exchange Online has stopped working. You definitely need to take action if anyone in your company still uses:
- Outlook 2010 and older – with basic authentication disabled, those email clients are unable to connect to Microsoft 365.
- Outlook 2013 – enabling OAuth in Outlook 2013 requires some changes to be made in the registry.
- Outlook 2011 for Mac – just as in the case of Outlook 2010, it does not support modern authentication.
- Remote PowerShell – you will need to use the modern Exchange Online module V3 (learn how to connect remotely to your tenant using this module). If you have any unattended scripts in which you use basic authentication to establish a connection to Exchange Online, they will stop working when Remote PowerShell (RPS) is blocked.
- Any third-party app, add-in or mobile email client which doesn’t support modern authentication.
Since basic authentication is more or less disabled, you should have felt its impact already. In some cases, IT departments will need to update or upgrade software on multiple workstations, or temporarily keep the RPS protocol enabled (the RPS article linked above explains how).
The bottom line is that any Microsoft 365 administrator should have prepared for the changes long ago. If you were never interested in how authentication works, now is the time to take a quick look at some of the key differences between basic and modern authentication.
Basic authentication vs modern authentication
Although the forced switch from basic authentication to modern authentication may be troublesome, it is a welcome change. Modern authentication is based on OAuth 2.0 (implemented on the client side originally with ADAL, the Active Directory Authentication Library, since superseded by MSAL) and is a far more secure method of authentication. To put it simply, basic authentication requires each app, service or add-in to send the credentials, login and password, with every request. That means those applications store users' or admins' credentials somewhere in their settings, and anyone who can read the request (a TLS-inspecting proxy, a server log, the add-in's own configuration file) has the password, because the base64 in a Basic header is an encoding, not encryption. This opens many possibilities for attackers. Worse, basic authentication cannot enforce MFA, so a tenant with MFA turned on but basic auth still allowed is protected only by passwords on those endpoints. Basic auth also doesn't support scoping or grading permissions, so every app that connects with it gains potential access to all data the user has access to. Today's best security and privacy practice is to grant an application only the data and resources it needs to work, nothing more (the principle of least privilege). The impact of a leaked password is even greater if it is reused elsewhere.
With modern authentication, the app never sees the password. For an app/service/client to be authenticated, the user signs in to their account with the standard Microsoft 365 sign-in experience and accepts the app's request to access their account. From then on, access is based on tokens with a set lifetime. Each token carries a strictly defined permission scope that the signed-in user had to consent to. Finally, modern authentication makes multi-factor authentication (MFA) and Conditional Access enforceable, which adds yet another security layer to your tenant.
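To make the difference concrete, here is an added example (not code from the original article) that parses an Authorization header the way a server or proxy would and shows what each scheme actually carries. Both sample headers are constructed for the demo: the Bearer value is a hand-built, unsigned JWT with dummy claims (alg "none"), not a real Entra ID token, and the script deliberately does not validate signatures, which a real relying party must.

```powershell
# Added example, not from the original article: parse an Authorization header and
# compare what a Basic credential and a Bearer token actually carry.
# Both sample headers below are constructed for this demo. The Bearer token is a
# hand-built, unsigned JWT with dummy claims (alg "none"), NOT a real Entra ID token,
# and this demo does not validate signatures - a real relying party must.

function ConvertTo-Base64Url([string]$Text) {
    # base64url (RFC 7515): '+' -> '-', '/' -> '_', padding removed
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64Url([string]$Text) {
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {       # restore the padding that base64url strips
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-AuthorizationHeaderInfo([string]$Header) {
    $scheme, $value = $Header -split ' ', 2
    switch ($scheme) {
        'Basic' {
            # RFC 7617: base64(user:password). Base64 is encoding, not encryption,
            # so anyone who sees the request (proxy, log, add-in config) has the password.
            $user, $password = ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($value))) -split ':', 2
            [pscustomobject]@{
                Scheme   = 'Basic'
                Identity = $user
                Secret   = $password
                Scopes   = '(everything the user can access)'
                Expires  = '(never; valid until the password changes)'
            }
        }
        'Bearer' {
            # JWT = header.payload.signature; the claims live in the payload segment
            $claims = ConvertFrom-Base64Url (($value -split '\.')[1]) | ConvertFrom-Json
            [pscustomobject]@{
                Scheme   = 'Bearer'
                Identity = $claims.upn
                Secret   = '(none; the password never reached the app)'
                Scopes   = $claims.scp
                Expires  = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
            }
        }
        default { throw "Unsupported authorization scheme: $scheme" }
    }
}

# --- constructed sample input ---
$basicHeader = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes('alice@contoso.com:Winter2023!'))

$jwtHeader  = ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'
$jwtPayload = ConvertTo-Base64Url (@{
    aud = 'https://outlook.office365.com'
    upn = 'alice@contoso.com'
    scp = 'Mail.Read Mail.Send'      # consented, scoped permissions
    exp = 1735689600                 # 2025-01-01T00:00:00Z
} | ConvertTo-Json -Compress)
$bearerHeader = 'Bearer {0}.{1}.' -f $jwtHeader, $jwtPayload   # empty signature segment (alg none)

Get-AuthorizationHeaderInfo $basicHeader    # Secret = Winter2023!, no scope, no expiry
Get-AuthorizationHeaderInfo $bearerHeader   # Scopes = Mail.Read Mail.Send, Expires = 2025-01-01 00:00:00
```

Run it in Windows PowerShell 5.1 or PowerShell 7. The first object hands you the user's password straight out of the header; the second gives you only a consented scope list and an expiry, which is the whole point of the switch.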
Your organization probably doesn’t use basic authentication anymore. But, to make sure, you can check which applications are used to sign in to your tenant using Microsoft Entra ID (Azure Active Directory).
Checking applications which sign in to Entra ID (Azure AD)
You can check sign-ins to your Microsoft 365 tenant in the Azure portal by going to Microsoft Entra ID > Sign-in logs (or by using this link). The Sign-in logs page allows you to check which applications are used to connect to your Microsoft 365 organization, who connects, where from, and much more:
When you click any record, you will be able to learn more about the sign-in attempt. It includes information about the device used to sign in and authentication details.
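If you would rather triage the logs in bulk than click through records, the following added example (not part of the original article) filters sign-in records down to the client apps that Entra ID classifies as legacy authentication and summarizes them per user. The records are constructed sample data shaped like the objects `Get-MgAuditLogSignIn` from the Microsoft.Graph.Reports module returns; the Graph calls in the usage comment assume that module is installed and are not exercised by the sample.

```powershell
# Added example, not from the original article: pick legacy-authentication sign-ins
# out of sign-in log records. The records at the bottom are constructed sample data
# shaped like the objects Get-MgAuditLogSignIn (Microsoft.Graph.Reports) returns.

# Client app values that the Entra ID sign-in logs classify as legacy authentication
$LegacyClientApps = @(
    'Authenticated SMTP', 'AutoDiscover', 'Exchange ActiveSync', 'Exchange Online PowerShell',
    'Exchange Web Services', 'IMAP4', 'MAPI Over HTTP', 'Offline Address Book',
    'Outlook Anywhere (RPC over HTTP)', 'Outlook Service', 'POP3', 'Reporting Web Services',
    'Other clients'
)

function Find-LegacyAuthSignIn {
    param(
        [Parameter(Mandatory)][object[]]$SignIn,
        [switch]$SuccessfulOnly   # successes = clients you still have to migrate; failures are often password spray
    )
    $SignIn |
        Where-Object { $LegacyClientApps -contains $_.ClientAppUsed } |
        Where-Object { -not $SuccessfulOnly -or $_.Status.ErrorCode -eq 0 }
}

function Get-LegacyAuthSummary {
    param([Parameter(Mandatory)][object[]]$SignIn)
    Find-LegacyAuthSignIn -SignIn $SignIn |
        Group-Object UserPrincipalName, ClientAppUsed |
        ForEach-Object {
            $newest = $_.Group | Sort-Object CreatedDateTime -Descending | Select-Object -First 1
            [pscustomobject]@{
                User      = $newest.UserPrincipalName
                ClientApp = $newest.ClientAppUsed
                Attempts  = $_.Count
                Successes = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
                SourceIPs = ($_.Group.IpAddress | Sort-Object -Unique) -join ', '
                LastSeen  = $newest.CreatedDateTime
            }
        } | Sort-Object Attempts -Descending
}

# --- constructed sample records (Status.ErrorCode 0 = success, 50126 = invalid credentials) ---
function New-SampleSignIn($Upn, $App, $Ip, $When, $Code) {
    [pscustomobject]@{
        UserPrincipalName = $Upn
        ClientAppUsed     = $App
        IpAddress         = $Ip
        CreatedDateTime   = [datetime]$When
        Status            = @{ ErrorCode = $Code }
    }
}
$sampleSignIns = @(
    New-SampleSignIn 'alice@contoso.com'   'Mobile Apps and Desktop clients' '203.0.113.10' '2023-09-01T08:00:00Z' 0
    New-SampleSignIn 'bob@contoso.com'     'IMAP4'                           '203.0.113.20' '2023-09-01T08:05:00Z' 0
    New-SampleSignIn 'bob@contoso.com'     'IMAP4'                           '203.0.113.20' '2023-09-02T08:05:00Z' 0
    New-SampleSignIn 'scanner@contoso.com' 'Authenticated SMTP'              '203.0.113.30' '2023-09-02T09:00:00Z' 0
    New-SampleSignIn 'ceo@contoso.com'     'Other clients'                   '198.51.100.7' '2023-09-02T03:14:00Z' 50126
    New-SampleSignIn 'ceo@contoso.com'     'Other clients'                   '198.51.100.8' '2023-09-02T03:15:00Z' 50126
    New-SampleSignIn 'ceo@contoso.com'     'Browser'                         '203.0.113.40' '2023-09-02T10:00:00Z' 0
)

# Everything legacy, and then only the successful ones (the real migration backlog)
Get-LegacyAuthSummary -SignIn $sampleSignIns | Format-Table -AutoSize
Find-LegacyAuthSignIn -SignIn $sampleSignIns -SuccessfulOnly | Format-Table UserPrincipalName, ClientAppUsed, IpAddress

# Real data (assumes the Microsoft.Graph.Reports module):
#   Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
#   $signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge 2023-09-01T00:00:00Z"
#   Get-LegacyAuthSummary -SignIn $signIns | Format-Table -AutoSize
```

On the sample data, bob's IMAP4 client and the scanner's SMTP connection show up as working legacy clients you still have to migrate, while the two failed "Other clients" attempts against the CEO's account from two different addresses at 3 a.m. look like what they are: a password spray probing a basic-auth endpoint. Alice's Outlook and the CEO's browser sign-in are modern authentication and are filtered out.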
How to disable basic authentication in Office 365
Basic authentication is already disabled, whether you like it or not. The part below shows different methods you could have used to block basic authentication in Office 365 (Microsoft 365):
- Security Defaults – turned on by default for all new tenants. This set of security-related settings disables all legacy authentication methods, including basic auth and app passwords. Enabling security defaults might influence some third-party applications you use with your Microsoft 365 tenant.
- Client Access Rules – covered in detail in this article. Client Access Rules allow you to create very specific rules to allow basic auth in very specific cases. You can, for example, allow basic auth for a certain AD group or IP range used in your HQ. The catch is that Client Access Rules are to be completely blocked in September 2024.
- Authentication policies – a tool dedicated to blocking basic auth. You manage these policies with PowerShell (New-AuthenticationPolicy, Set-AuthenticationPolicy) or in the Microsoft 365 admin center. Since the tool is dedicated to blocking basic authentication, I'll describe some general principles on how to use it below.
To configure authentication policies, go to the Microsoft 365 admin center > Settings > Org settings > Modern authentication or use this link.
In this window, you can choose which protocols should still be able to use basic authentication to access your tenant. You can, for example, uncheck Exchange Online PowerShell to make it impossible to use this legacy authentication method to start a remote PowerShell session to Exchange Online. There is a catch, though: it can take up to 24 hours for changes made in this panel to take effect. You can force the change, but that requires PowerShell.
When I run the Get-AuthenticationPolicy cmdlet, I can see that the changes have already been applied:
Which is ironic, because I’ve used the basic auth method to connect to Exchange Online via PowerShell in the first place.
To force-apply the authentication policy change for a single account (admin in the example below), invalidate the account's refresh tokens with the following cmdlet. Be aware that this signs the user out of every client and session, not only the basic-auth ones, so they will have to sign in again everywhere:
Set-User -identity admin -StsRefreshTokensValidFrom $([System.DateTime]::UtcNow)
To apply the change to all users, run the following code. Note that Get-User returns only the first 1000 objects unless you add -ResultSize Unlimited, so without it larger tenants would be refreshed only partially:
$Users = (Get-User -ResultSize Unlimited).UserPrincipalName
foreach ($user in $Users) {
    Set-User -Identity $user -StsRefreshTokensValidFrom $([System.DateTime]::UtcNow)
}
After doing so, if you used the basic auth method to start a remote PowerShell session, trying to run any Exchange Online cmdlet should make the login pop-up window to appear:
Now, even if you insert correct credentials, the PowerShell console should display the access denied message:
Since the logon attempt wasn’t successful, it will not appear on the Sign-in logs page.
If you want to continue using PowerShell to administer your tenant, Exchange Online PowerShell module V3 lets you do that without the need to use the basic authentication-powered RPS protocol.
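For completeness, here is the whole procedure from this section (create a blocking policy, make it the tenant default, assign it, force it to apply, verify) done entirely in Exchange Online PowerShell with the V3 module instead of the admin center. This is an added example, not the article's own code: the policy name and the account names are assumptions, and it must be run in a session opened with Connect-ExchangeOnline.

```powershell
# Added example, not from the original article: block basic authentication with an
# Exchange Online authentication policy end-to-end from PowerShell (V3 module).
# Policy name and account names below are assumptions for this demo.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.com   # modern auth; no RPS/basic auth involved

$PolicyName = 'Block Basic Auth'   # assumed name

# 1. Create the policy. With no -AllowBasicAuth* switch set, a new policy blocks basic
#    authentication for every protocol (PowerShell, IMAP, POP, SMTP, EWS, ActiveSync, ...).
if (-not (Get-AuthenticationPolicy | Where-Object Name -eq $PolicyName)) {
    New-AuthenticationPolicy -Name $PolicyName | Out-Null
}

# 2. Make it the tenant default, so every user without an explicit policy gets it.
Set-OrganizationConfig -DefaultAuthenticationPolicy $PolicyName

# 3. (Optional) explicit assignment. A per-user policy overrides the default, which is
#    also how you would scope a temporary exception policy to a single service account.
Set-User -Identity alice@contoso.com -AuthenticationPolicy $PolicyName

# 4. Policies are enforced within 24 hours. Invalidating refresh tokens makes Exchange
#    re-evaluate the policy on the next request. Caveat: this signs the user out of
#    every client, not only the basic-auth ones.
function Invoke-AuthenticationPolicyRefresh {
    param([Parameter(Mandatory)][string[]]$Identity)
    foreach ($upn in $Identity) {
        Set-User -Identity $upn -StsRefreshTokensValidFrom ([DateTime]::UtcNow)
    }
}
# Get-User returns at most 1000 objects unless -ResultSize Unlimited is given
$everyone = (Get-User -ResultSize Unlimited).UserPrincipalName
Invoke-AuthenticationPolicyRefresh -Identity $everyone

# 5. Verify what is actually in place
Get-AuthenticationPolicy -Identity $PolicyName | Format-List Name, AllowBasicAuth*
Get-OrganizationConfig | Select-Object DefaultAuthenticationPolicy
Get-User -Identity alice@contoso.com |
    Select-Object UserPrincipalName, AuthenticationPolicy, StsRefreshTokensValidFrom
```

The verification step is the part worth keeping in a runbook: every AllowBasicAuth* property of the policy should read False, DefaultAuthenticationPolicy should name your policy, and StsRefreshTokensValidFrom on a refreshed user should show the UTC time you ran step 4.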
Basic authentication in Office 365 vs CodeTwo software
Here at CodeTwo, we believe that security should always be a priority. That’s why all our solutions for Microsoft 365 supported modern authentication long before they would have been forced to. So, if you’re using our tools for email signature management, backup or migration purposes, you can rest assured that even with the basic authentication disabled, they will continue to work without issues. Provided you’re up-to-date and not using decade-old versions. And if you don’t know our products, take a look below for a quick overview:
- CodeTwo Email Signatures 365 – lets you manage email signatures, legal disclaimers and automatic responses in your Microsoft 365 organization. In just a few moments, you can design and deploy rules which add professionally branded email signatures to emails sent from any email client and device.
- CodeTwo Backup for Office 365 – secures your Microsoft 365 organization by creating a continuous backup of your organization’s emails, documents and other resources. Backed-up data can later be quickly discovered and restored to its original location or the location of your choice.
- CodeTwo Office 365 Migration – lets you easily and securely migrate data to Microsoft 365 from on-premises Exchange or IMAP servers and between Microsoft 365 tenants. You can simplify your migration process and let the tool handle most of the work.
- CodeTwo User Photos for Office 365 – a freeware tool which lets you manage user photos in Microsoft 365. It allows you to quickly and easily import and export profile pictures for all users, without the need to use any scripts. Those photos are displayed in Microsoft 365 settings, Outlook, Teams, Outlook on the web, and more.
If you are using CodeTwo Backup for Office 365 or CodeTwo Office 365 Migration, make sure to update it to the latest version. This way, you will get the most secure and reliable experience.
Why does your Out of Office Manager software no longer accept app passwords for an MFA-enabled account?
I’m afraid that CodeTwo Out of Office Manager has been discontinued, so I won’t be able to help you.
You can take a look at the troubleshooting section of the following knowledge base article to see if there’s anything that helps:
How to use app passwords with CodeTwo software
Thanks for the great post answering a big dilemma about how Microsoft was managing the gradual block of Legacy Authentication for Exchange Online.
You’re very welcome!
Excellent post, really good to know about this upcoming deadline and to be prepared for it.