Basic Authentication Extended to 2H 2021 for Exchange Online Users

Microsoft is now planning to disable Basic Authentication use with its Exchange Online service sometime in the "second half of 2021," according to a Friday announcement.

The end date for Basic Authentication on Exchange Online previously was Oct. 13, 2020, but Microsoft is now pushing it out due to uncertainties surrounding the "COVID-19 crisis." A more precise end-of-support date will be announced later, the announcement added.

The extension is just for organizations currently using Basic Authentication with Exchange Online. New Exchange Online tenancies will still get Basic Authentication disabled by default. Microsoft also will disable Basic Authentication if it detects that Basic Authentication isn't being used.

Organizations using Exchange Server on-premises or in "hybrid" scenarios aren't subject to Microsoft's end-of-support change.

Organizations dealing with the end of Basic Authentication likely will experience some pains in upgrading systems. The change affects their use of Remote PowerShell. They'll also have to check which Outlook clients are used with the Exchange Online service. Outlook 2016 and Outlook for Mac 2016 and newer clients don't use Basic Authentication, but older Outlook clients may be using it.

Microsoft specifically wants to end Basic Authentication support when it's used with protocols such as Exchange ActiveSync, Post Office Protocol (POP) and Internet Message Access Protocol (IMAP).

Microsoft instead wants Exchange Online users to switch to so-called "modern authentication," which is based on OAuth 2.0 tokens and the Active Directory Authentication Library.

Microsoft did indicate back in February of last year that it had completed work on OAuth support for Office 365 tenancies using both POP and IMAP e-mail protocols, but the rollout status wasn't described. A few new details in that respect were added in Microsoft's Friday announcement:

We will also continue to complete the roll-out of OAuth support for POP, IMAP, SMTP AUTH and Remote PowerShell and continue to improve our reporting capabilities. We will publish more details on these as we make progress.

Basic Authentication is a simple name-plus-password user authentication approach that's based on older protocols. It's subject to "password spray" attacks, though, in which weak and commonly used passwords are tried across an organization by attackers to gain a foothold. Basic Authentication also doesn't support multifactor authentication, a secondary means of verifying user identities, which Microsoft recommends for organizations.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.


  • Microsoft Warns IT Pros on Windows Netlogon Fix Coming Next Month

    Microsoft on Thursday issued a reminder to organizations to ensure that their systems are properly patched for a "Critical"-rated Windows Netlogon vulnerability before next month's "update Tuesday" patch distribution arrives.

  • Microsoft Nudging Skype for Business Users to Teams

    Microsoft on Thursday announced some perks and prods for Skype for Business unified communications users, with the aim of moving them to the Microsoft Teams collaboration service instead.

  • How To Improve Windows 10's Sound and Video Quality

    Windows 10 comes with built-in tools that can help users get the most out of their sound and video hardware.

  • Microsoft Offers More 'Solorigate' Advice Using Microsoft 365 Defender Tools

    Microsoft issued yet another article with advice on how to use its Microsoft 365 Defender suite of tools to protect against "Solorigate" advanced persistent threat types of attacks in a Thursday announcement.

comments powered by Disqus