Exchange Online deprecating Basic Authentication

Applies to: Exchange Online

Back to the Microsoft Lifecycle Policy home page

Published: September 20, 2019

Exchange Online is deprecating Basic Authentication for multiple protocols prior to its removal on October 13, 2020. Basic Authentication relies on sending usernames and passwords – often stored on or saved to the device – with every request, increasing risk of attackers capturing users’ credentials, particularly if not TLS protected.

Basic Authentication is superseded by Modern Authentication (based on OAuth 2.0). Customers are encouraged to move to apps that support Modern Authentication prior to the Basic Authentication removal in October 2020. After October 2020 apps will not be able to use Basic Authentication when connecting to Exchange Online

This change only affects commercial M365 at this time, not our consumer service Outlook.com users. It impacts Exchange ActiveSync (EAS), IMAP, POP, and Remote PowerShell.

Go here to learn more.

Please note this change does not affect SMTP AUTH, based on the large number of devices and appliances that use SMTP for sending mail. Microsoft will continue supporting Basic Authentication for the time being – though we are working on ways to further secure SMTP AUTH. This change does not affect Outlook for Windows or Mac if they are already configured to use Modern Auth.

 

The information on this page is subject to the Microsoft Policy Disclaimer and Change Notice. Return to this site periodically to review any such changes.