Many of my customers have moved to the cloud in recent years. For existing environments this is the start of a journey away from on-prem systems toward cloud environments. We all know a journey starts with preparation and takes several steps, and it is never a good idea to work on all systems at once. On the other hand, some systems still exist in their old form and sometimes use old, insecure protocols for communication and authentication.
To address these issues, Microsoft announced in September 2019, in the blog article “Improving security”, that it would disable support for Basic authentication for protocols like EWS, POP, IMAP and Remote PowerShell. After this plan was made, the corona crisis came up and Microsoft decided to postpone disabling the noted protocols.
In September 2021 Microsoft released updated information in the article “Basic authentication and Exchange Online”. Microsoft will disable basic authentication beginning 1st of October 2022 for all protocols except SMTP auth. This means the following protocols will be disabled:
- Exchange Web Services (EWS)
- Exchange ActiveSync (EAS)
- POP
- IMAP
- Remote PowerShell
- MAPI
- RPC
- OAB
Time frame and how you will be informed
Starting 1st of October, Microsoft will start to turn off basic authentication for the above protocols. Microsoft will randomly select the tenants in which to disable these protocols, as announced in the latest “Basic authentication Deprecation in Exchange Online – September 2022” update.
Selected tenants will be informed via the “Message Center”, accessible via the Microsoft 365 admin portal. So please keep an eye on the incoming messages in this portal.
In recent months Microsoft disabled legacy authentication for tenants where it did not detect use of these types of protocols, based on regular scans and collected telemetry data. You can also check whether you are affected in the Message Center, where you see the following notification
Exception
This important change was announced some time ago by Microsoft in various articles. But there are many customers who are not aware of this upcoming change. Microsoft remedies this with a one-time free passcode for re-enabling the disabled protocols. After a protocol is disabled, all customers have the option to re-enable the disabled protocol once. After reactivation, the protocols will continue to be usable until the end of December 2022. In the first week of 2022, the re-activated protocols will be deactivated again, this time for good.
Please note: Some articles and posts stated that it is possible to opt out the needed legacy basic authentication protocols to avoid service interruptions until the end of the year. This was only possible in September; as of now you have to re-enable needed protocols after they were disabled, unless these were already extended via opt-out.
Status of new Tenants
When you create a new Microsoft 365 tenant, the Security defaults prevent the use of basic authentication by default. After 1st of October it is not possible to enable legacy basic authentication for newly created tenants, even if the security defaults are disabled.
Homework
It is really important to check whether you are affected by these breaking changes. This means checking all tenants that you are responsible for. There is an easy way to check whether legacy authentication protocols are currently in use in any of these tenants. To do this, log on to the Azure portal, go to the Azure AD blade, select “Sign-in Logs”, add a new filter, select “Client Apps” and mark all check boxes under the item “Legacy Authentication Clients”.
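Once the filtered sign-in log has been downloaded from the portal as JSON, the result can be condensed into a per-protocol, per-user list. The following script is an added example, not Microsoft's tooling or part of the original article; it assumes the export uses the property names `userPrincipalName`, `clientAppUsed` and `createdDateTime`, and that the client app labels match the ones mapped below. The sample records are constructed.

```python
import json
from collections import defaultdict

# Assumption: labels from the "Legacy Authentication Clients" filter, as they
# appear in the export's clientAppUsed field, mapped to the protocols above.
AFFECTED = {
    "Exchange Web Services": "EWS",
    "Exchange ActiveSync": "EAS",
    "POP3": "POP",
    "IMAP4": "IMAP",
    "Exchange Online PowerShell": "Remote PowerShell",
    "MAPI Over HTTP": "MAPI",
    "Outlook Anywhere (RPC over HTTP)": "RPC",
    "Offline Address Book": "OAB",
}
EXEMPT = {"Authenticated SMTP": "SMTP auth"}  # not part of the shutdown

# Constructed sample records, not real tenant data.
SAMPLE_EXPORT = json.loads("""[
 {"createdDateTime": "2022-09-20T07:15:02Z", "userPrincipalName": "Anna@example.com", "clientAppUsed": "Exchange ActiveSync"},
 {"createdDateTime": "2022-09-21T06:58:40Z", "userPrincipalName": "anna@example.com", "clientAppUsed": "Exchange ActiveSync"},
 {"createdDateTime": "2022-09-21T09:30:11Z", "userPrincipalName": "scanner@example.com", "clientAppUsed": "Authenticated SMTP"},
 {"createdDateTime": "2022-09-22T12:00:00Z", "userPrincipalName": "backup@example.com", "clientAppUsed": "IMAP4"},
 {"createdDateTime": "2022-09-22T12:05:00Z", "userPrincipalName": "bob@example.com", "clientAppUsed": "Browser"}
]""")

def summarize(records):
    """Return (affected, exempt) as protocol -> user -> {count, last_seen}."""
    affected, exempt = defaultdict(dict), defaultdict(dict)
    for rec in records:
        app = rec.get("clientAppUsed") or ""
        if app in AFFECTED:
            bucket, proto = affected, AFFECTED[app]
        elif app in EXEMPT:
            bucket, proto = exempt, EXEMPT[app]
        else:
            continue  # modern authentication client or unlisted label
        user = (rec.get("userPrincipalName") or "unknown").lower()
        entry = bucket[proto].setdefault(user, {"count": 0, "last_seen": ""})
        entry["count"] += 1
        # ISO 8601 UTC timestamps compare correctly as strings.
        entry["last_seen"] = max(entry["last_seen"], rec.get("createdDateTime") or "")
    return dict(affected), dict(exempt)

if __name__ == "__main__":
    affected, exempt = summarize(SAMPLE_EXPORT)
    for title, group in (("Affected", affected), ("Not affected", exempt)):
        for proto, users in sorted(group.items()):
            for user, info in sorted(users.items()):
                print(f"{title}: {proto:<18} {user:<24} {info['count']:>3}  {info['last_seen']}")
```

Every user listed as affected needs a client that supports modern authentication before the protocol is switched off; the SMTP auth entries are listed separately because that protocol is excluded from the change.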
Conclusion
These changes affect all users who access, for example, an Exchange mailbox via smartphones. The default mail app on a lot of Samsung Galaxy phones out there uses the legacy authentication protocol to connect to Exchange and will no longer work starting 1st of October.
To be clear, Microsoft will permanently and definitively disable all noted protocols in the first week of January, without exception, for all customers. There is no way to extend the use after January of 2023.
And a short reminder: SMTP authentication is currently not affected and will still work after the announced dates where it is currently in use.