Basic Authentication Deprecation in Exchange Online – What’s Next

This post has been republished via RSS; it originally appeared at: Microsoft Tech Community - Latest Blogs - .

Last month we turned off Basic auth in Exchange Online for many customers. We’ve protected millions of users from the risks associated with using this legacy form of authentication to access their data.

We want to thank you, too, for all the hard work you’ve done to prepare your tenant and users for this change, and for your part in helping secure our service and your data.

What’s Next

With the protocols most at risk on their way to being secured, we are now turning our attention to one important Exchange protocol that remains untouched by this effort – Autodiscover. The Autodiscover service is used by Outlook, Exchange ActiveSync, and other Exchange Web Services clients and custom code for service location discovery.

Once Basic auth for Outlook, Exchange ActiveSync and Exchange Web Services has been permanently disabled in your tenant, there’s really no reason to keep Autodiscover enabled for Basic auth. So, we’re turning off Autodiscover next. You can of course do this yourself today, using an Authentication Policy (and we recommend you do).

Remember, as with all the other protocols, we’re not turning off the protocol itself, only the ability to authenticate over the protocol using nothing more than a username and password.
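
One way to turn off Basic auth for Autodiscover yourself with an Authentication Policy, as recommended above. This is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module, an Exchange admin account, and a hypothetical policy name, 'Block Basic Auth'.

```powershell
# Added example: audit and disable Basic auth for Autodiscover via Authentication Policies.
# Assumes the ExchangeOnlineManagement module is installed and you sign in as an Exchange admin.
Connect-ExchangeOnline

# 1. Audit: show every policy and whether it still permits Basic auth for Autodiscover.
Get-AuthenticationPolicy |
    Format-Table Name, AllowBasicAuthAutodiscover -AutoSize

# 2. Remediate: switch the setting off in each policy that still allows it.
Get-AuthenticationPolicy |
    Where-Object { $_.AllowBasicAuthAutodiscover } |
    ForEach-Object {
        Set-AuthenticationPolicy -Identity $_.Name -AllowBasicAuthAutodiscover:$false
    }

# 3. Make sure users without an explicit policy are covered by an org-wide default.
#    A newly created policy blocks Basic auth for all protocols, so only do this once
#    Basic auth for the other protocols is already off in the tenant.
$policyName = 'Block Basic Auth'   # hypothetical name, pick your own
if (-not (Get-OrganizationConfig).DefaultAuthenticationPolicy) {
    if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
        New-AuthenticationPolicy -Name $policyName
    }
    Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName
}

# 4. Verify: list users with a per-user policy, which overrides the org default,
#    so you can confirm none of them point at a policy that was missed.
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy } |
    Select-Object UserPrincipalName, AuthenticationPolicy

# 5. Re-run the audit; every row should now show False.
Get-AuthenticationPolicy |
    Format-Table Name, AllowBasicAuthAutodiscover -AutoSize
```

Policy changes can take time to apply to existing sessions, so check sign-in logs for remaining Basic auth Autodiscover attempts before treating the change as complete.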

Timing

We’re starting right away with the tenants with no Basic auth usage at all in 2022, and then in early 2023 (as Basic auth for related protocols is permanently disabled), we will move on to everybody else. If you re-enabled Basic auth in your tenant, or took the option to request more time, we’ll turn off Basic auth for Autodiscover after that extension expires. It’s going to take a few weeks to roll this change out. No tenant will be excluded.

We’re not going to update the self-service diagnostic to allow you to re-enable Autodiscover, which is why we will not disable Autodiscover for any tenant with usage this year. On December 31, 2022, the self-service diagnostic will go away, and after that it won’t be possible to re-enable anything.

With this last step in the process, we will be helping further secure our customers’ accounts and data. Thank you for your help and understanding throughout this process.

The Exchange Team
