https://www.sikich.com

Office 365: Basic Authentication Retirement for Legacy Protocols in Exchange Online

Jerad Cook

Mar 12 2020

3 min read

Microsoft recently announced their plans to retire Basic Authentication for several legacy protocols used to access Exchange Online. If you’ve stumbled across this post researching the news, you’re likely wondering what exactly this means to you and your organization.

Below is the breakdown of affected protocols:

Exchange Web Services (EWS)
Exchange ActiveSync (EAS)
IMAP4
POP3
Remote Powershell (RPS)

The deprecation of these protocols will occur on October 13, 2020. If this widespread change is like any past ones made in Office 365, you can expect a slow roll-out to tenants starting on this date. Meaning, it likely will not be an immediate kill switch, but you should be prepared by this date.

The Future of Mobile Client Authentication

What exactly will this change affect? Mobile clients will experience the most user-facing changes. Microsoft licenses the use of ActiveSync (EAS) to many mobile device vendors, in order to enable connectivity from their built-in mail clients to Exchange, such as the Mail app in iOS. The burden will be on mobile device OS vendors to upgrade their clients to support modern authentication. In the case of Apple and iOS, starting with iOS 11, modern authentication is supported.

To prepare for this change, you should survey the devices and OS versions used in your environment to ensure that only up-to-date operating systems are in use. To take it one step further and eliminate the dependency on OS vendors, enforce the Outlook mobile app across your organization. Not only will this guarantee the continued flow of email at the time of cut off, but it also will ensure the use of a fantastic app that Microsoft is continuously improving.

Time to Move Away from IMAP4 and POP3

While Microsoft plans to update POP3 and IMAP4 connections to support modern authentication, I recommend moving away from them completely. You should identify critical applications that require these protocols and find out how you can move away from them. The SMTP protocol is not being changed; this may be a potential work around.

For end users using third-party email clients that rely on these protocols, it time to take these options out of their hands and enforce using Outlook or OWA.

Identifying the Weak Links

Depending upon your environment, this change may seem like its laid a daunting task on your lap. What is the best way to get the full picture? You might not know about that executive who is still using Thunderbird as their primary email client. Luckily, Microsoft will release a tool to help identify what is using basic auth to connect to mailboxes. Microsoft has not announced its release date yet, but it should be available well before the 10/13/20 deadline.

Let Sikich Help!

If you need help with transitioning your clients or have not yet made the jump to Office 365, please reach out and let Sikich help guide you through the process!

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.

About the Author

Jerad Cook

Jerad Cook is a Senior Network Consultant at Sikich, assisting clients in achieving their business objectives through technology and trusted advice. He holds a Bachelor’s degree in Computer Information Systems from Kent State University, as well as several Microsoft certifications that give him a Microsoft Certified Solutions Expert (MCSE) status. His primary area of focus revolves around Microsoft’s Cloud services, which he has ten years of experience with. This includes working with both Azure and Office 365 environments in order to drive clients toward full cloud enablement.