Note: In response to the COVID-19 crisis, Microsoft has postponed disabling of Basic Authentication in Exchange Online until the second half of 2021.

In July 2018, Microsoft announced they will be turning off Basic Authentication for Exchange Web Services on October 13th, 2020. Additionally, last September it was announced that Basic Authentication for Exchange ActiveSync (EAS), POP, IMAP, and Remote PowerShell would also be turned off on the same day. This means that all new or existing apps will no longer be able to use Basic Authentication when connecting to Exchange Online. This change does not impact SMTP AUTH or on-premises versions of Exchange Server.

We’ve outlined three critical facts to help you determine what, if any, action to take before Basic Authentication for Exchange Online is turned off.


What is Basic Authentication for Exchange Online?

Basic Authentication means that the client application passes the username and password with every request. Although simple to setup and use, Basic Authentication makes it easier for attackers armed with today’s tools and methods to capture users’ credentials and increases the chance of credential re-use against other endpoints or services.


Why is Basic Authentication for Exchange Online being turned off?

With Basic Authentication enabled, it is easy to compromise accounts through brute force attacks or password spray attacks. Since Multi-Factor Authentication (MFA) is not supported by Basic Authentication, if your password gets stolen, your entire account can be stolen too. In fact, your account is more than 99.9% less likely to be compromised if you use Multi-Factor Authentication (MFA).


How do I prepare for the transition to Modern Authentication?

Modern Authentication in Microsoft 365 is based upon OAuth 2.0 for authentication and authorization. It enables enhanced authentication to users, including MFA and Conditional Access. These make it a more secure method to access data than Basic Authentication.

Start preparing to transition to Modern Authentication by using the Exchange Online PowerShell Module that supports Modern Authentication. You should also consider adopting the Outlook Mobile App from Exchange ActiveSync.

It is also vital to identify which applications within your organization still use IMAP and POP. These apps may need to be updated for compatibility with Modern Authentication. If you fail to update the app before switching to Modern Authentication it may stop working entirely.


While the end of support for Basic Authentication may cause some inconvenience, it will ensure a more secure, reliable, and productive experience for all Microsoft customers. By preparing to transition to Modern Authentication as soon as possible, you are giving your organization an advantage in protecting your data and users from costly security attacks.

At Apex Digital Solutions, we are aware of the impact that this could have on your business and we specialize in solutions to secure your organization while keeping your users productive. Our Ignite for Identity and Threat Protection service offering protects organizations from data breaches by enabling MFA and Advanced Threat Protection. Contact us at today to and discuss how Apex Digital Solutions can help prevent malicious attacks in your organization.


Ignite for Identity and Threat Protection

Get a quick, cost-effective way to protect your organization from the latest e-mail security threats, keep accounts safe-guarded, and avoid a costly embarrassing breach.

Let’s get started today!