Exchange Online deprecating Basic Authentication

Originally published: September 20, 2019


Exchange Online is deprecating Basic Authentication for multiple protocols prior to its removal on October 13, 2020. Basic Authentication relies on sending usernames and passwords (often stored on or saved to the device) with every request, which increases the risk of attackers capturing users' credentials, particularly when the connection is not protected by TLS.

Basic Authentication is superseded by Modern Authentication (based on OAuth 2.0). Customers are encouraged to move to apps that support Modern Authentication prior to the Basic Authentication removal in October 2020. After October 2020, apps will not be able to use Basic Authentication when connecting to Exchange Online.

This change only affects commercial M365 at this time, not users of our consumer service, Outlook.com. It impacts Exchange ActiveSync (EAS), IMAP, POP, and Remote PowerShell.

Go here to learn more.

Please note this change does not affect SMTP AUTH, because of the large number of devices and appliances that use SMTP for sending mail. Microsoft will continue supporting Basic Authentication for SMTP AUTH for the time being, though we are working on ways to further secure SMTP AUTH. This change does not affect Outlook for Windows or Mac if they are already configured to use Modern Auth.
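
The following is an added example, not Microsoft code: a small Python audit that triages a client inventory against the scope stated in this notice and shows why a captured Basic Authentication header exposes the password itself. The inventory records, their field names and the `Basic`/`OAuth` scheme labels are constructed assumptions, not a Microsoft log schema.

```python
import base64

# Scope as stated in the notice.
AFFECTED = {"EAS", "IMAP", "POP", "RemotePowerShell"}  # Basic Auth removed
EXEMPT = {"SMTP"}                     # SMTP AUTH keeps Basic Auth for now

# Constructed inventory; field names and scheme labels are hypothetical.
CONNECTIONS = [
    {"client": "phone-01", "protocol": "EAS", "scheme": "Basic", "tls": True},
    {"client": "scanner-02", "protocol": "SMTP", "scheme": "Basic", "tls": False},
    {"client": "legacy-app", "protocol": "IMAP", "scheme": "Basic", "tls": False},
    {"client": "laptop-07", "protocol": "EAS", "scheme": "OAuth", "tls": True},
    {"client": "ops-script", "protocol": "RemotePowerShell", "scheme": "Basic", "tls": True},
]

def decode_basic(header_value):
    """Recover (user, password) from a Basic Authorization value (RFC 7617).
    Basic is base64("user:password"): an encoding, not encryption, so every
    captured request yields the credential. Returns None for anything else.
    """
    scheme, _, payload = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        text = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except ValueError:  # malformed base64 or invalid UTF-8
        return None
    user, sep, password = text.partition(":")
    return (user, password) if sep else None

def triage(conn):
    """Classify one connection against the scope in the notice."""
    if conn["scheme"].lower() != "basic":
        return "ok: modern auth"
    if conn["protocol"] in AFFECTED:
        status = "migrate: basic auth will be removed"
    elif conn["protocol"] in EXEMPT:
        status = "review: basic auth still allowed"
    else:
        status = "unknown protocol"
    # Without TLS the reusable password crosses the network in the clear.
    return status + ("" if conn["tls"] else " (credential exposed: no TLS)")

def report(connections):
    return {c["client"]: triage(c) for c in connections}

if __name__ == "__main__":
    for client, status in report(CONNECTIONS).items():
        print(f"{client:12} {status}")
```
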