Microsoft released a blog in May reminding customers they would be turning off “Basic Auth for specific protocols in Exchange Online.” There has been an increasing number of attacks using Basic Auth to compromise Microsoft customers which lead to the process of disabling it and moving clients to Modern Auth. Protocols that can use Basic Auth include MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS), and Remote PowerShell.

The switch to Modern Auth will mean that MFA is supported which is now a requirement for FCEB agencies according to the Executive Order 14028. CISA goes further in their recent release to say, “After completing the migration to Modern Auth, agencies should block Basic Auth. Basic Auth is most likely used by legacy applications or custom-built business applications.” CISA also recommends creating a plan for moving applications to Modern Auth outlined by Microsoft.

Microsoft will begin to turn off Basic Auth starting on October 1st, 2022. Tenants will be randomly selected and will receive a 7-day warning. They expect the process to completed by the end of 2022 for all tenants.