365labs - Microsoft 365 and cybersecurity consultancy


Support ending for basic authentication in Exchange Online

Microsoft will be disabling basic authentication in Exchange Online worldwide from 1st Oct 2022 after postponing once already.

Microsoft announced in February 2021 their intention to turn off basic authentication in Exchange Online (EXO) for tenants not actively using it. In September 2021 they announced they would delay this until October 2022.

Basic authentication makes multi-factor authentication ineffective and generally makes the whole experience of using EXO more cumbersome for users and administrators, particularly when using modern email clients like Outlook 2016/2019/365.

Outlook 2013 or later supports modern authentication, and support ended for Office 2010 (and Outlook 2010) on 13th October 2020, so organisations should have already moved away from it. If your organisation hasn’t already done so you will need to have done so by 1st October 2022, or you run the risk of Outlook 2010 or earlier ceasing to work shortly thereafter. You may also find that users on modern clients face difficulties if they currently use POP/IMAP, for example.

You should check for basic/legacy authentication before enforcing modern authentication. If you use Azure AD free rather than P1 or P2 then you may only see the previous 7 days.

Open the Azure Portal,

  1. Azure Active Directory > Sign-in logs;

  2. Select the date range last 1 month.

  3. Add filter by field Client App.

  4. Select all Legacy Authentication Clients as the filter.

At this point you should hopefully see “No sign-ins found”, in which case you should be good to go to enforce modern auth.
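The same check can be scripted so it can be re-run before the cut-off date and the results kept. The following is an added example using the Microsoft Graph PowerShell SDK; it is not code from the original 365labs post. It assumes the Microsoft.Graph.Reports module is installed, that the connecting account has the AuditLog.Read.All and Directory.Read.All permissions, and that the list of client app names below matches what the Azure portal groups under “Legacy Authentication Clients” (that list is an assumption and should be compared with the portal filter). As with the portal, Azure AD Free only retains the last 7 days of sign-in logs.

```powershell
# Added example (not from the original 365labs post): list legacy-authentication
# sign-ins from the Azure AD sign-in logs with the Microsoft Graph PowerShell SDK.
# Assumes Microsoft.Graph.Reports is installed and the account used to connect
# has the AuditLog.Read.All and Directory.Read.All permissions.
# Azure AD Free keeps only 7 days of sign-in logs, so a 1-month lookback
# will be truncated on that tier.

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# Client app values the Azure portal groups under "Legacy Authentication Clients".
# Assumption: this mirrors the portal filter; check it against your tenant's portal.
$legacyClientApps = @(
    'Authenticated SMTP', 'Autodiscover', 'Exchange ActiveSync',
    'Exchange Online PowerShell', 'Exchange Web Services', 'IMAP4',
    'MAPI Over HTTP', 'Offline Address Book', 'Other clients',
    'Outlook Anywhere (RPC over HTTP)', 'Outlook Service for Exchange',
    'POP3', 'Reporting Web Services', 'SMTP', 'Universal Outlook'
)

# Look back one month, matching the portal's "Last 1 month" date range.
$since = (Get-Date).AddMonths(-1).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# Filter by date server-side; the client-app match is done locally so the
# Graph $filter stays simple.
$signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.ClientAppUsed -in $legacyClientApps }

if (-not $signIns) {
    Write-Host "No legacy authentication sign-ins found in the last month."
    return
}

# Summarise who is still using which legacy protocol. Failed legacy sign-ins
# are reported separately: a failing client today will simply keep failing
# after the cut-off, but it still points at a user or device to fix.
$signIns |
    Group-Object ClientAppUsed, UserPrincipalName |
    ForEach-Object {
        [pscustomobject]@{
            ClientApp = $_.Group[0].ClientAppUsed
            User      = $_.Group[0].UserPrincipalName
            Succeeded = ($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
            Failed    = ($_.Group | Where-Object { $_.Status.ErrorCode -ne 0 }).Count
            LastSeen  = ($_.Group | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime
        }
    } |
    Sort-Object ClientApp, User |
    Format-Table -AutoSize
```

Run this a few times over the weeks leading up to the cut-off: an empty result is the same “good to go” signal as the portal check, while any rows tell you exactly which users and protocols still need migrating before legacy authentication is blocked.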

Assuming you are not using Conditional Access already, the best way to quickly do this and also turn on multi-factor authentication is to enable Security Defaults, which:

  • Require all users to register for multi-factor authentication (within 14 days)

  • Require administrators to do multi-factor authentication at every sign-in.

  • Require users to do multi-factor authentication when necessary.

  • Block legacy authentication protocols.

  • Protect privileged activities like access to the Azure portal.

Turn on security defaults: Azure Active Directory > Properties > Manage security defaults > Enable security defaults. Select Yes and click Save.

Conditional access policies are a better option longer term, give better granularity and overall offer the most secure option for the tenancy but this is a good starting point. Security defaults will need to be disabled before Conditional Access policies are used.

Organisations need to keep on top of their software’s end-of-support dates, and even within the supported period, older versions may not offer what is required for the modern internet. Keeping a software asset inventory is absolutely essential.

We keep a list of the upcoming end of support dates for common Microsoft products in a blog post which is linked below. The complete list can be found on the Product and Services Lifecycle Information page on the Microsoft website.

As always if you need any assistance please contact us.
