D-Day has arrived. No, I am not talking about some combat situation but about Microsoft’s Basic Auth for Exchange Online customers, which is officially being switched off now. It will cease to exist on Remote PowerShell, RPC, MAPI, Exchange Web Services (EWS), IMAP, POP, and Offline Address Book (OAB), but not SMTP Auth.
But hey, it’s not like Microsoft is leaving you stranded. Instead, you will get a next-gen authentication feature dubbed OAuth 2.0. Here’s the entire story.
Microsoft is switching off Basic Auth for Exchange Online customers today
Microsoft has been warning its Exchange Online customers for ages now that it would switch off Basic Auth, which is less secure at this point. With that said, tenants using Basic Auth will steadily see the protocol deprecated and will instead get their hands on the more secure OAuth 2.0.
Apparently, Microsoft will not simply take away Basic Auth in one go, nor will it vanish into thin air; instead, it will switch off the feature tenant by tenant, on a random basis. As Neowin points out, the Redmond giant hasn’t opted for a hard deadline; rather, October 1st was the day it kick-started switching off the feature, which will take some time to go down officially.
As per the timeline, Basic Auth will continue to work through December this year, and Microsoft will finally put the last nail in the coffin in the first week of January 2023.
Unless you switch to OAuth 2.0 now, switching to it once Basic Auth has vanished abruptly (not that abruptly, though) might create some degree of friction.
The move to OAuth 2.0 was made because it is more secure. Basic Auth requires a username and password to make client access requests, which makes it a prime target for brute-force or password-spray attacks.
With OAuth 2.0, Exchange Online customers will be able to add extra layers of security, making it harder for attackers to penetrate the system.
Just to make the timeline crystal clear, Basic Auth will officially go down by the first week of January 2023 affecting many if not all clients. It’s high time to make a move to OAuth 2.0 before it is too late.