Microsoft retires Basic Authentication in Exchange Online

As more sophisticated cyber criminals take aim at hybrid and remote workers, Microsoft is working to raise awareness among Exchange Online customers that one of the most important security steps they can take is to move away from outdated, less secure protocols, like Basic Authentication. As previously announced, we are turning off Basic Authentication in Exchange Online for all tenants starting October 1, 2022.¹

Since we announced our intent to deprecate Basic Authentication in 2019, we have helped millions of Exchange Online users move to Modern Authentication. We have also worked with partners to help our mutual customers turn off Basic Authentication and implement Modern Authentication.

Securing email has never been more critical. Email remains essential for sales, productivity, and confidential communication in business, and using Basic Authentication puts companies at greater risk of data breaches and email disruption. There are 921 password attacks every second, almost doubling the frequency of attacks from 2021. In addition, the FBI’s Internet Crime Complaint Center (IC3) received 19,954 business email compromise (BEC) and email account compromise (EAC) complaints with adjusted losses at nearly USD2.4 billion.²  

Moving your Exchange Online organization from Basic Authentication to the more secure OAuth 2.0 token-based authentication (or Modern Authentication) enables stronger protection and the ability to use features like multifactor authentication (MFA). This is particularly beneficial for small and medium-sized businesses that don’t have dedicated security staff.

Our own research found that more than 99 percent of password spray attacks leverage the presence of Basic Authentication. The same study found that over 97 percent of credential-stuffing attacks also use legacy authentication. Customers that have disabled Basic Authentication have experienced 67 percent fewer compromises than those who still use it.

Improve security and avoid disruption

The reality is that updating your apps and configuration to use Modern Authentication makes your business more secure against many threats. Many mobile devices still use Basic Authentication, so making sure your device is using the latest software or operating system update is one of the ways to switch it to use Modern Authentication. You can also use an app, such as Outlook mobile, that only uses Modern Authentication and works on both iOS and Android devices.

Your tenant admin should check the Microsoft 365 Message Center often, as usage data is sent regularly to all tenants still using Basic Authentication. The messages contain links to useful Microsoft Docs, such as Deprecation of Basic Authentication in Exchange Online, which explain how to identify and remediate Basic Authentication usage. We recommend our customers turn off Basic Authentication and implement Modern Authentication now.

Read the latest updates from the Exchange Online team.

---

¹Deprecation of Basic authentication in Exchange Online, Microsoft Learn. October 3, 2022.

²Internet Crime Report 2021, Internet Crime Complaint Center, Federal Bureau of Investigation. 2021.