Basic Authentication for Microsoft Exchange will cease from 21 October 2022

Basic Authentication for Microsoft Exchange is unfortunately no longer possible as of 21 October 2022.

Why is Microsoft going to abolish this? Because basic authentication is not ' safe ' anymore and there are now enough alternatives to make it more secure.

If you are using basic authentication today, then you have most likely already been hacked. Basic authentication makes it easier for attackers to capture accounts because they don't have to go through complex authentication. Simply explained.

Basic Authentication cannot handle new methods like OAuth. OAuth is a way of logging in that allows you to use Multi-Factor which Basic-Authentication cannot. And I believe that without MFA there is definitely no future because passwords alone are a thing of the past.

Microsoft is a forerunner when it comes to security. Organisations have taken plenty of time to roll out MFA and now the old legacy authentication is going too.

Microsoft has decided by COVID-19 to move 13 October 2020 to 21 October 2022.

What is basic authentication?

Basic authentication is logging in to a service with a user name and a password.
For example, logging into your Microsoft Outlook as shown in this image.

Basic authentication pop-up Microsoft Outlook

What is modern authentication?

Modern Authentication is a smarter way to log on. Because it gives a better pop-up where you can enter your username and password . More importantly, it additional factors can be used and it is still user-friendly.

What is the impact of disabling basic authentication?

These 'protocols' will no longer be addressable through basic authentication EWS, EAS, IMAP, POP and RPS
Your old Android phone will no longer work with the built-in application.
Old mail clients, Outlook 2007, 2010 (first versions) can no longer connect to Exchange Online .
Printers, copiers, multi-functionals, applications that still relay via basic authentication will stop working unless they can handle OAuth 2.0. (often they don't)

How can you measure whether you are still using Basic Authentication?

Login to your Azure Control panel via https://Azure.microsoft.com
Click on users, sign-ins.

Click on Add Filters
Select Client App

Select all except 'Mobile Apps and Desktop Clients
Or filter out fewer when you know they are no longer needed.
Browser can be left out too.

Now you see a list of applications that log in via Basic-Authentication

Why should you block it?

This is what each environment looks like... (see date, and the minutes...)
Every other minute there are attempts on your Office 365 environment. But of course also on your on-premises environment, or other application. Office 365 and Exchange Online are the most used platforms in the world.
Be sure to do a risk assessment via this blog

What is the best way to react?

Microsoft needs to keep organisations safe. This is not possible with basic authentication. Exchange Online is the most widely used platform and has the worst security standards in terms of authentication.
You can certainly write off this change and think: "Let's keep our Exchange on-premises". But be sure to ask yourself: "Canyou view intelligent logging like the one above?" So do you want to stick with your own infrastructure?
Cloud is the future , and we should be glad that Microsoft wants to make these security improvements for us to an industry standard.
Phishing is the most common method of attack by hackers...
Contact vendors and ask them to update your application so that it can authenticate with OAuth 2.0.