For many years, applications have used basic authentication to connect to servers, services, and API endpoints. Devices and applications that use basic authentication normally store account credentials (NHSmail username and password) on the device and send them to Exchange Online with every request. This increases the risk of credentials being stolen, which leads to compromised accounts.
Modern authentication in Exchange Online enables authentication features such as multi-factor authentication (MFA), certificate-based authentication and other, more secure methods.
Microsoft and NHSmail are planning to disable basic authentication for Microsoft Exchange Online. The following protocols are in scope of this change:
- Exchange ActiveSync (EAS)
- Exchange Web Services (EWS)
- Post Office Protocol (POP)
- Internet Messaging Access Protocol (IMAP)
- Remote Procedure Call (RPC)
- Remote PowerShell (RPS)
Timelines
The NHSmail team has put in place a strategy to stage the retirement of these protocols on a new schedule, completing before June 2023, to reduce any potential impact or disruption to organisations and their users. The change has been broken down into the two dates shown below:
| Protocol | Retirement date |
| --- | --- |
| EAS & RPC | 27th April 2023 (evening) |
| EWS, POP, IMAP & RPS | 25th May 2023 (evening) |
How might this change affect you
Organisations and NHSmail users with managed or personal mobile and desktop devices could have mail/calendar applications connected to Exchange Online using basic authentication to send and receive emails; these are likely to be impacted by this change.
Organisations’ in-house and third-party backend applications that are currently integrated with Exchange Online using RPS, POP or IMAP are also likely to be impacted by this change.
When these protocols are disabled, any mobile application or desktop client using basic authentication will not be able to connect to Exchange Online to send and receive email messages.
We strongly advise organisations and users to proactively take action and follow the guidance in this article to avoid any potential disruption.
The table below provides an overview of the impact and points to the guidance that organisations and users can follow to update their mobile applications and desktop clients.
| Protocol | User impact | Guidance |
| --- | --- | --- |
| EAS, EWS, POP & IMAP | Users with personal mobile and desktop devices using mail/calendar applications | User Guidance |
| EAS, EWS, POP & IMAP | Organisations with managed desktops using Microsoft Office Outlook clients | Admin Guidance |
| RPC | Organisations with managed desktops using Microsoft Office Outlook 2010 or later | Admin Guidance |
| POP, IMAP & RPS | Organisations using in-house or third-party backend applications | Admin Guidance |
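Local Administrators who want to find out which accounts still depend on the protocols in the schedule above can work from the Azure AD sign-in logs, where legacy-authentication sign-ins are labelled by the client application used. The following script is an added example, not NHSmail's own tooling: it reads a constructed sample of sign-in records (field names follow the Microsoft Graph signIn resource), maps the reported client application to the protocol names used on this page (that mapping is an assumption), and groups the affected accounts by the retirement date that applies to them.

```python
import json
from collections import defaultdict

# Constructed sample of Azure AD sign-in log records (a real export carries many
# more fields); the field names follow the Microsoft Graph signIn resource.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2023-03-20T08:01:00Z", "userPrincipalName": "alice@example.nhs.net",
     "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 0}},
    {"createdDateTime": "2023-03-20T08:02:00Z", "userPrincipalName": "bob@example.nhs.net",
     "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
    {"createdDateTime": "2023-03-20T08:03:00Z", "userPrincipalName": "svc-backup@example.nhs.net",
     "clientAppUsed": "Exchange Online PowerShell", "status": {"errorCode": 0}},
    {"createdDateTime": "2023-03-20T08:04:00Z", "userPrincipalName": "carol@example.nhs.net",
     "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}},
    {"createdDateTime": "2023-03-20T08:05:00Z", "userPrincipalName": "alice@example.nhs.net",
     "clientAppUsed": "Outlook Anywhere (RPC over HTTP)", "status": {"errorCode": 0}},
    {"createdDateTime": "2023-03-20T08:06:00Z", "userPrincipalName": "dave@example.nhs.net",
     "clientAppUsed": "POP3", "status": {"errorCode": 50126}},
])

# Assumed mapping from the clientAppUsed values reported for legacy
# authentication to the protocol names used in the NHSmail schedule.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync": "EAS",
    "Exchange Web Services": "EWS",
    "POP3": "POP",
    "IMAP4": "IMAP",
    "Outlook Anywhere (RPC over HTTP)": "RPC",
    "Exchange Online PowerShell": "RPS",
}

# Retirement dates taken from the schedule on this page.
RETIREMENT_DATE = {
    "EAS": "27 April 2023", "RPC": "27 April 2023",
    "EWS": "25 May 2023", "POP": "25 May 2023",
    "IMAP": "25 May 2023", "RPS": "25 May 2023",
}
DATE_ORDER = ("27 April 2023", "25 May 2023")


def classify(record):
    """Return the schedule protocol code for a legacy-auth sign-in, else None."""
    return LEGACY_CLIENT_APPS.get(record.get("clientAppUsed"))


def impact_report(signins_json, successful_only=True):
    """Group affected (user, protocol) pairs by the date their protocol is retired."""
    report = defaultdict(set)
    for rec in json.loads(signins_json):
        proto = classify(rec)
        if proto is None:
            continue  # modern auth or a non-mail client: not affected by the change
        if successful_only and rec.get("status", {}).get("errorCode", 0) != 0:
            continue  # a failed attempt does not prove the account relies on the protocol
        report[RETIREMENT_DATE[proto]].add((rec["userPrincipalName"], proto))
    return {date: sorted(pairs) for date, pairs in report.items()}


if __name__ == "__main__":
    result = impact_report(SAMPLE_SIGNINS)
    for date in DATE_ORDER:
        print(f"Protocols retired {date}:")
        for upn, proto in result.get(date, []):
            print(f"  {upn:35} {proto}")
```

Only successful sign-ins are counted by default, so that a one-off failed attempt against POP (as in the constructed `dave` record) does not put an account on the list; pass `successful_only=False` to include those as well when checking for applications that are still trying to use a retired protocol.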
What you need to do to prepare
Users with personal mobile and desktop devices using mail/calendar applications:
This section provides information to those users with personal mobile and desktop mail and calendar applications integrated with Exchange Online using basic authentication with any of the below protocols:
- Exchange ActiveSync (EAS)
- Exchange Web Services (EWS)
- Post Office Protocol (POP)
- Internet Messaging Access Protocol (IMAP)
A series of communications will be sent out to organisations and users appearing in our reporting to raise awareness and guide them through the process. Users and Local Administrators can follow the step-by-step user guide to update mail/calendar applications to use modern authentication and prevent any impact when the change is completed.
Organisations with managed desktops using Microsoft Office Outlook clients:
This section provides information to Local Administrators of organisations with identified users using managed desktops with Office 2010 or later for Windows, or Office 2011 or later for Mac, and connecting to Exchange Online using basic authentication with any of the below protocols:
- Exchange ActiveSync (EAS)
- Exchange Web Services (EWS)
- Post Office Protocol (POP)
- Internet Messaging Access Protocol (IMAP)
A series of communications will be sent out to organisations appearing in our reporting to raise awareness and guide them through the process. Local Administrators can follow the admin guidance to update Office Outlook clients to use modern authentication.
Organisations with managed desktops using Microsoft Office Outlook 2010 or later:
This section provides information to Local Administrators of organisations with identified users using managed desktops with Office 2010 or later clients and connecting to Exchange Online using basic authentication with the below protocol:
- Remote Procedure Call (RPC)
A communication will be sent out to organisations appearing in our reporting to raise awareness and guide them through the process. Local Administrators can follow the admin guidance to update Office Outlook clients to use IMAP over HTTP instead.
Organisations using in-house or third-party backend applications:
This section provides information to Local Administrators of organisations with in-house software or third-party backend applications that are integrated with Exchange Online using basic authentication with the below protocols:
- Post Office Protocol (POP)
- Internet Messaging Access Protocol (IMAP)
- Remote PowerShell (RPS)
All applications must be registered with Azure Active Directory, and a secret will need to be used to authenticate the connection using modern authentication. Local Administrators can follow the admin guidance to submit a request to register an application.
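Once an application has been registered, a backend application that used to log in to IMAP with a stored username and password instead exchanges the registration's client id and secret for a short-lived access token and presents that token to Exchange Online. The following is an added example of that flow, not code from NHSmail or from Microsoft: it assumes the standard Azure AD v2.0 token endpoint and the client credentials grant with the Exchange Online `.default` scope, and uses placeholder values for the tenant id, client id, secret and mailbox.

```python
import imaplib
import json
import urllib.parse
import urllib.request

# Placeholder values: replace with the tenant id, application (client) id and
# client secret issued when the application is registered. The secret should be
# loaded from a secret store at runtime rather than kept in source.
TENANT_ID = "<tenant-id>"
CLIENT_ID = "<application-client-id>"
CLIENT_SECRET = "<client-secret>"
MAILBOX = "shared.mailbox@example.nhs.net"   # constructed example address
IMAP_HOST = "outlook.office365.com"

# Resource scope for Exchange Online when using the client credentials grant.
EXO_SCOPE = "https://outlook.office365.com/.default"


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for a client-credentials token request to Azure AD."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": EXO_SCOPE,
    })
    return url, body


def acquire_token(tenant_id, client_id, client_secret):
    """POST the token request and return the short-lived bearer access token."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(
        url, data=body.encode("ascii"), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def xoauth2_initial_response(user, access_token):
    """Build the SASL XOAUTH2 client response; imaplib base64-encodes it before sending."""
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")


def open_mailbox(host, user, access_token):
    """Connect over TLS and authenticate with the token instead of a stored password."""
    conn = imaplib.IMAP4_SSL(host)
    conn.authenticate("XOAUTH2", lambda _challenge: xoauth2_initial_response(user, access_token))
    return conn


if __name__ == "__main__":
    token = acquire_token(TENANT_ID, CLIENT_ID, CLIENT_SECRET)
    conn = open_mailbox(IMAP_HOST, MAILBOX, token)
    status, data = conn.select("INBOX", readonly=True)
    print("INBOX select:", status, data)
    conn.logout()
```

The mailbox password never leaves the secret store in this flow, and the token Exchange Online sees expires on its own, which is the property that basic authentication lacks. The registration also needs the application permission for the protocol it uses (for IMAP, `IMAP.AccessAsApp`) and access to the target mailbox, both of which are granted as part of the registration request described above.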
Last Reviewed Date: 29/03/2023