For many years, applications have used basic authentication to connect to servers, services, and API endpoints. Devices and applications that use basic authentication normally store account credentials (NHSmail username and password) on the device and send them to Exchange Online with every request. This increases the risk of credentials being stolen, which leads to compromised accounts.
Modern authentication in Exchange Online enables authentication features such as Multi-Factor Authentication (MFA), certificate-based authentication and other, more secure methods.
Microsoft is planning to disable basic authentication for Microsoft Exchange Online. The following protocol is in scope of this change:
- Simple Mail Transfer Protocol (SMTP)
Timelines
Please see below the change dates for retirement:
Protocol | Retirement date |
EAS & RPC | 27th April 2023 (evening) – Completed |
EWS, POP, IMAP & RPS | 25th May 2023 (evening) – Completed |
SMTP | September 2025 |
How might this change affect you
Organisations and NHSmail users with managed or personal mobile and desktop devices may have mail/calendar applications that connect to Exchange Online using basic authentication to send and receive emails. These applications are likely to be impacted by this change.
Organisations’ in-house and third-party backend applications that are currently integrated with Exchange Online using RPS, POP, IMAP or SMTP are also likely to be impacted by this change.
When these protocols are disabled, any mobile application or desktop client using basic authentication will not be able to connect to Exchange Online to send and receive email messages.
After SMTP basic authentication is deprecated for Exchange Online in September 2025, clients, devices and applications that your organisation has set up to connect to Exchange Online using SMTP Basic Authentication will be impacted and must be updated to OAuth 2.0 to continue to work.
We strongly advise organisations and users to proactively take action and follow the guidance in this article to avoid any potential disruption.
The table below provides an overview of the impact and points to the guidance that organisations and users can follow to update their mobile applications and desktop clients.
Protocol | User Impact | Guidance |
EAS, EWS, POP & IMAP | Users with personal mobile and desktop devices using mail/calendar applications | User Guidance |
EAS, EWS, POP & IMAP | Organisations with managed desktops using Microsoft Office Outlook clients | Admin Guidance |
RPC | Organisations with managed desktops using Microsoft Office Outlook 2010 or later. | Admin Guidance |
POP, IMAP & RPS | Organisations using in-house or third-party backend applications | Admin Guidance |
SMTP | Organisations using in-house or third-party backend applications | Admin Guidance |
What you need to do to prepare
Users with personal mobile and desktop devices using mail/calendar applications:
This section provides information to those users with personal mobile and desktop mail and calendar applications integrated with Exchange Online using basic authentication with any of the below protocols:
- Exchange ActiveSync (EAS)
- Exchange Web Services (EWS)
- Post Office Protocol (POP)
- Internet Message Access Protocol (IMAP)
- Simple Mail Transfer Protocol (SMTP)
A series of communications will be sent out to organisations and users appearing in our reporting to raise awareness and guide them through the process. Users and Local Administrators can follow the step-by-step user guide to update clients, devices and applications to use modern authentication and prevent any impact when the change is completed.
Organisations with managed desktops using Microsoft Office Outlook clients:
This section provides information to Local Administrators of organisations with identified users using managed desktops with Office 2010 or later for Windows, or Office 2011 or later for Mac, and connecting to Exchange Online using basic authentication with any of the below protocols:
- Exchange ActiveSync (EAS)
- Exchange Web Services (EWS)
- Post Office Protocol (POP)
- Internet Message Access Protocol (IMAP)
A series of communications will be sent out to organisations appearing in our reporting to raise awareness and guide them through the process. Local Administrators can follow the admin guidance to update Office Outlook clients to use modern authentication.
Organisations with managed desktops using Microsoft Office Outlook 2010 or later:
This section provides information to Local Administrators of organisations with identified users using managed desktops with Office 2010 or later clients and connecting to Exchange Online using basic authentication with the below protocol:
- Remote Procedure Call (RPC)
A communication will be sent out to organisations appearing in our reporting to raise awareness and guide them through the process. Local Administrators can follow the admin guidance to update Office Outlook clients to use MAPI over HTTP instead.
Organisations using in-house or third-party backend applications:
This section provides information to Local Administrators of organisations with in-house software or third-party backend applications that are integrated with Exchange Online using basic authentication with the below protocols:
- Post Office Protocol (POP)
- Internet Message Access Protocol (IMAP)
- Remote PowerShell (RPS)
- Simple Mail Transfer Protocol (SMTP)
All applications must be registered with Azure Active Directory and a Secret will need to be used to authenticate the connection using modern authentication. Local Administrators can follow the admin guidance to submit a request to register an application.
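As an added illustration (not NHSmail's or Microsoft's own code), the Python example below contrasts the payload a backend application sends with SMTP basic authentication against the XOAUTH2 payload it sends after moving to OAuth 2.0. The mailbox address, password and token are constructed values, the SMTP host is supplied by the caller, and the access token is assumed to have been obtained already using the registered application's secret.

```python
import base64
import smtplib
import ssl
from email.message import EmailMessage


def basic_auth_plain(username: str, password: str) -> str:
    """SASL PLAIN payload used by basic auth: the reusable password, base64 only."""
    return base64.b64encode(f"\0{username}\0{password}".encode()).decode()


def recover_plain(blob: str) -> tuple:
    """Anyone who obtains a stored or logged PLAIN payload reads the password back."""
    _authzid, username, password = base64.b64decode(blob).decode().split("\0")
    return username, password


def xoauth2_string(username: str, access_token: str) -> str:
    """SASL XOAUTH2 payload: mailbox name plus an expiring bearer token, no password."""
    return f"user={username}\x01auth=Bearer {access_token}\x01\x01"


def send_with_oauth(host: str, username: str, access_token: str, msg: EmailMessage) -> None:
    """Submit one message over STARTTLS (port 587), authenticating with XOAUTH2."""
    with smtplib.SMTP(host, 587, timeout=30) as smtp:
        # Pass an explicit context so the server certificate and hostname are verified.
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()
        # smtplib base64-encodes the string returned by the auth object.
        smtp.auth("XOAUTH2", lambda challenge=None: xoauth2_string(username, access_token))
        smtp.send_message(msg)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    user, pw, token = "app.mailbox@example.test", "Constructed-Passw0rd", "constructed.access.token"
    blob = basic_auth_plain(user, pw)
    print("AUTH PLAIN", blob, "->", recover_plain(blob))
    print("AUTH XOAUTH2 payload:", repr(xoauth2_string(user, token)))
```

With XOAUTH2 the application stores only the client secret used to request tokens; the password never reaches the device or the wire, and a captured token expires.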
Last Reviewed Date | 29/05/2025 |