
Basic authentication deprecation

Microsoft deprecation of basic authentication in Exchange Online

For many years, applications have used basic authentication to connect to servers, services, and API endpoints. Microsoft are planning to disable basic authentication for Outlook, EWS, RPS, POP, IMAP, and EAS protocols in Exchange Online in September 2022. NHSmail has re-negotiated an extension with Microsoft until June 2023.

The NHSmail service is looking to move the different legacy protocols onto separate schedules within this time period, so that the changes are not all implemented at the same time, reducing the potential impact on organisations and their users.

How might this change affect your organisation?

If you have any applications that use basic authentication in Exchange Online for Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, Exchange Web Services (EWS), Offline Address Book (OAB), Outlook for Windows, and Mac, then you will need to move to applications that use Modern authentication (OAuth 2.0 token-based authorisation).

For more information and guidance on deprecation of basic authentication in Exchange Online, please refer to Deprecation of Basic authentication in Exchange Online | Microsoft Docs

Important Note:

Microsoft are not deprecating SMTP at this time. If your application solely uses SMTP then you can continue to use outlook.office.365.com or send.nhs.net.

Timelines

As mentioned above, the NHSmail service is looking to separate out the different legacy protocols on to a new schedule within this time period.

EAS – Exchange Active Sync

We are planning to separate EAS (Exchange Active Sync) into 2 different groups: unmanaged mobile phones, and managed mobile phones (those with a corporate Mobile Device Management (MDM) system).

Google and Apple have deployed code updates to supported devices/OS versions, so that their devices can support modern auth. To force the devices to re-authenticate with modern auth, NHSmail will:

  • Identify impacted users and contact them to inform them of the change being made (during January 2023)
  • Block basic authentication for EAS for the users identified, at the beginning of February 2023

This will force the devices to switch to modern auth, meaning the user will need to re-authenticate to the device with their NHSmail credentials to regain access.

In addition, for devices that we see which are managed by a corporate management system, those organisations will need to set the required policies and push them out to the devices to force modern authentication.

In this situation, NHSmail will:

  • Identify impacted organisations and contact them to inform them of the change being made (contact to be sent during January 2023)
  • Block basic authentication for EAS for the whole tenant, beginning February 2023 (once the first phase above has been completed)

Organisations will need to push out the relevant policy changes for their MDM to ensure the devices use modern auth and have the required security fixes from the OS supplier. The user will need to re-authenticate to the device with their NHSmail credentials to regain access.

RPC over HTTP

Organisations that are using RPC over HTTP will need to remove the registry settings that were deployed to force devices to use RPC over HTTP rather than MAPI over HTTP.

In this situation, NHSmail will:

  • Identify impacted users and organisations and contact them to inform them of the change they need to deploy (contact to be sent during January 2023)
  • Block basic authentication for RPC over HTTP for the tenant in February 2023

Organisations will need to push out the relevant registry changes to ensure the devices use modern auth. The user will need to re-authenticate to the device with their NHSmail credentials to regain access.

EWS, POP and IMAP

A new self-service request process is being built that will allow organisations to request a custom application that enables OAuth for POP and IMAP.

App ID, secret and associated identities will be confirmed and provided within the process.

In this situation, NHSmail will:

  • Identify impacted users and organisations and contact them to inform them of the change they need to deploy (contact to be sent during January/February 2023)
  • Block basic authentication for EAS, POP and IMAP for the users identified, in May/June 2023

Organisations will need to request the relevant applications for their users/services to switch to OAuth application authentication for POP and IMAP. These will need to be requested through the capabilities being developed, and will need to be tested and deployed within the application/system on the client side.

Further information and documentation will be provided in due course to explain what the process is and how the relevant application can be requested and scoped.

What you need to do to prepare:

Use modern authentication (OAuth 2.0 token-based authorisation) for any applications or clients that you use that could be impacted.

If your in-house or third-party application needs to access IMAP, POP and SMTP AUTH protocols in Exchange Online, a potential option is to follow the step-by-step instructions for implementing OAuth 2.0 authentication: Authenticate an IMAP, POP, or SMTP connection using OAuth.

Please review all of your user and application accounts and where you have a requirement for POP and IMAP, please collate those account requirements so that they can be requested.

Please also liaise with your application suppliers to confirm whether this, or moving to Graph API access, is supported by the application vendor.

What is NHSmail doing?

NHSmail are creating a request process so that organisations can request an application to support OAuth for POP/IMAP/SMTP. The associated configurations are provided back to the requesting organisation, subject to approval. This is under development and will be available shortly; this guidance will be updated when it is available.

NHSmail will be sending out communications to targeted organisations to enable them to prepare and investigate/remediate users who are still using basic authentication on legacy protocols.

We have also removed the ability for any new or existing accounts to enable POP/IMAP via the NHSmail portal in the user settings. (SMTP will still be allowed to be enabled in the short term as we are focusing on the POP and IMAP elements that are being deprecated in Exchange online.)

In addition, we have begun a review of all users who have these enabled but who are not using them. Those users will be contacted to inform them that legacy protocols will be disabled for them due to not being used.

We intend to send the targeted comms on a fortnightly basis initially, but that may ramp up in frequency as we approach the deadline if organisations still appear to be using basic authentication.

The details within the targeted communications will include:

  • Protocol (POP, IMAP, MAPI, ActiveSync etc)
  • Operating system / Application name (where identified)
  • Username – Authenticated user utilising basic authentication
  • Count (number of times within the 30 days we have seen this event)
  • ODS / Organisation name

Modern authentication for Microsoft Office and MS Teams Rooms

All versions of Office for 2016 or later will have Modern authentication enabled by default. Office 2013 requires a setting to enable Modern authentication, but once you configure the setting, Office 2013 will use Modern authentication.

For more information and guidance on how to enable and disable Modern authentication for Office 2013, please refer to Enable Modern authentication for Office 2013 on Windows devices – Microsoft 365 admin | Microsoft Docs. It may be the case that organisations will need to re-enable Modern authentication on their client devices/installations.

Microsoft Teams Rooms

Account management for Microsoft Teams Rooms is managed at the application level. The application connects to Microsoft Teams, Skype for Business, and Exchange to get resources for the resource account to enable calling and meeting experiences. Teams Rooms uses a dedicated resource account to allow for always-on capabilities, calling scenarios (for devices configured with a calling plan), and custom lockdown mechanisms. This means that authentication for Teams Rooms happens in a different way than for end-user devices.

Modern authentication is supported on Microsoft Teams Rooms version 4.4.25.0 and later.

Further information is available here: https://docs.microsoft.com/en-us/microsoftteams/rooms/rooms-authentication

Modern authentication for POP and IMAP

For legacy protocols such as POP / IMAP, organisations will be expected to liaise with their 3rd party application vendor to see if Modern authentication will be supported with that application. If supported, organisations will need to follow the guidance below.

Organisations should liaise with their 3rd party vendor or application developers and find out if modern authentication is supported for their application. If so, the 3rd party will be responsible for providing the appropriate guidance to enable modern authentication for their application. It could also require application upgrades to support modern authentication, and any associated upgrade will need to be factored in by local organisations.

You can use the OAuth authentication service provided by Azure Active Directory (Azure AD) to enable your application to connect with IMAP, POP, or SMTP protocols to access Exchange Online in Office 365.

This may form a request for a custom Application to be submitted for assessment/approval that your application uses with OAuth to provide modern authentication with IMAP/POP. This will be dependent upon what the vendor/supplier supports.
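To show what OAuth authentication over IMAP looks like on the client side, the following added example (not NHSmail's or Microsoft's code) builds the SASL XOAUTH2 response and passes it to Python's imaplib. It assumes an access token has already been obtained from Azure AD for the approved application; the host, port and mailbox names are assumptions for illustration.

```python
import imaplib
import json
import ssl

# Assumed for illustration: the Exchange Online IMAP endpoint and port.
IMAP_HOST, IMAP_PORT = "outlook.office365.com", 993


def xoauth2_response(user: str, access_token: str) -> bytes:
    """Raw SASL XOAUTH2 string: user=<user>^Aauth=Bearer <token>^A^A."""
    for value in (user, access_token):
        # Reject control bytes: a stray 0x01 would split or forge a field.
        if not value or any(not 0x20 <= ord(c) <= 0x7E for c in value):
            raise ValueError("user and token must be printable ASCII")
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("ascii")


class XOAuth2Authenticator:
    """Callable for imaplib's authenticate(); imaplib base64-encodes the reply."""

    def __init__(self, user: str, access_token: str):
        self._raw = xoauth2_response(user, access_token)
        self.error = None  # filled in if the server sends an error challenge

    def __call__(self, challenge: bytes) -> bytes:
        if not challenge:
            return self._raw  # empty "+" continuation: send the credentials
        # A non-empty continuation carries failure details. Record them and
        # answer with an empty line so the server can finish with NO.
        try:
            self.error = json.loads(challenge)
        except ValueError:
            self.error = {"raw": challenge.decode("ascii", "replace")}
        return b""


def open_mailbox(user: str, access_token: str) -> imaplib.IMAP4_SSL:
    """Connect with certificate verification and authenticate with a token."""
    # Pass an explicit default context so the certificate and hostname are verified.
    ctx = ssl.create_default_context()
    conn = imaplib.IMAP4_SSL(IMAP_HOST, IMAP_PORT, ssl_context=ctx)
    auth = XOAuth2Authenticator(user, access_token)
    try:
        conn.authenticate("XOAUTH2", auth)
    except imaplib.IMAP4.error as exc:
        conn.shutdown()
        raise PermissionError(f"XOAUTH2 rejected: {auth.error or exc}") from exc
    return conn
```

The token never appears in a reusable password field: when it expires or the application's approval is withdrawn, `open_mailbox` fails and the application must request a fresh token.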

Modern authentication for ActiveSync (EAS) in iOS

For more information/guidance on Modern authentication for ActiveSync (EAS) in iOS, please refer to Microsoft and Apple Working Together to Improve Exchange Online Security – Microsoft Tech Community

Modern authentication for ActiveSync (EAS) in Android

Microsoft and Google have been working to help users of the Android mail application to switch from basic authentication to modern authentication. We are currently awaiting details of this and will update this article ASAP to direct people towards any pertinent information as soon as it is available.

Last Reviewed Date 19/01/2023
Updated on 19/01/2023
