Microsoft deprecation of basic authentication in Exchange Online
For many years, applications have used basic authentication to connect to servers, services, and API endpoints. Microsoft are planning to disable basic authentication for Outlook, EWS, RPS, POP, IMAP, and EAS protocols in Exchange Online in September 2022. NHSmail has negotiated an extension with Microsoft until 31 December 2022.
How might this change affect your organisation?
If you have any applications that use basic authentication in Exchange Online for Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, Exchange Web Services (EWS), Offline Address Book (OAB), Outlook for Windows, and Mac, then you will need to move to applications that use Modern authentication (OAuth 2.0 token-based authorisation).
For more information and guidance on deprecation of basic authentication in Exchange Online, please refer to Deprecation of Basic authentication in Exchange Online | Microsoft Docs
What you need to do to prepare:
Use modern authentication (OAuth 2.0 token-based authorisation) for any applications or clients that you use that could be impacted.
To avoid any service impact, we strongly advise that you start transitioning your applications and custom applications to modern authentication as soon as possible.
If your in-house or third-party application needs to access the IMAP, POP or SMTP AUTH protocols in Exchange Online, one option is to follow Microsoft's step-by-step instructions for implementing OAuth 2.0 authentication: Authenticate an IMAP, POP, or SMTP connection using OAuth.
What is NHSmail doing?
NHSmail will be sending out communications to targeted organisations to enable them to prepare and investigate/remediate users who are still using basic authentication on legacy protocols.
We are also removing the ability for any new or existing accounts to enable POP/IMAP via the NHSmail portal in the user settings. (SMTP will still be allowed to be enabled in the short term, as we are focusing on the POP and IMAP elements that are being deprecated in Exchange Online.)
In addition, we have begun a review of all users who have these enabled but who are not using them. Those users will be contacted to inform them that legacy protocols will be disabled for them due to not being used.
We are intending on sending the targeted comms on a fortnightly basis initially, but that may ramp up in frequency as we approach the deadline if organisations still appear to be using basic authentication.
The details within the targeted communications will include:
- Protocol (POP, IMAP, MAPI, ActiveSync etc)
- Operating system / Application name (where identified)
- Username – Authenticated user utilising basic authentication
- Count (number of times within the 30 days we have seen this event)
- ODS / Organisation name
NHSmail is also removing the ability for organisations to set up legacy protocols with basic authentication. This will take the form of removing the capability to add the POP and IMAP legacy protocols on accounts. New applications will now need to be deployed using modern authentication and will need to be submitted for assessment and approval. As previously mentioned, this is under development and will be available shortly.
Modern authentication for Microsoft Office and MS Teams Rooms
All versions of Office for 2016 or later will have Modern authentication enabled by default. Office 2013 requires a setting to enable Modern authentication, but once you configure the setting, Office 2013 will use Modern authentication.
For more information and guidance on how to enable and disable Modern authentication for Office 2013, please refer to Enable Modern authentication for Office 2013 on Windows devices – Microsoft 365 admin | Microsoft Docs. Organisations may need to re-enable Modern authentication on their client devices or installations.
Microsoft Teams Rooms
Account management for Microsoft Teams Rooms is managed at the application level. The application connects to Microsoft Teams, Skype for Business, and Exchange to get resources for the resource account to enable calling and meeting experiences. Teams Rooms uses a dedicated resource account to allow for always-on capabilities, calling scenarios (for devices configured with a calling plan), and custom lockdown mechanisms. This means that authentication for Teams Rooms happens in a different way than for end-user devices.
Modern authentication is supported on Microsoft Teams Rooms version 220.127.116.11 and later.
Further information is available here: https://docs.microsoft.com/en-us/microsoftteams/rooms/rooms-authentication
Modern authentication for POP and IMAP
For legacy protocols such as POP / IMAP, organisations will be expected to liaise with their 3rd party application vendor to see if Modern authentication will be supported with that application. If supported, organisations will need to follow the guidance below.
Organisations should liaise with their 3rd party vendor or application developers to find out whether modern authentication is supported for their application. If so, the 3rd party will be responsible for providing the appropriate guidance to enable modern authentication for their application. This may also require application upgrades to support modern authentication, and any associated upgrade will need to be factored in by local organisations.
You can use the OAuth authentication service provided by Azure Active Directory (Azure AD) to enable your application to connect with IMAP, POP, or SMTP protocols to access Exchange Online in Office 365.
Depending on what the vendor/supplier supports, this may require a request for a custom application (the one your application uses with OAuth to provide modern authentication for IMAP/POP) to be submitted for assessment/approval.
NHSmail are creating a submission/request process so that organisations can request an application to support OAuth for POP/IMAP/SMTP. The associated configurations are provided back to the requesting organisation, post approval. This is under development and will be available shortly.
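As an added example (not code from the NHSmail article, NHSmail, or Microsoft), here is how an application builds the SASL XOAUTH2 payload that the Microsoft step-by-step OAuth instructions referenced earlier and the POP/IMAP guidance in this section rely on, and how that payload is handed to Python's standard-library IMAP and SMTP clients. It assumes the usual Exchange Online host names and leaves acquiring the Azure AD access token (for example with MSAL) outside the snippet; the user and token values in the comments are constructed.

```python
"""Added example, not code from the NHSmail article or Microsoft's docs: builds
the SASL XOAUTH2 payload Exchange Online expects when an app authenticates to
IMAP, POP or SMTP with an Azure AD access token, decodes one for inspection,
and hands it to Python's standard IMAP/SMTP clients. Acquiring the token (e.g.
with MSAL) is out of scope; host names are the usual Exchange Online endpoints."""
import base64
import imaplib
import smtplib

CTRL_A = "\x01"  # SASL XOAUTH2 field separator

def xoauth2_raw(user: str, access_token: str) -> str:
    """Raw form: user=<upn>^Aauth=Bearer <token>^A^A (^A is byte 0x01)."""
    if CTRL_A in user or CTRL_A in access_token:
        raise ValueError("user or token contains the 0x01 separator")
    return f"user={user}{CTRL_A}auth=Bearer {access_token}{CTRL_A}{CTRL_A}"

def xoauth2_b64(user: str, access_token: str) -> str:
    """Base64 form sent on the wire by SMTP 'AUTH XOAUTH2' and POP 'AUTH XOAUTH2'."""
    return base64.b64encode(xoauth2_raw(user, access_token).encode()).decode()

def parse_xoauth2(payload_b64: str) -> dict:
    """Decode a payload back into {'user': ..., 'auth': 'Bearer ...'}."""
    raw = base64.b64decode(payload_b64).decode()
    if not raw.endswith(CTRL_A * 2):
        raise ValueError("payload lacks the ^A^A terminator")
    fields = {}
    for part in raw[:-2].split(CTRL_A):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields

def imap_oauth_login(user: str, token: str, host: str = "outlook.office365.com"):
    """IMAP AUTHENTICATE XOAUTH2 on port 993. imaplib base64-encodes the
    callback's return value itself, so the raw string is supplied here."""
    conn = imaplib.IMAP4_SSL(host, 993)
    conn.authenticate("XOAUTH2", lambda _challenge: xoauth2_raw(user, token).encode())
    return conn

def smtp_oauth_login(user: str, token: str, host: str = "smtp.office365.com"):
    """SMTP AUTH XOAUTH2 over STARTTLS on port 587; reply 235 means accepted."""
    conn = smtplib.SMTP(host, 587)
    conn.starttls()
    conn.ehlo()
    code, resp = conn.docmd("AUTH", "XOAUTH2 " + xoauth2_b64(user, token))
    if code != 235:
        conn.quit()
        raise RuntimeError(f"SMTP AUTH XOAUTH2 rejected: {code} {resp!r}")
    return conn
```

A token that Azure AD issued without the IMAP, POP or SMTP scopes is rejected at this step even though the payload is well-formed, which is the usual cause of a "login" failure after the application itself has been switched to OAuth.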
Modern authentication for ActiveSync (EAS) in iOS
Microsoft and Apple have been working to help users of the iOS mail application switch from basic authentication to Modern authentication.
Apple has supported OAuth in iOS and macOS clients for several years, so anyone setting up a new Exchange Online account in the mail application on these devices should be configured to use Modern auth. An Exchange Online account uses modern authentication only if it was added to the device after OAuth support was added to the mail app.
Apple will be adding support to remove the stored basic authentication credentials from the device and then reconfigure the account settings to use OAuth in an upcoming iOS update (release date and iOS version not yet confirmed, but it should be during summer 2022).
For more information/guidance on Modern authentication for ActiveSync (EAS) in iOS, please refer to Microsoft and Apple Working Together to Improve Exchange Online Security – Microsoft Tech Community
Modern authentication for ActiveSync (EAS) in Android
Microsoft and Google have been working to help users of the Android mail application to switch from basic authentication to modern authentication. We are currently awaiting details of this and will update this article ASAP to direct people towards any pertinent information as soon as it is available.
Last Reviewed Date: 08/09/2022