NOTE: This article provides information to Local Administrators of organisations with identified users using managed desktops with Office 2010 or later clients and connecting to Exchange Online using basic authentication with any of the below protocols:
- Exchange ActiveSync (EAS)
- Exchange Web Services (EWS)
- Post Office Protocol (POP)
- Internet Messaging Access Protocol (IMAP)
Microsoft has replaced basic authentication protocols for Exchange Online with modern connectivity that enables additional layers of security. The NHSmail team has put in place a strategy to separate out the retirement of these protocols into a new schedule before June 2023 to reduce any potential impact or disruption to organisations and their users.
The below table provides an overview of this schedule:
| Protocol | Retirement date |
| EAS | 27th April 2023 (evening) |
| EWS, POP, IMAP | 25th May 2023 (evening) |
This means that some users using managed desktops with Microsoft Office 2010, 2013, 2016 and 2019 for Windows, and Office 2011 or later for Mac installed and using basic authentication will stop sending and receiving emails.
A series of communications will be sent out to organisations appearing in our reporting to raise awareness and guide them through the process.
IMPORTANT NOTE: Please note that the below Office clients do not support modern authentication and it is recommended to upgrade to the most recent Office suite available:
- Microsoft Office 2010 for Windows.
- Microsoft Office for Mac 2011 (14.7.7) or older
When basic authentication is disabled, Outlook clients using basic authentication will stop connecting with Exchange Online to send and receive email messages. Users can access their NHSmail mailbox via Outlook Web Access if required.
Enabling Modern Authentication on Office 2013.
It is recommend upgrading users with Microsoft Office 2013 to the most recent Office suite available. If required, please follow the following Microsoft guidance to enable modern authentication for Office 2013 on Windows devices.
Enabling Modern Authentication on Office 2016 and Office 2019.
Make sure that users in your organisation with Office Outlook desktop for Windows using basic authentication are updated to use modern authentication.
Step 1: Run Windows update and confirm Office applications are updated by having the most recent cumulative updated. Your Office should have at least the currently recommended minimum installation of Outlook updates installed for connecting to Exchange Online using modern authentication. To verify the current list, see the following Microsoft Office article.
Step 2: Additionally, you may have to make sure that Outlook clients are not using a registry key to disable modern authentication. To confirm this, follow the below steps to check all 3 (three) registry values exists and are set to 1 (one):
1. Exit Outlook.
2. Open Registry Editor by using one of the following procedures, as appropriate for your version of Windows:
a. Windows 10, Windows 8.1, and Windows 8: Press Windows Key + R to pen a Run dialog box. Type exe and then press OK.
b. Windows 7: Click Start, type exe in the search box, and then press
3. Enter.Locate and select the following key in the registry:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Identity\
4. Right click EnableADAL and then click on Modify.
5. Change the Value data to 1 and then click OK.
6. Right click Version and then click on Modify.
7. Change the Value data to 1 and then click OK.
8. Locate and select the following key in the registry:
HKEY_CURRENT_USER\Software\Microsoft\Exchange\
9. Right click AlwaysUseMSOAuthForAutoDiscover and then click on Modify.
10. Change the Value data to 1 and then click OK.
11. Close Registry Editor.
12. Start Outlook.
NOTE: It is most likely the above registry keys already exist in your user’s windows device. If not, proceed to create the registry.
You can also deploy the above registry changes to all users if your organisation manages their devices via an MDM platform.
Checking if Outlook is using basic or modern authentication.
To confirm if registry changes were successful, follow the below steps to identify Outlook’s connection type:
- Start Outlook.
- Press and hold Ctrl button, then do right click on the Outlook icon in the task bar at the bottom right corner of the screen and select Connection Status.
- Find Authn column in the Outlook Connection Status screen.
a. If the authentication type is Bearer*, it means the client is already using modern authentication to connect to Exchange Online.
b. If the authentication type is Clear*, it means the client is using basic authentication to connect to Exchange Online.
Re-adding user’s email account when Outlook does not connect to Exchange Online.
For those Office desktop clients for Windows using AES or EWS which may not be connecting to Exchange Online or keep asking to provide the user’s account password, consider re-adding the user’s mailbox profile following the below steps.
You will have to re-add the user’s email account for those using POP and IMAP protocols.
NOTE: Any custom rules or set up on Outlook might be lost when re-adding an account; and these will have to be re-added. We suggest adding the new account profile first and re-create any special set up before removing the old account.
Step 1: Add a new NHSmail account profile:
- Start Outlook.
- Click on File on the top menu.
- Select Account Settings > Manage Profiles.
- Click on Show Profiles
- Click on Add
- Enter NHSmail as name for the new profile.
- Enter your net email address in the Name and Email Address fields.
- Enter your net password twice in the Password and Retype Password fields.
- Click on Next
- On the Microsoft sign in page click on Next
- On the NHSmail login page, type in your password, click on Sign in.
- If you have MFA or FIDO2 enabled, complete the authentication process.
- If requested, click on OK on staying signed in to all your apps.
- Click on Done and then Finish.
- On the Profile window, choose Always use this profile and select NHSmail from the drop-down menu.
- Click on OK to complete the process.
- Restart Outlook.
Step 2: Remove old email account profile:
- Open Outlook.
- Click on File on the top menu.
- Select Account Settings > Manage Profiles.
- Click on Show Profiles
- Select the old profile you want to remove and click on Remove
- Click on Yes to remove the profile.
- Restart Outlook.
Enabling Modern Authentication on Outlook for Mac.
Make sure that users in your organisation with Office Outlook desktop clients for Mac installed and using basic authentication are updated to use modern authentication.
NOTE: Registry changes are not required for Apple Mac users; their email account will have to be re-added.
Step 1: Remove current email account:
1. Open
2. Click on Tools at the top menu bar.
3. Select
4. Select the nhs.net account you want to delete.
5. In the Accounts dialog, click the – button at the bottom left corner.
6. Select Delete to remove the account from your app.
Step 2: Add a new email account:
1. Open
2. Click on Tools at the top menu bar.
3. Select
a. If this is the first account you are adding an account, select Add Email Account.
b. If not, click on + icon at the bottom left corner of the dialog box and select New Account.
4. Enter your nhs.net email address and click on Continue.
5. On the NHSmail login page, type in your password, click on Sign in
6. If you have MFA or FIDO2 enabled, complete the authentication process.
7. Click on Done.
8. If required, restart Outlook.
| Last Reviewed Date | 14/03/2023 |
