Simply Secure – Microsoft Outlook Changes

Microsoft Office 365
Outlook Authentication Changes

I’m Really Busy, what do I need to know?

If you use Microsoft Office products, specifically Outlook, with a Microsoft-based email account, and you are not running a supported Office version, you will need to upgrade. This is due to upcoming changes to Microsoft authentication.

Generally speaking, the following versions of Outlook lose the ability to log in to email services on or about October 1, 2022:

  • Microsoft Office for Windows/Outlook 2007
  • Microsoft Office for Windows/Outlook 2010
  • Microsoft Office for Windows/Outlook 2013
  • Any version of Microsoft Office for Mac below 2016

Affected users:

Questions? Contact us.

Additional Background

For many years, applications have used Basic authentication to connect to servers, services, and API endpoints. Basic authentication simply means the application sends a username and password with every request, and those credentials are also often stored or saved on the device. Traditionally, Basic authentication is enabled by default on most servers or services, and is simple to set up.

Simplicity isn’t at all bad, but Basic authentication makes it easier for attackers to capture user credentials (particularly if the credentials are not protected by TLS), which increases the risk of those stolen credentials being reused against other endpoints or services. Furthermore, enforcing multi-factor authentication (MFA) is not simple, or in some cases not possible, when Basic authentication remains enabled.

Basic authentication is an outdated industry standard. Microsoft actively recommends that customers adopt security strategies such as Zero Trust (Never Trust, Always Verify), or apply real-time assessment policies when users and devices access corporate information. These alternatives allow for intelligent decisions about who is trying to access what, from where, and on which device, rather than simply trusting an authentication credential that could be presented by a bad actor impersonating a user.

What’s Changing

Microsoft is removing the ability to use Basic authentication in Exchange Online for Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, Exchange Web Services (EWS), Offline Address Book (OAB), Outlook for Windows, and Mac.

They are also disabling SMTP AUTH in all tenants in which it’s not being used.

This decision requires customers to move from apps that use Basic authentication to apps that use Modern authentication. Modern authentication (OAuth 2.0 token-based authorization) has many benefits and improvements that help mitigate the issues in Basic authentication. For example, OAuth access tokens have a limited usable lifetime, and are specific to the applications and resources for which they are issued, so they cannot be reused. Enabling and enforcing multi-factor authentication (MFA) is also simple with Modern authentication.
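To make the difference between the two schemes concrete, the following added example (not part of the original page and not Microsoft's code) inspects an HTTP Authorization header the way a defender reviewing captured traffic or proxy logs might. It shows that a Basic header yields the password itself, while a bearer token carries an audience and an expiry. It assumes the access token is a JWT with `aud` and `exp` claims; the function names, account, password and endpoint are constructed for illustration.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def describe_authorization(header: str, now: float) -> dict:
    """Summarise what a captured Authorization header value gives its holder."""
    scheme, _, value = header.strip().partition(" ")
    scheme, value = scheme.lower(), value.strip()
    if scheme == "basic":
        # Basic is only base64("user:password"): the long-lived secret itself
        # travels in every request, with no expiry and no audience limit.
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8")
        except ValueError:  # covers bad base64 and bad UTF-8
            return {"scheme": "basic", "valid": False}
        user, sep, _password = decoded.partition(":")
        return {"scheme": "basic", "valid": bool(sep), "user": user,
                "password_recoverable": bool(sep), "expires": None, "audience": None}
    if scheme == "bearer":
        parts = value.split(".")
        if len(parts) != 3:  # opaque or malformed token: nothing to inspect
            return {"scheme": "bearer", "valid": False}
        try:
            claims = json.loads(_b64url_decode(parts[1]))
        except ValueError:
            return {"scheme": "bearer", "valid": False}
        if not isinstance(claims, dict):
            return {"scheme": "bearer", "valid": False}
        exp = claims.get("exp")
        # Claims are read here without verifying the signature; a real
        # resource server must verify it before trusting aud or exp.
        return {"scheme": "bearer", "valid": True, "password_recoverable": False,
                "audience": claims.get("aud"), "expires": exp,
                "expired": isinstance(exp, (int, float)) and now >= exp}
    return {"scheme": scheme, "valid": False}

def _sample_jwt(claims: dict) -> str:
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"

# Constructed sample headers (not real accounts, tokens or endpoints).
BASIC_SAMPLE = "Basic " + base64.b64encode(b"alice@example.com:CorrectHorse1").decode()
BEARER_SAMPLE = "Bearer " + _sample_jwt({"aud": "https://mail.example.com", "exp": 1700000000})

if __name__ == "__main__":
    for sample in (BASIC_SAMPLE, BEARER_SAMPLE):
        print(describe_authorization(sample, now=1699999000))
```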

When does the change occur

Microsoft has already started making this change. New Microsoft 365 tenants are created with Basic authentication turned off as they have Security defaults enabled.

Beginning in early 2021, Microsoft started to disable Basic authentication for existing tenants with no reported usage.

In September 2021, Microsoft announced that effective October 1, 2022, they will begin disabling Basic authentication for Outlook, EWS, RPS, POP, IMAP, and EAS protocols in Exchange Online. 

On September 1, 2022, Microsoft also announced there will be one final opportunity to postpone this change. Tenants will be allowed to re-enable a protocol once between October 1, 2022 and December 31, 2022. Any protocol exceptions or re-enabled protocols will be turned off early in January 2023, with no possibility of further use.