In late 2021, Microsoft 365 will no longer support legacy authentication. Modern authentication means OAuth 2.0, where applications request access tokens from Azure Active Directory rather than using username and password to connect. This enables multi-factor authentication, restrictive access policies, and other security beneficial features.
In September 2019, Microsoft stated that from the October date, it would be turning off basic authentication in Exchange Online for Exchange ActiveSync (EAS), POP, IMAP, and Remote PowerShell. The only service for which basic authentication will still be supported is SMTP (used for sending email) because of its use by a vast number of devices and appliances. Exchange Online already supports modern authentication. Microsoft said it is planning to roll out Modern Auth support for POP and IMAP in Exchange Online.
Microsoft did give plenty of notice, but it is not allowing much time for admins to test and deploy changes that it is only now getting around to making available. The issue is that not all email clients support modern authentication. Appliances like scanners and copiers could cause problems because most of these send, rather than receive an email, therefore can it still use SMTP. Microsoft stated that if you have devices that can’t update to support Modern Auth for POP and IMAP, you will have to update to new hardware.
Another point of concern is that disabling basic authentication for Exchange ActiveSync will affect almost every Android phone connecting to Microsoft 365 that is using the native Mail app, except for Samsung devices, which support modern authentication. Microsoft recommends that you switch to Outlook for iOS and Android instead of using native apps.
Microsoft is right. Basic authentication for Microsoft 365 is a security vulnerability and disabling it will improve security. Contact our team to learn what your business will need to do to make this change.