How to Check Basic Authentication Enabled or Disabled in Microsoft 365

Basic authentication in the Microsoft 365

For many years, applications have used Basic authentication to connect to servers, services, and API endpoints. Basic authentication simply means the application sends a username and password with every request, and those credentials are also often stored or saved on the device.

Microsoft is removing the ability to use Basic authentication in Exchange Online for:

Exchange ActiveSync (EAS)
POP
IMAP
Remote PowerShell
Exchange Web Services (EWS)
Offline Address Book (OAB)
Outlook for Windows and Mac.

Microsoft’s also disabling SMTP AUTH in all tenants in which it’s not being used. If you want to check SMTP AUTH in your organization let’s visit this post.

Note Note: The deprecation of basic authentication will also prevent the use of app passwords with apps that don't support two-step verification.

When will this change take place?

Microsoft’s already started making this change. New Microsoft 365 tenants are created with Basic authentication already turned off as they have Security defaults enabled

In September 2021, Microsoft announced that effective October 1, 2022, they will begin disabling Basic authentication for Outlook, EWS, RPS, POP, IMAP, and EAS protocols in Exchange Online. SMTP Auth will also be disabled if it is not being used.

POP, IMAP, and SMTP AUTH

In 2020, Microsoft released OAuth 2.0 support for POP, IMAP, and SMTP AUTH. You can update your client apps to support these authentication types. Unfortunately, There is no plan for Outlook clients to support OAuth for POP and IMAP.

In some cases, if your organization still required POP/IMAP, you must using a third-party app which supports Modern Authentication to connect to Exchange Online over POP or IMAP protocol.

Check Basic Authentication Enabled or Disabled

Firstly, if Security Defaults are enabled in your tenant, it means all legacy authentication at the tenant level for all protocols with no exception.

Security Defaults are enabled mean the basic authentication is disabled completely in your tenant across all protocol included SMTP Auth.

If you have authentication policies configured in your Office 365 tenant, you can display the current settings and protocols that are allowed to use Basic Authentication. Use the following PowerShell command:

Before you begin, let’s connect to Exchange online PowerShell.

In our case, we have only one policy and BasicAuth is disabled for all apps.

Note Note: If the command Get-AuthenticationPolicy returns nothing, it means there's no custom authentication police in your tenant. At this time, it means basic authentication is disabled for POP/IMAP...protocols.

PS C:\WINDOWS\system32> Get-AuthenticationPolicy

AllowBasicAuthActiveSync           : False
AllowBasicAuthAutodiscover         : False
AllowBasicAuthImap                 : False
AllowBasicAuthMapi                 : False
AllowBasicAuthOfflineAddressBook   : False
AllowBasicAuthOutlookService       : False
AllowBasicAuthPop                  : False
AllowBasicAuthReportingWebServices : False
AllowBasicAuthRest                 : False
AllowBasicAuthRpc                  : False
AllowBasicAuthSmtp                 : False
AllowBasicAuthWebServices          : False
AllowBasicAuthPowershell           : False

For security purposes, you must create a separate policy with different Basic Auth permissions for specific protocols and assign it to users using the legacy application.

Note: The custom policies allow basic authentication will stop working when Microsoft turns off basic authentication globally on October 1, 2022.

New-AuthenticationPolicy -Name "BasicAuth_Allow_POP"
Set-AuthenticationPolicy -Identity "BasicAuth_Allow_POP" -AllowBasicAuthPop:$true
Set-User -Identity [email protected] -AuthenticationPolicy "BasicAuth_Allow_POP"

PS C:\WINDOWS\system32> Get-AuthenticationPolicy -Identity BasicAuth_Allow_POP

AllowBasicAuthActiveSync           : False
AllowBasicAuthAutodiscover         : False
AllowBasicAuthImap                 : False
AllowBasicAuthMapi                 : False
AllowBasicAuthOfflineAddressBook   : False
AllowBasicAuthOutlookService       : False
AllowBasicAuthPop                  : True
AllowBasicAuthReportingWebServices : False
AllowBasicAuthRest                 : False
AllowBasicAuthRpc                  : False
AllowBasicAuthSmtp                 : False
AllowBasicAuthWebServices          : False

Also, note that there is another OAuth2ClientProfileEnabled option in the organization settings, which determines whether Modern Auth is enabled for the tenant:

If OAuth2ClientProfileEnabled = False, it means that modern authentication is disabled.

PS C:\WINDOWS\system32> Get-OrganizationConfig | ft OAuth*

OAuth2ClientProfileEnabled
--------------------------
                      True

Enable basic authentication for SMTP

Some organizations still need SMTP basic authentication to sending emails through printers or scanners. So, they need SMTP AUTH using legacy protocol.

Microsoft doesn’t has a plan to disable basic authentication on SMTP. But SMTP Auth will also be disabled if it is not being used in your organization.

To check basic authentication for SMTP is enabled or disabled, let’s run the following command:

PS C:\> Get-TransportConfig | Format-List SmtpClientAuthenticationDisabled

SmtpClientAuthenticationDisabled : True

SmtpClientAuthenticationDisabled property is True means the basic authentication for SMTP is already disabled. To enable it, let’s run the following command.

Set-TransportConfig -SmtpClientAuthenticationDisabled $false

Microsoft highly recommend that you disable SMTP AUTH in your Exchange Online organization, and enable it only for the accounts (that is mailboxes) that still require it. Enable SMTP AUTH for specific mailboxes