On October 1, 2022, Microsoft will permanently disable Basic Authentication (“Basic Auth”) for Exchange email tenants. Basic Auth is an outdated authentication standard that allows users to connect to their mailbox using only a username and password and its continued use poses serious security risks to Cornell users and their data. 

In the coming weeks, the CIT Email and Messaging team will begin reaching out to administrators and others responsible for email processes and configurations that still use Basic Auth. These instances will need to move to more secure email authentication, such as OAuth2.  

Protocols for which Basic Auth will be disabled include POP3, IMAP4, Remote PowerShell, Exchange Web Services, MAPI, Office Address Book, and SMTP Auth. Email configurations using any of these with Basic Auth will need to be updated to a more secure method. 

Microsoft has also announced that, between now and the October 2022 cutoff date, it may selectively disable Basic Auth on selected tenants for 12- to 48-hour periods. If an email service you support experiences a brief outage, it may be an indication that it is using Basic Auth and will need to be updated before October 2022. 

For technical details about the coming change, visit Microsoft’s post, Basic Authentication and Exchange Online – September 2021 Update.  

If you have questions or concerns, contact microsoft-basicauth@cornell.edu.