After many years of applications using Basic authentication to connect to servers, services, and API endpoints, support for it is coming to an end in Exchange Online.
Basic authentication means the application sends a username and password with every request, and those credentials are often stored or saved on the device. Traditionally, this type of authentication is enabled by default on most servers or services and is simple to set up. However, this also makes it easier for attackers to capture user credentials, increasing the risk of stolen credentials being reused against other endpoints or services. In addition, multifactor authentication (MFA) may be difficult or even impossible to enforce where Basic authentication remains enabled.
Because Basic authentication is an outdated industry standard, Microsoft is recommending that customers adopt security strategies like Zero Trust and/or apply real-time assessment policies when users and devices access corporate information. Even so, with threats and risks in mind, Microsoft is taking steps to improve data security in Exchange Online and will be removing the ability to use Basic authentication in Exchange Online across several services. This will require customers to move from apps that use Basic authentication to apps that use Modern authentication. Modern authentication is OAuth 2.0 token-based authentication, which offers many benefits and improvements over Basic authentication and also allows simple enablement and enforcement of MFA.
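The contrast described above, as an added example (not from the original article or from Microsoft): a small Python audit over constructed `Authorization` header values, showing that a Basic header carries a recoverable username and password on every request while a Bearer header carries only a token. The client names, sample credentials and the `classify` and `audit` helpers are assumptions made for illustration.

```python
import base64
import binascii
from collections import Counter

# Constructed sample: (client name, Authorization header value). Not real traffic.
_CRED = base64.b64encode(b"alice@example.com:Winter2022!").decode()
SAMPLE_REQUESTS = [
    ("legacy-mail-app", "Basic " + _CRED),
    ("legacy-mail-app", "Basic " + _CRED),   # same credentials sent again
    ("modern-mail-app", "Bearer eyJ.constructed.token"),
    ("script", "Basic not-base64!!"),
    ("unknown", ""),
]


def classify(header):
    """Return (scheme, username) for one Authorization header value.

    Basic credentials are base64("user:password") per RFC 7617, so anyone
    who sees the header can recover them. The password is decoded as well
    but deliberately discarded here.
    """
    scheme, _, value = header.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        try:
            decoded = base64.b64decode(value.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return ("basic-malformed", None)
        user, sep, _password = decoded.partition(":")
        return ("basic", user) if sep else ("basic-malformed", None)
    if scheme == "bearer" and value.strip():
        return ("bearer", None)  # opaque token, no password on the wire
    return ("none", None)


def audit(requests):
    """Count requests per (client, scheme, username) to inventory Basic auth use."""
    return Counter((client,) + classify(header) for client, header in requests)


if __name__ == "__main__":
    for (client, scheme, user), n in sorted(audit(SAMPLE_REQUESTS).items(), key=str):
        print(f"{client:16} {scheme:16} {user or '-':20} x{n}")
```

Clients reported with the `basic` scheme are the ones that need to move to an app using Modern authentication.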
Changes are already being made, and disablement will begin October 1, 2022. To learn more about if and how your users may be affected by this announcement, visit here for all details.