How to check the impact of the Effects from the Deprecation of Exchange Online Basic Authentication

for Office 365

Microsoft has delayed the Deprecation of Exchange Online Basic Authentication from 2020/10/13 to the second half of 2021 from the announcement on 2020/04/06. ( MC20881 4)

According to Microsoft's Announcement in February 2020, accessing Outlook using Basic Authentication will not be available later next year.
The official announcements from Microsoft regarding "Exchange Online deprecating Basic Authentication" can be found in the following references.

Exchange Online deprecating Basic Authentication (Published 2019/09/20)

Improving Security - Together (Published 2019/09/20)

Basic Auth and Exchange Online – February 2020 Update

We have updated the corresponding article in Help Center according to the updated information from Microsoft, please confirm the information published here.

(※Announcement)The effect of Exchange Online Basic Authentication Deprecation on HENNGE One

We have written this article based on the newly published information from Microsoft. The article below will show the guideline of how to minimize the impact of the Deprecation of the Basic Authentication protocol.

1.Preface

Regarding the Deprecation of Exchange Online Basic Authentication, there will not be any direct impact on the HENNGE One Services itself.
Not to mention, HENNGE One can still be continuously be used with Office 365 without any troubles after the "Deprecation of Exchange Online" after second half of 2021.

However, there will be the abolishment of Exchange Online Basic Authentication for the Office 365, we ask our customers to please take a look at the article below to understand what the implications may occur.

As a result of the Deprecation of Exchange Online Basic Auth, there is a possibility that the Access Policies in the Access Policy Group in your HENNGE Access Control may need to be revised as a result of the impacts caused when using the Applications/Services.

2.Prerequisites

Please confirm and understand the following prerequisites before moving on to the main article.

  1. This article content was written according to the announcements published by Microsoft at 2020/02/25. There may be possibilities that Office 365 or Exchange Online will have further service updates without any prior announcements in the future.
  2. According to Microsoft's Official Released Information, the impacted services of the Deprecation of Exchange Online Basic Auth will be the following: Exchange ActiveSync(EAS), Exchange Web Service(EWS),  POP/IMAP, Remote PowerShell, Outlook Client Application for Windows PC.
    SMTP will not be included in the Exchange Online Basic Auth Deprecation this time (*there may be later updates after the second half of 2021.)
  3. After all, this is the update that has been decided by Microsoft, if there are questions or inquiries about the detailed impact, effects on the user usage or user announcements that are not related to HENNGE One services, please do contact the Microsoft Support.

3.Services or Applications that will NOT be Impacted

The authentication of Office 365/Exchange Online through the HENNGE Access Control login screen will not be affected if users are using the following applications.

  • Web Browser based Outlook on the Web(OWA)
  • HENNGE Secure Browser based Outlook on the Web(OWA)
  • Outlook Client App on iOS/Android
  • Native Email App on iOS 11.3 or later (uses "Sign-In" button in the Profile)

Account Setting Flow of Applications:Services that will not be Affected.pdf

In addition, Outlook 2016 or later on Windows PC will that uses Modern Authentication will also NOT be affected.

Again, the following service will not be affected as claimed by Microsoft Announcement.

  • SMTP Email Delivery (* However, future updates may impact on this.)

4.Prior Checks to be made on the Office 365 Tenant

4.1.Check if the Modern Authentication is Enabled

Following the "Deprecation of Exchange Online Basic Auth", the Modern Authentication for Exchange Online in Office 365 Tenants will need to be enabled.
Firstly, please check through the steps outlined in the article below to see if Modern Authentication for Exchange Online has been enabled in your Office 365 Tenant.

Checking Exchange Online Modern Authentication Status

If your Office 365 Tenant was created before 2017, the Modern Authentication for your Exchange Online is likely to be disabled by default.
The steps outlined in the article above include the procedures to convert Exchange Online to Modern Authentication, please take extra care when executing.

 

Reference
For Outlook 2016, you can easily determine if Modern Authentication for Exchange Online has been enabled on your Office 365 Tenant via the following method. Login to the Outlook 2016 with an account.
Login with an account:

  • If you do not see the HENNGE Access Control Login Screen, Modern Authentication is likely to be disabled.
  • If you do see the HENNGE Access Control Login Screen, Modern Authentication is likely to be enabled.

However, it is likely that PowerShell command is needed to change the the settings. Please use the procedure above as a basic measure to check if Modern Authentication has been enabled.

 

4.2.If Modern Authentication is Disabled

Following the "Deprecation of Exchange Online Basic Authentication", the enablement of Modern Authentication for Exchange Online is required.
If the Modern Authentication is not enabled, Application/Services that uses the Basic Authentication will still be impacted.
※The above does not include "Not Impacted Application/Services"

However, enabling the Modern Authentication will cause users that uses Outlook 2016 or later on Windows PC to have to convert from Basic Authentication to Modern Authentication. These users will need to login to their Outlook again with the HENNGE Access Control Login Screen.

Please do Take into Consideration that there are differences of the Login Session Duration between Basic Authentication and Modern Authentication.
Basic Authentication will authentication in the background intermittently and frequently. Usually after every few hours, the system will authenticate the users with Basic Authentication again.
For Modern Authentication, once the user has been authenticated successfully, a Token will be granted to the user to represent the logged in status.
This Token will have 90 days of available period for continuous usage by specification and by default. If the user has refreshed the Token by accessing the Service/Application within the 90 days, the Token will be extended for the next 90 days after it is refreshed.

Configurable token lifetimes in Azure Active Directory (Preview)

※The specification of authenticated session duration, please consult with Microsoft Support.

For this reason, we recommend that the end users be informed of the Login Screen changes and be informed of the length of the login session before the conversion to Modern Authentication is performed.

Please take into careful considerations of the impacts above please enabling the Modern Authentication.

Enable modern authentication in Exchange Online

※If you have any inquiry about the details of the Modern Authentication Enablement, please contact the Microsoft Support.

 4.3.If Modern Authentication is Enabled

If Modern Authentication has been enabled for your Exchange Online, please follow the "5. Changes to Applications/Services" to adapt the Applications/Services.

5.Changes to Applications/Services

The content below follows the "Prerequisites of Enabling Modern Authentication for Exchange Online".

However, for the Application/Service mentioned in "3.Services or Applications that will NOT be Impacted", they will not be impacted regardless Modern Authentication status.

5.1.Outlook for Windows PC

Outlook 2016 or Later

For versions of Outlook 2016 or later, they can be used as usual.
Please confirm that when you login with your account, the HENNGE Access Control Login Screen will be displayed.

Outlook 2013

Please perform the following procedure for each Outlook PC Client after the second half of 2021 as the "Deprecation of Exchange Online Basic Authentication".

Enable Modern Authentication for Office 2013 on Windows devices

After the above procedure, the HENNGE Access Control Login Screen will be displayed as the user logins in with their account.

※If there are any questions regarding this procedure, please confirm with the Microsoft Support.

Outlook 2010 or Earlier

After the "Deprecation of Exchange Online Basic Authentication" (second half of 2021), Outlook 2010 or Earlier will not be able to be used.

Please migrate to Outlook 2016 or later.

5.2.Exchange Active Sync

Exchange ActiveSync on Native Email App for iOS 11.3 or Later

Please press the "Sign-in" button in the Native Email App of your iPhone to create a new Profile for the Exchange Online account.

If you have previously created a Profile by clicking the "Manual" button in the Native Email App on iOS, please reset the account again with the "Sign-in" button to create a new Profile.

However, we recommend customers to use the Outlook Application provided by the Microsoft for iOS devices.

Exchange ActiveSync on Native Email App for iOS before 11.3

This App will not be able to be used after the "Deprecation of Exchange Online Basic Authentication" after second half of 2021.

Please update your iOS on your iPhone device and create a new Profile through clicking the "Sign-in" button in the Native Email App.

However, we recommend customers to use the Outlook Application provided by the Microsoft for iOS devices.

Exchange ActiveSync on Native Email App for Android

This App will not be able to be used after the "Deprecation of Exchange Online Basic Authentication" after second half of 2021.

We recommend customers to use the Outlook Application provided by the Microsoft for Android devices.

5.3.POP/IMAP

POP/IMAP that uses Basic Authentication will not be able to be used after the "Deprecation of Exchange Online Basic Authentication" after second half of 2021 

POP/IMAP that supports Modern Authentication will still be available.
※Office 365 is currently preparing this.

Microsoft recommends users to use Outlook on the Web (OWA) or Outlook.

5.4.Remote PowerShell

Remote PowerShell that uses Basic Authentication will not be able to be used after the "Deprecation of Exchange Online Basic Authentication" after second half of 2021.

Remote PowerShell that supports Modern Authentication will still be available.
※You can find out if the Remote PowerShell uses Modern Authentication by checking if the HENNGE Access Control Login Screen displays after users login into their account.

To connect Remote PowerShell via Modern Authentication, please follow the following procedure.

Connect to Exchange Online PowerShell using multi-factor authentication

5.5.Exchange Web Service

Application/Service that uses the Exchange Web Service that via the Basic Authentication will not be able to be used after the "Deprecation of Exchange Online Basic Authentication" after second half of 2021.

In order to confirm if the Application/Service that you are using supports the Modern Authentication after the deprecation of Basic Authentication, please confirm with Company that provides the Application/Service.

6.Revisions on the HENNGE Access Control Access Policy

Please perform the "4.Prior Checks to be made on the Office 365 Tenant" and "5.Changes to Applications/Services" before moving to the procedures below.

Most of our customers of the HENNGE Access Control service utilizes the Global IP Restriction Access Policy.
If you will convert from Basic Authentication to Modern Authentication after the "Deprecation of Exchange Online Basic Authentication", Global IP Address restriction will continue to apply and your Applications/Services can continue to access from the same IP Address.
※Please add the Global IP Address to the Access Policy Restriction for those Applications/Services.

For access of Windows Outlook, Outlook for iOS/Android and ActiveSync via Native Email App on iOS 11.3 or Later, we recommend you to implement "HENNGE Device Certificate".

The Procedures for Implementing the "HENNGE Device Certificate" Feature has been outlined below.

6.1.Prerequisite Preparation

If you have any inquiry about "HENNGE Device Certificate" implementation, please feel free to contact our ask-ms-basicauth-en@hennge.com Contact Window.

6.2.Confirm that "HENNGE Device Certificate" has been Enabled

After "6.1.Prerequisites Preparation", and you have contracted the "HENNGE Device Certificate" module, "Device Certificate" options should appear on the left menu in the HENNGE Access Control Admin Console.

How to check if HENNGE Device Certificate is Enabled.pdf

6.3.Changes to Access Policy

In the HENNGE Access Control Admin Console, please look for the applicable Access Policy and edit the "Condition to allow access" part to add a "or" and a "device_cert:any".

How to Modify the HENNGE Access Control Access Policy .pdf

6.4.How to use "HENNGE Device Certificate"

For Manuals on how to use the "HENNGE Device Certificate", please read through the following articles in the Help Center.

How to distribute Device Certificates to the users (Admin)

HENNGE Device Certificate User Manual

7.Lastly

The scenario and details outlined in this article may be the general situation.
If you are using more sophisticated rules or policies or have questions regarding the details, please contact our Contact Window for Support.

If you have any questions on the impacts/status of the "Deprecation of the Exchange Online Basic Authentication" of Exchange Online of Office 365, please consult with the Office 365 Support Window of Microsoft.

For inquiries on individual Application/Service regarding the impacts/status of the "Deprecation of the Exchange Online Basic Authentication" on those Application/Service, please consult with the Support Window of those Applications/Services.

This may be a good timing to reconsider the Access Polices in HENNGE Access Control to include the implementation of HENNGE Device Certificate.

Lastly, many customers may have inquiries about the impacts on their usage within their own companies; however, we do not have full picture of the status or usage of each of our customers. Therefore, when you contact us, please include specific details or unclear points in the Help Center article for us to answer your questions quickly as possible.

Thank you for your help and assistance.

※This article's information is written based on the article(MC191153, MC204828)in the Microsoft Office 365 Support Center.
※This article will be updated accordingly if any new information or updates has been announced or released from the Microsoft Support.

          
Was this article helpful?

Frequently Asked Questions (FAQs)