So, what does all this mean? And what do you need to do to prepare?
A short glossary
Basic authentication, often referred to as Basic auth, is an outdated method of sending credentials (typically a username and password) across a network in plain text. This means the information is not encrypted and can be intercepted by unauthorized parties, making it vulnerable to cyber threats such as credential theft and brute force attacks.
Open Authorization, commonly known as OAuth, is an open-standard authorization protocol or framework that enables secure, token-based access between different applications. Instead of sharing unencrypted passwords, OAuth uses access tokens to authenticate a user or application’s identity and authorize them to access specific resources. These tokens are typically sent over HTTPS, ensuring that the data remains encrypted during transmission. Due to its simplicity and security, OAuth is already widely used for web, mobile and IoT applications.
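To make the two glossary entries concrete, the added example below (not from the original article or from Microsoft) builds the SMTP AUTH command a client sends with Basic auth (SASL PLAIN) and with OAuth (SASL XOAUTH2), then classifies AUTH lines for a migration inventory. The mailbox address, password and token are constructed sample values, and `classify` is a hypothetical helper name.

```python
import base64
import binascii

BASIC_MECHANISMS = {"PLAIN", "LOGIN"}  # both carry the account password itself

def auth_plain(user: str, password: str) -> str:
    """Basic auth as SASL PLAIN: NUL, user, NUL, password, then Base64."""
    return "AUTH PLAIN " + base64.b64encode(f"\0{user}\0{password}".encode()).decode()

def auth_xoauth2(user: str, access_token: str) -> str:
    """OAuth as SASL XOAUTH2: mailbox name plus a bearer token, no password."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return "AUTH XOAUTH2 " + base64.b64encode(raw.encode()).decode()

def _decode(blob: str) -> str:
    # Base64 is an encoding, not encryption: anyone holding the blob can reverse it.
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return ""

def classify(auth_line: str) -> dict:
    """Classify one client AUTH command for a Basic-to-OAuth migration inventory."""
    parts = auth_line.split()
    result = {"mechanism": None, "basic": False, "user": None, "secret": None}
    if len(parts) < 2 or parts[0].upper() != "AUTH":
        return result
    mech = parts[1].upper()
    text = _decode(parts[2]) if len(parts) > 2 else ""
    result["mechanism"] = mech
    result["basic"] = mech in BASIC_MECHANISMS
    if mech == "PLAIN":
        fields = text.split("\0")          # [authzid, user, password]
        if len(fields) == 3:
            result["user"], result["secret"] = fields[1], "password"
    elif mech == "LOGIN":
        result["user"] = text or None      # password follows in a later response
        result["secret"] = "password"
    elif mech == "XOAUTH2":
        pairs = dict(f.split("=", 1) for f in text.split("\x01") if "=" in f)
        result["user"] = pairs.get("user")
        if pairs.get("auth", "").startswith("Bearer "):
            result["secret"] = "bearer token"
    return result

if __name__ == "__main__":
    # Constructed sample commands; the address, password and token are made up.
    for line in (auth_plain("scanner@contoso.example", "Winter2024!"), "AUTH LOGIN",
                 auth_xoauth2("scanner@contoso.example", "eyJ0eXAi.constructed.token")):
        print(classify(line))
```

Any device or script whose AUTH line classifies as `basic` is one that has to move to OAuth or to one of the alternatives before the cutoff.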
The retirement plan
According to Microsoft, the deprecation process of Basic auth includes updates to the SMTP AUTH Clients Submission Report, a series of Message Center alerts, and finally, the complete disabling of Basic auth.
Let’s look at how they expect this to land on the calendar over the next 16 months:
September 2024: The SMTP AUTH Clients Submission Report in the Exchange admin center will update to show Microsoft if Basic auth or OAuth is being used by a customer to submit email to Exchange Online.
January 2025: Microsoft will send a Message Center alert notification to all tenants currently utilizing Basic auth with Client Submission (SMTP AUTH).
August 2025: Microsoft will send another Message Center post to tenants who are still using Basic auth with Client Submission (SMTP AUTH) about 30 days before disabling it.
September 2025: Basic auth will be permanently disabled.
Guidelines for preparedness
To get ready for the retirement of Basic authentication for Client Submission (SMTP AUTH) in Exchange Online, you can follow these steps:
- Transition to OAuth: Upgrade your applications and devices to use OAuth for SMTP AUTH to enhance security with encrypted token-based authentication.
- Check SMTP AUTH Clients Submission Report: Starting September 2024, monitor the report in the Exchange admin center to see if Basic auth or OAuth is being used.
- Respond to Message Center Alerts: Pay attention to alerts from Microsoft in January 2025 and August 2025 regarding the use of Basic auth.
- Explore Alternatives: If your client doesn’t support OAuth, consider alternatives such as High Volume Email for Microsoft 365, Azure Communication Services Email, authenticating with an on-premises Exchange Server, or third-party services like SendGrid.
Remember, Basic auth will be permanently disabled in September 2025 as SMTP AUTH was the last protocol to use it. So, it’s important to act promptly and ensure your systems are compatible with modern authentication methods!