3aIT Blog

There's a small but potentially important change coming for those that use Microsoft's services to provide their email. It's unlikely to impact personal accounts, as almost all users will be using modern methods to connect, but if your scan-to-email or intranet service that relies on connection to an email account breaks / has broken for no obvious reason, this may be why...

As of October 1st 2022, Microsoft will block what is known as "basic authentication" for email. This refers to accounts that only use a username and password to connect, with no additional multi-factor authentication step (e.g. approving the sign-in via the Microsoft Authenticator app on your phone or entering a one-time password).

Microsoft's rationale for this change is that their data shows almost all attacks on their email accounts use this basic authentication approach to try and connect. By mandating the extra authentication step, this attack vector disappears overnight, hopefully reducing the potential for someone's account to be breached (no matter how poor their password is).

The thing this is most likely to break is setups that have been in place "just working" for years, and are never touched. There are likely to be various legacy features in company systems that collect data from an email inbox to then do something with. If that is a Microsoft account and is using basic authentication, it will now fail. Basically, if you find something that hinges on email has suddenly broken and stays broken for no obvious reason over this weekend, this is likely to be why.

Microsoft have been trying their best to alert people to this change, which has been trailed for a couple of years at least. A couple of months ago, they deliberately disabled this service for a day for anyone still using it to try and draw attention to the looming deadline. Nevertheless, they report there's still a percentage of accounts relying on this method.

If you do find this breaks something, Microsoft have provided the option of a temporary reprieve. It will be possible for an administrator to re-enable this service as a one-time reversal. This can only be used as a temporary workaround though. As of December 31st 2022, even accounts opted back in like this will have basic authentication removed. Note - this isn't something an average user will be able to do - it needs to be undertaken by someone with admin access to the Exchange account for the business. Full details can be found on Microsoft's recent blog on the issue.