Topics Map > Client Configuration > Desktop
Topics Map > Client Configuration > Mobile
Topics Map > Features and Functionality > Client Capabilities > Desktop
Topics Map > Features and Functionality > Client Capabilities > Mobile
Topics Map > Features and Functionality > Client Capabilities > Web (OWA)

Office 365 - Exchange Online Basic Authentication

Most logins to Microsoft Office 365 Exchange require direct authentication to NetID Login. However, some clients/protocols use basic authentication. With basic authentication (also called proxy authentication), the email client transmits the username and password to Office 365, and Office 365 forwards the provided credentials to NetID Login. This article answers general questions about Basic Authentication.

Table of Contents

How does basic authentication work in Office 365?

With basic authentication, your email/calendar client will transmit your username and password to Office 365 (Exchange Online). Office 365 will forward your credentials to the NetID Login Service. The NetID Login Service will verify the credentials and return a token to Office 365. If authentication was successful and the user is authorized, the email/calendar client will be connected to Office 365.

What is modern authentication?

If your email/calendar client uses modern authentication, your credentials are not sent to Office 365 (Exchange Online). Instead, you'll be redirected to the familiar NetID Login screen. If your account is protected by Duo MFA, you will be required to confirm your login. Your client may maintain a connection to Office 365 with an OAuth token, so you may not be required to use NetID Login each time you use the client.

Which clients require basic authentication?

Office 365 does not support modern authentication with IMAP, POP, and SMTP protocols. If you're using an IMAP client like Thunderbird or if you POP your email to Gmail, login is completed via basic authentication. Office 365 allows for either basic or modern authentication with Exchange Web Services (EWS) and Exchange ActiveSync (EAS). Depending on support within your email/calendar client, you may be required to use basic authentication to use EWS or EAS.

Which clients are capable of modern authentication in Office 365?

The following clients are capable of authenticating to Office 365 Exchange Online with modern authentication:

  • Outlook on the web
  • Outlook for Windows (current version)
  • Outlook for Mac (current version)
  • Outlook App for Android
  • Outlook App for iOS version 10.x and greater
  • Mail app on iOS 11.x+
  • Mail app on Mac OS 10.14 (Mojave) and later

How is basic authentication less secure than modern authentication?

Basic authentication in Office 365 is less secure for multiple reasons:

  • If your credentials (NetID username and password) are compromised, they can be used to access your mailbox or to send email from your account. Since basic authentication is not protected by multi-factor authentication, even those enrolled in Duo MFA are at risk.
  • Office 365 basic authentication can be used to verify usernames and passwords via credential stuffing, brute force and password spray attacks. If verified, then the credentials can be used to access other systems/services.

How long will Microsoft support basic authentication in Office 365?

Microsoft has already discontinued support for basic authentication with Outlook REST API. Microsoft has announced an end of support for basic authentication with EWS, EAS, POP, IMAP, Remote PowerShell (RPS) on 10/13/2020. Support for basic authentication with Office 365 SMTP is expected to continue beyond 2020.

Important: Microsoft Pushes Removal of Basic Authentication from Exchange Online to Mid-2021. Learn more.

To manage this feature, please review the Office 365 - Manage Password Security article.

How can I reconfigure Exchange to use modern authentication on my devices?

To begin using modern authentication through exchange, open a desktop or mobile email client, remove your UW Madison email address, and then re-add your UW Madison email address. When authenticating the account, you should receive a pop up or be redirected to UW Madison's secure login portal, which is the only time you should enter your password.

Information regarding how to configure specific mail clients can be found in:

  • Office 365 (Outlook for Windows) - Configure Outlook
  • Office 365 (Outlook for Mac) - Configure Outlook
  • Office 365 (Outlook for Android/iOS) - Configuring the Outlook app for Android/iOS
  • Office 365 (Apple Mail / Calendar) - Configure Apple Mail / Calendar on Mac OS 10.8
  • Office 365 (Apple Mail / Calendar) - Configure Apple Mail / Calendar on Mac OS 10.9
  • Office 365 (Apple Mail / Calendar) - Configure Apple Mail / Calendar on Mac OS 10.10
  • Office 365 (iOS) - Configure the native email/calendar app for iPhone or iPad
  • I'd like to learn more about Office 365 authentication.

    If you'd like to learn more about basic and modern authentication in Office 365, please review the following documents:

    PCS Support Staff:

    Additional details on MS's decision to postpone removal of basic auth to mid-2021.

    See Also:

    Keywords:microsoft office 365 office365 o365 email calendaring owa mapi eas ews imap pop3 smthauth smtp auth activesync exchange web services standards outlook on the web app owa security password authentication authn authorization authz basic modern modernauth basicauth duo netid login sso single sign on credentials username thunderbird eudora   Doc ID:95490
    Owner:O365 S.Group:Office 365
    Created:2019-10-31 17:10 CDTUpdated:2020-10-06 10:31 CDT
    Sites:DoIT Help Desk, DoIT Tech Store, Office 365
    Feedback:  2   0