Microsoft 365 Mandatory Two-factor Authentication

Written By Tibby Fielding

By January 1, 2023, all Microsoft 365 applications will change from basic authentication access to a mandatory two-factor authentication. Beginning October 1, 2022, Microsoft will start randomly selecting users and disabling basic authentication access for MAPI, RPC, Offline Address book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS), and Remote PowerShell. Users will receive a notification 7 days prior in the Message Center as well as a Service Health Dashboard notification on the day of the change. No changes will be made to SMTP AUTH. If you are not ready for this change, you can re-enable basic auth only until January 1, 2023. We do not suggest utilizing basic authentication as it keeps your data at risk. 

Two-factor authentication or multi-factor authentication is an identity and access management security method that requires two forms of identification to access data: your username and password, and a contact method. When you turn on two-step verification, every time you sign in on a device that isn’t trusted, you will have the choice to get a security code sent to your phone (SMS), email or authenticator application. We do not suggest using email.

It is strongly recommended that you begin using the two-factor authentication protocol to protect your data and avoid any attacks stemming from basic auth. For more information about the two-factor authentication rollout taking place with Microsoft products, read this Exchange Team Blog post.