How to migrate Basic Authentication devices/users to Modern Authentication

A recent blog post explaining how to identify which users/devices are still using Basic Authentication took off on Reddit and there were several comments asking how to handle the legacy clients. So we decided to document a few suggestions on how to move legacy clients into Modern Authentication.
These are the 3 most common devices on Basic Authentication:

  • Users using old email clients or not properly configured (like iPhone/iOS)
  • Scanners/Printers using SMTP
  • Software which sends email through legacy protocols, can be: CRM, sending Newsletters, Marketing campaigns,etc

Below is a straight to the point list on how to handle each of these scenarios, we also have a Web App which will monitor for legacy clients and will notify you whenever one connects:

How can I move users with iPhone or macOS to Modern Authentication

Update July 26th: Microsoft probably realised the amount of support requests they would get from iOS users which are still using Exchange ActiveSync through Basic Authentication. With Apple's help they've launched a small fix which will move the devices automatically to Modern Authentication (OAauth) as long as the devices are running the latest iOS 15.6/macOS Monterey 12.0 and tenant admins follow these steps.

  • First, all iPhones must be running at least iOS 15.6 (launched July 20th)
  • Second, the iOS Accounts App must have tenant wide permission given by Admins so it can exchange the user password for an OAuth token.
  • To provide the required permissions, access this link using an admin account and grant access to all tenant. iOS-account-iphone-oauth-automatic-microsoft-app-permissions

To confirm everything worked open Azure AD -> Enterprise Applications -> All applications page and search for "iOS Accounts".

portal azure ad ios Accounts App

Click on the App entry and on the left side click "Permissions" and make sure you have granted consent, otherwise click the Blue Button "Grant Admin consent". Please note the blue button will always be there even after you've granted permissions

basic authentication ios app permissions fix

That's it, next time the devices connect they should automatically migrate themselves to Modern Authentication (OAuth). Use our Web App which monitors daily for new Basic Authentication devices and receive a notification to make sure coming October there aren't legacy protocols still running.

More details on Microsoft blog post about the iOS 15.6 update

The other option for devices not running the required iOS versions is to Remove and Re-add the account by selecting "Sign In" and not "Configure Manually".

Just a note of caution, when removing the email account we had users loosing some of their contacts because they were being synced with Exchange and when we re-added the account most of the time they would come back, but in some situations they didn't, so we recommend making sure Contacts are backed up.

steps for iOS modern Authentication
steps 2 for iOS modern Authentication
steps 3 for iOS modern Authentication
steps 4 for iOS modern Authentication
steps 5 for iOS modern Authentication
steps 6 for iOS modern Authentication

I have devices (scanners, printers, etc) sending emails through SMTP connection with Exchange Online

On this subject Microsoft decided, for now, not to force Modern Authentication: "SMTP AUTH will still be available when Basic authentication is permanently disabled on October 1, 2022"

As long as you were using it before the deadline, you'll be able to keep using afterwards. There are just a few things you need to check:

  • Your device must be compatible with TSL 1.2 or above: This means you must enable TLS/StartTLS option, the connection port can be either 587 (better) or 25.
    If you only have port 465 as an option, it won't work.
  • Make sure Authenticated SMTP option is enabled under the email account used on the device.
    Search for the device email on the Admin page then under the user settings on the Mail tab click "Manage email apps"
    mail tab microsoft 365 auth stmp
    microsoft 365 mail clients auth smtp

I'm using a third party software which connects to our mailboxes using legacy protocols (IMAP, POP3, SMTP)

You'll need to change how the software connects to your tenant by authenticating the connection through OAuth

This basically means using Microsoft Graph API to retrieve and send email with the help of an authentication token. Using OAuth is not hard, but it will require development or at least selecting this authentication option on your third party software

The required permission levels and a guide on how to do POP3,SMTP and IMAP through OAuth can be found on Microsoft Documentation.

Over here