M365 Roundup, October 2021: Basic Auth Gets a 30-Day Fuse
TL;DR
- In October 2021 Microsoft began sending tenants 30-day notices before turning off basic authentication for POP3, IMAP4, Remote PowerShell, EWS, OAB, MAPI, RPC, and ActiveSync, including disabling SMTP AUTH completely.
- Message Trace in the Security and Compliance Center retires after November 2021, and custom queries do not migrate to the new Exchange admin center.
- Custom queries in the new EAC Message Trace are stored per user, unlike the SCC where they were visible tenant-wide.
- Microsoft Authenticator's passwordless sign-in moved from pick-one-of-three to number matching in October 2021 to cut down inadvertent approvals.
- DKIM signing for custom domains can now be enabled directly from the Microsoft 365 Defender portal at security.microsoft.com/dkimv2.
October 2021's quiet headline is a countdown clock: Microsoft is now telling individual tenants they have 30 days of basic auth left. The rest of the month brings a retirement with a data-loss gotcha, an easier path to DKIM, a phishing-resistant tweak to passwordless sign-in, and the usual Teams polish. Deadlines first, features after.

Exchange: two retirements and a simpler DKIM
Basic auth shutoff notices are going out, SMTP AUTH included (end of life)
The notice Microsoft is sending tenants reads: 30 days from today (November 27th for tenants notified in late October) basic authentication will be turned off for POP3, IMAP4, Remote PowerShell, Exchange Web Services, Offline Address Book, MAPI, RPC, and Exchange ActiveSync, and SMTP AUTH will be disabled completely.
For alternatives to SMTP auth and multi-tenant reporting on where basic auth is still in use, see our breakdown: basic auth reporting across customer tenants.
Message Trace leaves the Security and Compliance Center (end of life)
Message Trace in the Security and Compliance Center stops working after November 2021, replaced by Message Trace in the new modern Exchange admin center. The trap is in the queries: custom queries stored in the SCC will not be migrated to the new modern EAC portal, because the two store them differently. Recreate any custom queries you want to keep in the new EAC now, alongside the default and autosaved queries you rely on.
One behavioral difference to brief your team on: in the new EAC, custom queries are stored per user. In the SCC they were stored per tenant, so one admin's custom query was visible to every other admin. In the new portal, for privacy and security reasons, each user sees only their own.
DKIM configuration gets simpler (new feature)
By default, Microsoft signs all outgoing tenant email with DKIM, falling back to the default tenant.onmicrosoft.com domain when no DKIM setting exists for a custom sending domain. This update makes it easier to switch signing to the custom domain itself, which means better email authentication. If DKIM is already enabled for your custom domains, there is nothing to do.
The feature is live as of October 2021. Enable DKIM for custom accepted domains at https://security.microsoft.com/dkimv2 (opens in new tab) or https://protection.office.com/dkimv2 (opens in new tab), following Microsoft's steps for the Defender portal (opens in new tab).

Identity: Authenticator swaps guessing for number matching
Users signing in passwordlessly with Microsoft Authenticator see a new experience once they update the app in October 2021. Instead of picking one of three numbers, users now enter the number shown on the sign-in screen. The goal is fewer inadvertent approvals of unsolicited passwordless authentication attempts, the kind attackers fish for.

Rollout: early October 2021, completing mid-October.

Teams: meeting controls get tidier
View Switcher consolidates meeting views (new feature)
All the view options scattered around Teams Meetings (Gallery, Large Gallery, Together Mode) move into a single dedicated menu called View Switcher, at the top left of the meeting window.

Rollout: late October 2021, completing mid-November.
Co-organizer role arrives (new feature)
Once enabled, a "Choose co-organizers" meeting option appears, defaulting to None. It works like selecting "Specific people" as presenters: the organizer picks from a dropdown of qualified invitees. To qualify, an invitee must be on the same tenant as the organizer's account, and up to 10 people can hold the role.
Rollout: late November 2021, completing early December.

SharePoint: site creation explains itself
The updated site creation experience helps site creators quickly understand the difference between a communication site and a team site.

The update also improves the Site permissions panel so owners and members can understand the differences between permission levels, with an information icon to hover for detail.
Rollout: early November 2021, completing for Standard release in mid-December.
Frequently asked questions
Do Message Trace custom queries carry over to the new Exchange admin center?
No. Custom queries stored in the Security and Compliance Center are not migrated, and they are stored differently in the new EAC, so anything you want to keep must be recreated by hand before the SCC version disappears after November 2021.
Who can be a Teams meeting co-organizer?
An invitee on the same tenant as the organizer's account. Organizers can assign the co-organizer role to up to 10 people, and the option defaults to None.
Do you need to act on the DKIM change if it is already enabled?
No. If DKIM is already enabled for your custom domains, nothing changes. The update just makes it easier to sign with the custom domain instead of the default tenant.onmicrosoft.com domain.
Microsoft changes something every month, your baselines should notice
A 30-day notice is easy to miss across dozens of tenants. CloudCapsule rechecks 250+ controls in every tenant you manage, in about 60 seconds each, so deprecations never become outages.
Run a free scan
Written by
Nick Ross
CEO · Microsoft MVP · Founder, T-Minus 365
Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.
Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.
Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.


