Three PowerShell Scripts That Find Basic Auth in Every Tenant Before Microsoft Pulls It
TL;DR
- Effective October 1, 2022, Microsoft permanently disables basic authentication in all tenants regardless of usage, with SMTP AUTH the only protocol that can be re-enabled afterward.
- Beginning in early 2022, Microsoft will pick tenants and switch off basic auth for all affected protocols except SMTP AUTH for 12 to 48 hours at a time.
- The affected protocols are Exchange Web Services, Exchange ActiveSync, POP, IMAP, Remote PowerShell, MAPI, RPC, SMTP AUTH, and OAB.
- Three open-source PowerShell scripts use the Secure Application Model to report basic auth sign-ins and settings across every customer tenant an MSP manages.
- SMTP auth can be disabled at the tenant level and re-enabled per user, which keeps copiers and printers working while closing the door everywhere else.
Somewhere in your customer base there is a copier, a ticketing system, or a line-of-business app still signing in with a username and password over a legacy protocol. Microsoft has now put dates on when that stops working, and the early ones are closer than October 2022. This post covers what Microsoft announced in September 2021 and shares a set of multi-tenant PowerShell scripts we built to find basic auth across every customer you manage.
The full announcement: Basic Authentication and Exchange Online, September 2021 Update (opens in new tab)
What did Microsoft actually commit to?
- The scope covers Exchange Web Services (EWS), Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, MAPI, RPC, SMTP AUTH, and OAB.
- Effective October 1, 2022, Microsoft begins permanently disabling basic auth in all tenants, regardless of usage. The one exception is SMTP AUTH, which can still be re-enabled after that date.
- The part that should worry you most: beginning in early 2022, Microsoft will selectively pick tenants and disable basic auth for all affected protocols except SMTP AUTH for a period of 12 to 48 hours. You can request that specific protocols not be turned off on a per-tenant basis; instructions are in the announcement linked above.
Those temporary shutoffs mean "we will deal with it next year" is not a plan. A tenant you have not audited can lose a working integration for two days with no warning.
Where basic auth usually hides
Before the scripts, the remediation picture:
- Inventory first. Identify basic auth within your customer tenants. The multi-tenant reporting scripts below do this across your whole base.
- SMTP auth deserves early attention even though Microsoft is not disabling it tenant-wide until October 2022:
- You can disable SMTP auth at the tenant level and re-enable it per user or per account, as described in Securing Authenticated SMTP in Exchange Online (opens in new tab).
- For copiers and printers, look at options 2 or 3 in How to set up a multifunction device or application to send email using Microsoft 365 or Office 365 (opens in new tab).
- PowerShell can confirm whether SMTP auth is enabled or disabled at the tenant level: Enable or disable SMTP AUTH (opens in new tab).
- Check your ticketing systems. Any helpdesk or PSA pulling mail over IMAP needs a modern auth path before the shutoff reaches it.
The reporting toolkit: three scripts, every tenant
We published a GitHub repository built to help MSPs report basic authentication across all customers under management. It consists of three PowerShell scripts:
- Audit_Log_Activity.ps1 (opens in new tab) uses Azure AD sign-in logs to surface every basic auth sign-in within a 30-day window. Requires customers to have an Azure AD P1 license.
- Get_basicAuth_settings.ps1 (opens in new tab) uses Exchange Online PowerShell to look for tenant-wide basic auth settings.
- SMTP_auth_disabled.ps1 (opens in new tab) uses Exchange Online PowerShell to check the tenant-wide SMTP auth setting.
What you need before running them
The scripts authenticate through the Secure Application Model, which gives you a headless connection into all of your customer environments. You will need to gather the tokens and GUIDs it produces. Kelvin Tegelaar at CyberDrain maintains the script that sets this up: Create-SecureAppModel.ps1 on GitHub (opens in new tab).
Audit_Log_Activity.ps1: who is still signing in the old way
Make sure your app registration carries this permission:
Microsoft Graph => AuditLog.Read.All (Delegated)
The script walks each customer tenant, looks for basic auth sign-ins, and presents them on screen:

It also generates a CSV listing every basic auth sign-in found across all customers, ready for remediation planning or a customer conversation:

Get_basicAuth_settings.ps1: what each tenant allows
This script pulls all authentication settings within a tenant. In the UI, most of these live under Settings > Org Settings > Modern Authentication:

One caveat to know going in: if the settings in a tenant have never been modified, the PowerShell cmdlets do not return them. For tenants sitting on untouched defaults, this script may come back empty, so treat a blank result as "defaults in place," not "nothing to do."
SMTP_auth_disabled.ps1: the copier-and-printer check
SMTP auth tends to be the most common holdout because of devices like copiers and printers. It can be enabled or disabled at both the tenant level and the user level, and the two can disagree: a tenant can have SMTP auth off globally while individual users still have it on. This script checks the tenant-level setting for each company and reports the results to a CSV:

Run all three, and you have a defensible picture of where every customer stands before Microsoft starts flipping switches.
Frequently asked questions
Which protocols does the basic auth shutdown cover?
Exchange Web Services (EWS), Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, MAPI, RPC, SMTP AUTH, and OAB. As of the September 2021 update, everything except SMTP AUTH stays off permanently once Microsoft disables it on October 1, 2022.
Can you stop Microsoft from temporarily disabling basic auth in a tenant during early 2022?
You can request that specific protocols not be turned off on a per-tenant basis. The instructions are in Microsoft's September 2021 basic authentication update on the Exchange Team blog.
Why does the audit log script require Azure AD Premium P1?
The script reads Azure AD sign-in logs through the Graph API to find basic auth sign-ins in a 30-day window, and sign-in log access requires customers to hold an Azure AD P1 license.
Why might the tenant settings script return nothing?
If the authentication settings in a tenant have never been modified, the Exchange Online PowerShell cmdlets do not return them. Tenants still on pure defaults will show empty results from Get_basicAuth_settings.ps1.
Legacy auth is a control, not a one-time project
Finding basic auth once is the easy part. CloudCapsule rechecks legacy authentication and 250+ other controls across every tenant you manage in about 60 seconds each, so nothing quietly turns back on.
Run a free scan
Written by
Nick Ross
CEO · Microsoft MVP · Founder, T-Minus 365
Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.
Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.
Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.


