The Death of IMAP for Microsoft Users

Philippe Lehoux
by Philippe Lehoux

Note: Deferred end of support date"In response to the unprecedented situation we are in and knowing that priorities have changed for many of our customers we have decided to postpone retiring Basic Authentication in Exchange Online (MC204828) for those tenants still actively using it until the second half of 2021. We will provide a more precise date when we have a better understanding of the impact of the situation." - Microsoft

No worries, Missive still supports Office 365, Outlook and IMAP. 😅

On October 13th, 2020, Microsoft will stop supporting username & password authentication for the IMAP and POP3 protocols.

In layman terms, any email application out there that connects to Microsoft email servers using IMAP or POP3 (Basic Authentication) will stop working.

Basic Authentication is a term used to explain how an application passes the username and password of a user. It can, in many scenarios, be an insecure method to handle credentials. Especially when a third-party is involved and has to store the user credentials to authenticate itself in the name of the user (cloud email application).

As an alternative Microsoft developed Modern Authentication (a Microsoft term), which is based on an authentication method called OAuth 2.0. This method doesn’t share passwords but instead uses authorization tokens (think of them as temporary passwords) to prove the identity between users and service providers.

The apps that connect to your Microsoft account will never receive the real password. You also get the possibility to revoke access to those apps from your Microsoft account. That in itself is a good thing!

The temporary death of IMAP

The problem is Microsoft deprecating Basic Authentication is the kiss of death for a lot of email clients out there supporting only the IMAP/POP3 protocols. On October 13th, 2020, the only way for email clients to sync emails with Microsoft accounts will be to implement the proprietary Outlook REST API or the Exchange protocol.

Technically, the IMAP protocol supports OAuth 2.0 authentication via an extension; it’s how Gmail works. However, it is unlikely that Microsoft will support this on time. Incoming support has been recently announced, but no ETA was provided:

To make it easier to migrate your existing applications to use OAuth 2.0, we are making significant investments to our service that include OAuth 2.0 support for POP, IMAP, and background application support for Remote PowerShell MFA module. We will be sharing more information on these new features over the coming months.

For our users, this is not a problem; our syncing engine now supports Modern Authentication via Outlook REST API. As a cloud-based email client, not having to store and encrypt user passwords is a massive improvement. It’s just sad and unproductive Microsoft didn’t, out of the gate, offer IMAP connections with the OAuth 2.0 extension.

Philippe Lehoux

CEO at Missive
Follow me on Twitter