If 2 factor authentication is enforced, this is a way to get around it (needed for provisioning Backup365 in some instances). Or if you want to perform a mailbox migration ... mig wiz and other tools won’t work with basic auth disabled.


  • Office 365 account with Global admin access, or the ability to get it.
  • Powershell access.


You need to be on Windows and you must use Edge or I.E for this to work. It is worth first testing that you cannot login to O365 powershell by following ne/connect-to-exchange-online-powershell/connect-to-exchange-online-powershell?view=exchange-ps. If you get an access denied error, try the following.

You will use this again later to test that the fix has been applied (login success) Steps 1 to 8 are a summary of: mfa-connect-to-exchange-online-powershell?view=exchange-ps. Each command either raises an error, or displays/returns nothing on success.

  1. Open Edge or I.E and navigate to and login as a global administrator for any tenant. You can use your own account, it doesn't have to be the tenant we want to allow basic auth for.
  2. Click admin in the menu
  3. Select the Exchange admin center:
  4. In the new tab select hybrid then the second configure option.
  5. Select run/open when prompted and it will install and open powershell.
  6. Enter command, where masterImpersonationEmail is the master account email address in quotes.
    Connect-EXOPSSession -UserPrincipalName "masterImpersonationEmail"
  7. Enter the master impersonation account password when prompted
  8. Enter 
    New-AuthenticationPolicy -Name "Enable Basic Auth for EWS"
  9. Enter
    Set-User -Identity "masterImpersonationEmail" -AuthenticationPolicy "Enable Basic Auth for EWS"
  10. For each RunspaceID in the below image enter command
    Set-AuthenticationPolicy -Identity "Enable Basic Auth for EWS" -AllowBasicAuthWebServices

It took approx 3 hours for the changes to apply, but may take anywhere up to 24 hours. You can test it is complete by following: ershell/connect-to-exchange-online-powershell?view=exchange-ps to login to the master account with in a separate powershell command prompt. Once this is done in Converge you can click the re-apply impersonation button.