Exchange ActiveSync Certificate-Based Authentication Retirement — Mobile Email Migration
Microsoft is retiring direct certificate-based authentication (CBA) for Exchange ActiveSync (EAS) in Exchange Online by end of 2026, announced May 8, 2026. Organizations relying on CBA for mobile email access must migrate to Modern Authentication (OAuth 2.0) before the deadline or face complete mobile email connectivity failure. This entry covers auditing current CBA usage, selecting a replacement authentication method, and executing a staged MDM-driven migration.
Indicators
- Mobile devices showing 'Can't Connect' errors when accessing Exchange Online email
- Exchange ActiveSync connections failing after end-of-2026 retirement deadline
- Mobile email stops working for users authenticated via client certificates
- EAS clients unable to authenticate against Exchange Online post-deprecation
- Push email no longer syncing on mobile devices using certificate-based auth profiles
- Entra ID sign-in logs showing CBA failures for Exchange ActiveSync client app
Likely causes
- Organization using direct certificate-based authentication for Exchange ActiveSync connections
- Mobile devices enrolled with client certificates via MDM for Exchange Online authentication
- No migration to an alternative authentication method performed before retirement deadline
- MDM/EMM solution (Intune, JAMF, etc.) configured to deploy certificate-based EAS email profiles
- Legacy Exchange ActiveSync profiles relying on CBA not updated prior to Microsoft deprecation
- Conditional Access policies enforcing CBA for EAS clients not updated to reflect new auth methods
Diagnostic steps
- Audit current Exchange ActiveSync authentication policies in Exchange Online PowerShell: Run 'Get-MobileDeviceMailboxPolicy | Select-Object Name, AllowCertificateBasedAuth' to identify all policies with CBA enabled.
- Enumerate affected devices per mailbox: Run 'Get-MobileDeviceStatistics -Mailbox <user> | Select-Object DeviceFriendlyName, DeviceType, LastSyncAttemptTime, Status' across all or targeted mailboxes to identify EAS-connected devices using CBA.
- Review Entra ID / Azure AD sign-in logs: Filter by client app = 'Exchange ActiveSync' and authentication method = 'Certificate-based authentication' to determine the full organisational scope of CBA usage.
- Audit MDM/EMM solution (Intune, JAMF, etc.) for email configuration profiles that deploy client certificates for Exchange ActiveSync and inventory all affected device groups and assignment scopes.
- Review Entra ID Conditional Access policies under Protection > Conditional Access for any policies enforcing certificate-based authentication specifically for Exchange ActiveSync client apps, and note all affected users and groups.
- Evaluate replacement authentication options: Confirm Modern Authentication (OAuth 2.0) support with your MDM vendor, validate Microsoft Authenticator app availability on target devices, and assess hybrid Modern Authentication if on-premises Exchange is involved.
- Pilot the replacement authentication method on a defined test group: Deploy updated MDM email profiles using OAuth 2.0, validate successful mail sync, and confirm no 'Can't Connect' errors before proceeding to full rollout.
Resolution path
- Run Get-MobileDeviceMailboxPolicy to audit all EAS policies with AllowCertificateBasedAuth enabled
- Use Get-MobileDeviceStatistics and Entra ID sign-in logs to map all affected users, devices, and auth scope
- Audit MDM/EMM email configuration profiles to identify all certificate-based EAS profile deployments
- Review and update Conditional Access policies that currently enforce CBA for Exchange ActiveSync clients
- Select Modern Authentication (OAuth 2.0) with Entra ID as the replacement authentication method
- Update MDM/EMM email configuration profiles to use OAuth 2.0 and remove client certificate dependencies
- Deploy updated authentication profiles to a pilot device group and validate successful Exchange Online mail sync
- Complete organisation-wide rollout of new authentication profiles well before end of 2026 retirement deadline
- Remove and clean up legacy CBA-based email profiles from MDM after successful migration is confirmed
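The following script is an added example, not part of the original entry, that automates the audit portion of the Diagnostic steps and the first four bullets of the Resolution path in one run: CBA-enabled mailbox policies, the EAS device inventory per mailbox, recent EAS sign-ins that used a certificate, and Conditional Access policies scoped to the EAS client app type. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and the account can read mobile device statistics, sign-in logs and Conditional Access policies. The function names, the 30-day lookback, the output folder and the loose 'Certificate' text match on the authentication method are this example's own choices; the property names on the Graph objects are taken from the SDK as the author understands it and should be verified against your tenant.

```powershell
# Added example (not the original entry's code): inventory everything that still
# depends on certificate-based authentication for Exchange ActiveSync.
# Assumptions: ExchangeOnlineManagement and Microsoft.Graph modules installed;
# the signed-in account has the listed Graph scopes and Exchange admin rights.
Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Graph.Reports
Import-Module Microsoft.Graph.Identity.SignIns

Connect-ExchangeOnline
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'Policy.Read.All'

# Diagnostic step 1: mailbox policies that still permit certificate-based auth.
function Get-CbaEasPolicies {
    Get-MobileDeviceMailboxPolicy |
        Where-Object { $_.AllowCertificateBasedAuth } |
        Select-Object Name, AllowCertificateBasedAuth, IsDefault
}

# Diagnostic step 2: every EAS device partnership across all user mailboxes.
function Get-EasDeviceInventory {
    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        ForEach-Object {
            $upn = $_.UserPrincipalName
            Get-MobileDeviceStatistics -Mailbox $upn -ErrorAction SilentlyContinue |
                Select-Object @{n = 'User'; e = { $upn } }, DeviceFriendlyName, DeviceType,
                              DeviceModel, LastSyncAttemptTime, Status
        }
}

# Diagnostic step 3: EAS sign-ins whose authentication detail names a certificate.
# clientAppUsed and createdDateTime are filtered server-side; the method text is
# matched client-side (assumption: portal wording may vary, so the match is loose).
function Get-CbaEasSignIns {
    param([int]$Days = 30)
    $since  = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    $filter = "clientAppUsed eq 'Exchange ActiveSync' and createdDateTime ge $since"
    Get-MgAuditLogSignIn -Filter $filter -All |
        Where-Object { $_.AuthenticationDetails.AuthenticationMethod -match 'Certificate' } |
        Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName,
                      @{n = 'Method';    e = { ($_.AuthenticationDetails.AuthenticationMethod) -join ';' } },
                      @{n = 'ErrorCode'; e = { $_.Status.ErrorCode } }
}

# Diagnostic step 5: Conditional Access policies that include the EAS client app
# type (explicitly or via 'all'); these need review before OAuth profiles roll out.
function Get-EasConditionalAccessPolicies {
    Get-MgIdentityConditionalAccessPolicy -All |
        Where-Object { $_.Conditions.ClientAppTypes -contains 'exchangeActiveSync' -or
                       $_.Conditions.ClientAppTypes -contains 'all' } |
        Select-Object DisplayName, State,
                      @{n = 'ClientApps';    e = { $_.Conditions.ClientAppTypes -join ',' } },
                      @{n = 'GrantControls'; e = { $_.GrantControls.BuiltInControls -join ',' } },
                      @{n = 'AuthStrength';  e = { $_.GrantControls.AuthenticationStrength.DisplayName } }
}

# Write the inventory the migration plan (Resolution path, first four bullets) is built from.
$out = Join-Path $PWD 'eas-cba-audit'
New-Item -ItemType Directory -Path $out -Force | Out-Null
Get-CbaEasPolicies               | Export-Csv (Join-Path $out 'policies.csv')    -NoTypeInformation
Get-EasDeviceInventory           | Export-Csv (Join-Path $out 'devices.csv')     -NoTypeInformation
Get-CbaEasSignIns -Days 30       | Export-Csv (Join-Path $out 'cba-signins.csv') -NoTypeInformation
Get-EasConditionalAccessPolicies | Export-Csv (Join-Path $out 'ca-policies.csv') -NoTypeInformation

# Users seen authenticating with a certificate define the pilot group and rollout scope.
Import-Csv (Join-Path $out 'cba-signins.csv') |
    Group-Object UserPrincipalName |
    Sort-Object Count -Descending |
    Select-Object @{n = 'User'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```

Run it once before the pilot to size the migration and again after the rollout: an empty cba-signins.csv over a full sync window, together with no policy still returning AllowCertificateBasedAuth, is the evidence that the legacy profiles can be removed from MDM (last Resolution path bullet). Sign-in log retention is limited, so widen -Days only as far as your tenant actually keeps logs.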
Prevention
- Monitor Microsoft 365 Message Center and the Microsoft 365 roadmap regularly for upcoming feature retirements and deprecation notices
- Adopt Modern Authentication (OAuth 2.0) as the enforced standard for all Exchange Online client connections, including mobile
- Avoid reliance on legacy authentication mechanisms such as basic auth or direct CBA for mobile device email access
- Maintain a current inventory of all MDM-managed email profiles, their authentication methods, and assigned device groups
- Establish a change management and deprecation response process to evaluate and act on Microsoft retirement announcements within defined timeframes
- Enforce Conditional Access policies that require Modern Authentication for all Exchange ActiveSync clients, blocking legacy auth methods
- Test and validate authentication migrations with a representative pilot group well in advance of any Microsoft-imposed retirement deadline
Tools
- Exchange Online PowerShell (Get-MobileDeviceMailboxPolicy, Get-MobileDeviceStatistics)
- Microsoft Entra ID / Azure AD Admin Center (Sign-in logs, Conditional Access)
- Exchange Admin Center (EAC)
- Microsoft Intune / Endpoint Manager
- Microsoft Authenticator App
- Microsoft 365 Admin Center (Message Center)
- Microsoft Graph PowerShell SDK