End of Life for Basic Authentication in Exchange Online
In October, Microsoft will begin to disable Basic Authentication. We recommend that you take measures now to avoid a nasty shock on the 1st of October, 2022. You want to avoid a situation where your employees can’t receive emails on their phone.
Many companies are still using Basic Authentication for Exchange Online. This relies on a username and password for access requests, which is susceptible to security issues related to brute force attacks, password spray attacks and more. Every day that you’re still using Basic Authentication, you run the risk of being attacked.
What will Microsoft do?
From October 1, 2022, Microsoft will begin disabling Basic Authentication in its global multi-tenant service. Microsoft goes through these tenants in random order. Seven days in advance, affected companies will receive a warning and a Service Health Dashboard note about the upcoming change.
To be precise, Microsoft will disable Basic Authentication for the following protocols: MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS), and Remote PowerShell. Microsoft will not disable SMTP AUTH. Microsoft recommends disabling SMPT AUTH at the tenant level and re-enabling it only for the user accounts that still need it.
If you’re using Basic Authentication for one of the affected protocols, they will not be able to connect once this is turned off. The application will receive a HTTP 401 error: bad username or password. Not the kind of thing you want users to be confronted with.
Any application that uses Modern Authentication for the same protocols is not affected.
What should I do?
- Outlook for Windows: Verify the application is up to date, has the correct registry keys, and, most importantly, that the enable switch for the entire tenant is set to True. Without that setting, Outlook does not use Modern Authentication.
If a user is already signed in to another Microsoft 365 app, such as Teams, they’re already verified and chances are they won’t see a single authentication prompt. Microsoft enables this setting for customers because they disable Basic Authentication for MAPI/RPC in the tenant.
Microsoft wants to ensure that Outlook can connect to Modern Authentication once Basic Authentication is disabled. Outlook does not support OAuth with POP and IMAP. To use POP and IMAP with a client app, you’ll need another app.
- POP/IMAP: POP and IMAP both support OAuth for interactive applications, and Microsoft is introducing support for non-interactive flows.
- EWS apps: EWS only supports app access, and you can use Application Access Policies to control what an app can access. If you have apps that use EWS with Basic Authentication, you’ll need to change the code. Many partner apps have support for Modern Authentication, you just need to adjust your configuration or update to the latest version. Do that as soon as possible!
- Exchange ActiveSync: All native apps on up-to-date devices support Modern Authentication, but many users’ devices still use Basic Authentication. If you’re using an MDM/MAM solution, use it to deploy new profiles.?If you don’t have MDM/MAM, delete the account and add it again from the device, and it will automatically switch to Modern Authentication.
- PowerShell scripts: If you have a script that you need to run, follow this guide to use Modern Authentication in your scripts.
- Reporting Web Services: Support for OAuth has already been rolled out (completed at the end of May). Basic Authentication will be disabled as of October 1.
- Microsoft Teams Rooms: Make sure everyone is using Modern Authentication by following these steps.
How do you know if you’re still using Basic Authentication?
Azure AD sign-in events is the best place to search. Filter by client app, and then in the client app filter – select the check boxes for the affected protocols under Legacy Authentication Clients. Check out this post for more information.
Microsoft also sends monthly messages in Notification Center to tenants who use Basic Authentication, summarising their usage. These are not as accurate as Azure AD reports; they are intended as an indication of use, but if you get one, you need to investigate the cause.
For administrators, the information is available in the Azure portal.
What’s the best way to disable Basic Authentication when I’m done?
The best way to disable Basic Authentication is to use Authentication Policies to block Basic Authentication. It can also be done by using Sec-CASMailbox or Conditional Access, which prevent access to data, but they do not stop authentication as they are both active after authentication.
Microsoft is not disabling Autodiscover at this time. That’s something they’ll do once customers who depend on it use Modern Authentication, but it’s also something you can do yourself with Authentication Policies.
Update: Request temporary exception
In September, Microsoft announced that customers can re-enable basic authentications once per protocol from 1 October to 31 December 2022. Protocol exceptions on re-enabled protocols will be disabled in early January 2023, with no possibility of further use. Read Microsoft’s full explanation here.
As a Tier One Microsoft Gold Partner, we can help you overcome a range of Microsoft-related challenges, from workplace modernisation to help desk support. Read more on our services here, or go ahead and speak with a specialist, who can answer any questions you have, today.
Our specialists have the answer