Microsoft Ends Disables Basic Authentication for All Exchange Online Clients

Microsoft announced they are turning off Basic Authentication for all Exchange Online tenants in Microsoft 365 in the second half of 2021. However, the impacts of COVID-19 changed everything, and the deadline was postponed to a later date.

Recently, Microsoft has set another definite date for the demise of Basic Authentication that all organizations leveraging Microsoft 365 need to be aware of. The company revealed they would disable Basic Auth for some clients on a temporary short-term basis. The tenants are randomly selected and disabled for between 12 to 48 hours, after which protocols are re-enabled. The policy, however, won’t affect Exchange Server on-premises. This blog focuses on the reasons why Microsoft is disabling Basic Authentication and what this means to you.

What Is the New Date for Disabling Basic Authentication?

Microsoft has set October 1, 2022, as the new date for turning off Basic Authentication in all protocols for its Exchange Online service tenants. In a statement, the company’s Online Team says that from October 1, 2022, it will start disabling Basic Auth in all tenants except for SMTP Auth.

What Is Basic Authentication?

Basic authentication or proxy authentication is an HTTP-based authentication protocol that allows apps to send credentials with every connection request made to online services, endpoints, or servers. Basic authentication in Microsoft 365 enables users to connect to mailbox using only their password and a username. Ideally, the username/ password pairs are usually stored locally on the device.

Why Is Microsoft Disabling Basic Authentication?

The reason behind this drastic action stems from cyber security concerns. Simply put, Microsoft is disabling Basic Auth to prevent accounts from being brute forced or falling victims to password spray attacks. The company reveals Basic Auth is an outdated industry-standard susceptible to a range of cyber threats that could pose severe security risks to everyone using Microsoft 365.

Basic Auth has been in use for several years and is popular due to its simple setup process. It also enables users to easily log in to apps, services, and ad-ins with a username/password pair. However, the fact that the applications store these credentials on the device increases the risk attackers could easily access credentials through password spray attacks or brute force.

Impact of the Change on Organizations and Users

Ideally, all apps, programs, or services connecting to Microsoft 365 need to authenticate themselves. Disabling Basic Authentication means all the applications using this legacy authentication protocol to access Exchange Online will stop working immediately. If you are using any of the following, you need to take some action:

  • Outlook 2010 and older: Once basic authentication is disabled, email clients won’t connect to Microsoft 365
  • Outlook 2013: You will require some changes to be made in the registry to enable modern authentication.
  • Outlook 2011 for Mac: Like Outlook 2010, Outlook 2011 for Mac doesn’t support modern authentication
  • Remote PowerShell: If you usually have unattended scripts that use basic authentication to establish a connection to Exchange Online, they will stop.
  • All third-party app, add in or mobile email clients that don’t support modern authentication will be affected.

The bottom line is that all Microsoft 365 administrators need to prepare for these changes. While some tenants might have already qualified for disabling basic authentication, others need to upgrade or update their software on several different workstations.

Modern Authentication Replaces Basic Authentication

Microsoft will replace basic authentication with modern authentication to enhance security for authentication and authorization on Exchange Online. Modern authentication or OAuth 2.0 is a category of multiple protocols for authentication used to protect cloud-based infrastructures. Unlike basic authentication, modern authentication doesn’t allow clients to save accounts credentials for Microsoft 365 on the device. It leverages token-based claims where the user provides a username and password used to authenticate with an identity provider for an access token to be generated. The token carries details outlining the level of access that the requester carries. Because the tokens expire and are easily revoked, it increases the level of security and protection in your Microsoft 365 environment.

Basic Authentication vs. Modern Authentication

Basic Authentication: Understanding the Security Issues

Even though the sudden switch from basic authentication to modern authentication is frustrating for most organizations, it is a welcome change bearing in mind the current volatility in the cybersecurity scene. Cybersecurity Ventures predicts Ransomware attacks will occur every 11 Seconds in 2021, with a cost of $20 Billion down from every 14 seconds in 2019. With basic authentication, every app, service, or add-in has to pass credentials, specifically the logins and passwords, with each request. This provides several opportunities for attackers to strike. Additionally, because basic authentication doesn’t support grading or sloping permissions, each app connecting with basic auth protocol gains access to multiple data accessed by a user. With the rise in cyberattacks targeting organizations, the best security practice is to strictly restrict access to only the data and resources needed for an application to function optimally.

Modern Authentication: The Strengths

Modern authentication prevents apps from saving Microsoft 365 account credentials. Before an app/service/client is authenticated, the user has to log in to their account via a standard Microsoft 365 login method and accept the app’s request to access their account. The access is granted via tokens which typically have a specified lifetime. In essence, the tokens are designed to provide a strictly defined permission scope that has to be accepted by the signed-in user. Additionally, modern authentication also enables the deployment of multi-factor authentication (MFA), which adds an extra layer of security.

What Is the Next Step for Your Organization?

Although 11 months seems such a long time, now is the best time for your organization to prepare for the impending changes. A robust plan is key to a seamless switch to modern authentication. The first step is to determine the applications and device access in Exchange Online and what will happen to them. You will also decide whether or not you need to replace old user clients not supporting modern authentication. If you need help to be prepared for the future, Microsoft 365 experts from Radius Executive IT Solutions are ready to hold your hand. We provide reliable MSP services customized to help you smoothly transition to modern authentication protocols and keep your business secure and efficient. Call Radius Executive IT Solutions today for any Microsoft support and Microsoft networking needs your business may have.