End of Microsoft Basic Authentication

Microsoft announced in 2021 that basic authentication would be disabled for all Exchange Online users in Microsoft 365. The deadline was postponed due to the COVID-19 pandemic. However, except for SMTP Auth, Microsoft has set a firm deadline, stating that, starting October 1, 2022, they will begin to permanently discontinue Basic Auth in all tenants, irrespective of usage. What does this imply for you? For those unfamiliar with Microsoft 365, basic authentication enables users to connect to a mailbox using a username and password only. The rationale is that the move protects accounts from brute-force entry or being the target of password spray attacks.

Why is Microsoft Phasing out Basic Authentication?

Microsoft claims that Basic Authentication is an outmoded industry standard that can be easily circumvented by cyber threats, making it one of today’s top security risks. Basic authentication has been around for a long time and is generally enabled by default. It essentially allows you to log in to programs, websites, or add-ins using a username and password combination. Those applications store your credentials somewhere on the device or in user settings. While Basic Authentication makes the login process easier, it also raises the danger of hackers using brute force or password spray attempts to gain access to your credentials.

Password spray attacks occur when common passwords are checked against a tenant’s pool of users to see who is using a weak or easy password. Because many users choose weak passwords, threat actors can easily get access to their IT systems.
“Every day Basic Auth remains enabled in your tenant, your data is at risk, and so your role is to get your clients and apps off Basic Auth, move them to stronger and better options, and then secure your tenant, before we do.”
– Microsoft Exchange

Modern Microsoft Authentication

Microsoft has gradually phased in modern authentication to improve the security of authentication and authorization on Exchange Online. The technical term for the Modern Authentication authorization and authentication interface is OAuth 2.0. Modern authentication isn’t just one way for a client to authenticate with a server. Instead, it refers to a group of protocols that are designed to protect cloud-based assets.

Instead of saving your authentication credentials for Microsoft 365, the Modern Auth protocol relies on token-based requests. To produce an access token, the user submits a username and password to be used for authentication with an identity provider. The token contains additional information that specifies the level of access granted to the user. The tokens can expire and be revoked, enhancing the degree of security and protection provided.

Why Modern Auth Outpaces Basic Auth

Modern authentication only gives you access to what you need at the time you need it. However, Basic Authentication is more akin to a set of keys. The only security in your way is opening the front door, and once inside, you have immediate access to all of the rooms. Basic authentication allows access to everything at once and isn’t a good security measure.

Modern authentication is what you and your enterprise should adopt in the future. If you are running Exchange 2016 on hybrid, you can set up modern auth.

How to Block Basic Authentication on Exchange Online

You can disable Basic authentication by establishing and setting authentication policies for individual clients in Exchange Online. The policies indicate which client protocols are blocked from Basic authentication and prevent users from requesting Basic authentication for the specific protocols.

Basic authentication is then blocked in Exchange Online at the initial phase, before the request makes it to the on-premises IdP. This technique has the advantage of preventing malicious password attacks from reaching the IdP, where they might trigger account lock-outs due to illegitimate login attempts.

Because authentication policies function at the user level, Exchange Online can only deny Basic authentication requests for users who already exist in the cloud environment. With federated authentication, if a user does not exist in the cloud organization, their credentials are transmitted to the on-premises IdP.
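The following Exchange Online PowerShell sketch stages such an authentication policy on a pilot group before making it the organization default. It is an added example, not code from the original article or from Microsoft; the policy name and pilot addresses are hypothetical placeholders, and it assumes a session already opened with Connect-ExchangeOnline under an Exchange administrator account.

```powershell
# Added example: stage an authentication policy that blocks Basic auth.
# Assumes an existing Connect-ExchangeOnline session with Exchange admin rights.
# The policy name and pilot mailboxes are hypothetical placeholders.
$PolicyName = 'Block Basic Auth'
$PilotUsers = @('pilot1@contoso.example', 'pilot2@contoso.example')

# 1. Modern authentication must be enabled before Basic auth is blocked,
#    otherwise clients are left with no way to sign in.
$org = Get-OrganizationConfig
if (-not $org.OAuth2ClientProfileEnabled) {
    throw 'Modern authentication is disabled for this organization; enable it first.'
}

# 2. Create the policy once. A policy created without any -AllowBasicAuth*
#    switches blocks Basic authentication for every client protocol.
if (-not (Get-AuthenticationPolicy | Where-Object Name -eq $PolicyName)) {
    New-AuthenticationPolicy -Name $PolicyName | Out-Null
}

# 3. Assign the policy to the pilot users and reset their refresh tokens
#    so the change applies sooner than the normal propagation delay.
foreach ($upn in $PilotUsers) {
    Set-User -Identity $upn -AuthenticationPolicy $PolicyName
    Set-User -Identity $upn -STSRefreshTokensValidFrom ([DateTime]::UtcNow)
}

# 4. Report which cloud users are covered and which have no policy yet.
Get-User -ResultSize Unlimited |
    Select-Object UserPrincipalName,
        @{ Name = 'Policy'; Expression = {
            if ($_.AuthenticationPolicy) { $_.AuthenticationPolicy } else { '(none)' } } } |
    Sort-Object Policy, UserPrincipalName |
    Format-Table -AutoSize

# 5. After the pilot, make the policy the organization default so users
#    without an explicit assignment are covered too (left commented out).
# Set-OrganizationConfig -DefaultAuthenticationPolicy $PolicyName
```

The report in step 4 only lists users that exist in the cloud organization, which matches the limitation described above: accounts that exist only on-premises are not covered by the policy.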

What Happens When Basic Authentication is Disabled?

Microsoft has warned users that they will no longer be able to utilize Basic Auth after October 2022 and has encouraged phasing out any reliance on Basic Auth in Exchange Online before then. When Basic Authentication is removed, every app, service, or program that requires it to access Exchange Online will stop working. The impacted protocols include Remote PowerShell, Exchange Online services, SMTP Auth, POP/IMAP, and Outlook.

What You Need to Know Before Starting Out

Confirm that your Exchange Online organization has modern authentication enabled. See Activate or disable modern authentication in Exchange Online.

Confirm that your IT systems are compatible with modern authentication. Also, make sure your desktop clients are up to date with the minimum required cumulative updates. See Connect to Exchange Online PowerShell for more guidelines on modern authentication for Exchange Online PowerShell.

The Outlook

While a year may seem like a long time to prepare, now is a great time to start thinking about how this change will impact your organization, so that you can make a smooth transition before Microsoft completely removes Basic Auth.

You’ll need to decide what will happen regarding applications and device access to Exchange Online and whether or not you need to replace obsolete user clients that don’t enable modern authentication. For instance, users of Outlook 2010 are presently using Basic Authentication, as support for Modern Authentication was not added to the Office suite until Office 2013. Modern Auth is supported by Office 2013; however, it isn’t enabled by default, and additional registry changes are required to activate it.

Prepare for the future by contacting Technijian today to find out how we can help you make a smooth transition to modern authentication procedures while keeping your organization safe. We also offer a range of other IT-managed services to optimize your business efficiency. Technijian provides IT services and IT support to organizations in LA and across Orange County in California. Our team of professionals is always ready to craft a cost-effective strategy for you. Reach out to us today!

Author: Ravi Jain

Technijian was founded in November of 2000 by Ravi Jain with the goal of providing technology support for small to midsize companies. As the company grew in size, it also expanded its services to address the growing needs of its loyal client base. From its humble beginnings as a one-man-IT-shop, Technijian now employs teams of support staff and engineers in domestic and international offices. Technijian’s US-based office provides the primary line of communication for customers, ensuring each customer enjoys the personalized service for which Technijian has become known.
