Microsoft Ends Support for Basic Authentication
Microsoft is ending support for Basic Authentication in all tenants, regardless of usage, except SMTP Auth, on October 1, 2022. Microsoft had initially announced that Basic Authentication would be disabled in all tenants of its Exchange Online service in the second half of 2021, but the deadline was postponed because of the impact of the COVID-19 pandemic. This policy affects Microsoft Exchange Online and Microsoft Exchange Web Services but does not affect Exchange Server on-premises.
Microsoft will stop supporting and retire Basic Authentication for several protocols, including:
- Outlook (MAPI, EWS, RPC, and OAB)
- Exchange Active Sync (EAS)
- Remote PowerShell (RPS)
Beginning in early 2022, Microsoft will start disabling Basic Auth on a short-term, temporary basis for some customers that still use it.
Why is Basic Authentication Being Disabled?
Microsoft is disabling Basic Authentication for security reasons. Basic Authentication is an old authentication method in which the client application passes the username and password – often stored on or saved to the device – with every request.
While it dramatically simplifies the authentication process, Basic Auth makes it easier for attackers to capture users’ credentials, particularly when the connection is not protected by the Transport Layer Security (TLS) cryptographic protocol, and it increases the chance that stolen credentials are reused against other endpoints or services. What’s more, Multi-Factor Authentication (MFA) isn’t easy to enable when you are using Basic Authentication, and so all too often, it isn’t used.
Essentially, Basic Authentication is vulnerable to brute force and password spray attacks. When users choose weak passwords, which is usually the case, it’s just a matter of time before their account is compromised. Every day Basic Auth remains enabled in your tenant, your data is at risk. The best way to protect your organization’s critical data is to get your clients and apps off Basic Auth, move them to stronger and better options, and then secure your tenant.
With the move to disable Basic Auth, Microsoft is taking great steps to improve data security in Exchange Online.
Modern Authentication to Replace Basic Auth
Modern Authentication is a more secure, token-based method of authenticating access to information. It’s based on OAuth 2.0 and the Active Directory Authentication Library (ADAL), and it supports additional authentication factors, including Multi-Factor Authentication, smart cards, certificate-based authentication (CBA), and third-party SAML identity providers.
So, while the user may still provide a username and password, these are used to authenticate with an identity provider, which issues a token for access. This token carries more specific information (in the form of claims) that specifies what the requestor does and does not have access to. Tokens also expire and can be revoked, so there is more ability to govern access.
Modern Authentication in Outlook
Not all Outlook clients support Modern Auth:
- Outlook 2010 and earlier – don’t support Modern Auth. If Basic Auth is disabled in the tenant settings, these versions of Outlook won’t connect to Exchange Online mailboxes on Microsoft 365. You may need to replace old user clients that don’t support Modern Authentication.
- Outlook 2013 – enabling Modern Authentication in Outlook 2013 requires some changes to be made in the registry.
- Outlook 365, 2019, 2016 – Modern Authentication is supported by default.
How to Disable Basic Authentication in Office 365
There is more than one way to block Basic Authentication in Office 365 (Microsoft 365). For example, you can use:
- Security Defaults – turned on by default for all new tenants. This set of security-related settings disables all legacy authentication methods, including Basic Auth and app passwords. However, enabling security defaults might influence some third-party applications you use with your Microsoft 365 tenant.
- Client Access Rules – These let you create very specific rules that allow Basic Auth only in very specific cases. You can, for example, allow Basic Auth for a certain AD group or for the IP range used in your HQ.
- Authentication policies – a tool dedicated to blocking Basic Auth. You can control those policies using PowerShell (Set-AuthenticationPolicy) or the Microsoft 365 admin center.
To enable Modern Authentication through the Microsoft 365 Admin Center, open the Microsoft 365 Admin portal, go to Settings > Org Settings > Modern Authentication, enable the option Turn on Modern Authentication, and save the changes.
Monitoring for Basic Authentication
You can monitor Basic Authentication sign-ins using the Sign-ins option (scroll down to Monitoring) in the Azure AD portal. This returns all logins (successful and failed) of all clients in Azure AD, which for a large organization means a lot of data. To simplify the process, use the Add Filters button to narrow the results down to Basic Auth only:
- Click Add Filter
- Select Client App
- Click Apply
Then click on “Client App: None Selected” and select all options except Browser and Mobile Apps and Desktop clients (the two client types that use Modern Auth).
This will show all basic authentication logins in your tenant. You can click on a row to see specific details like date/time, user information, application information, and the user agent string. This reveals which client application is used.
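The same Client App filter applied in PowerShell, as an added example that is not part of the original article. It assumes sign-in records shaped like the Microsoft Graph signIn resource (what Get-MgAuditLogSignIn returns) and embeds a constructed sample so it runs offline.

```powershell
# Added example, not code from the original article: find Basic Auth sign-ins
# in Azure AD sign-in data by applying the same "Client App" filter the portal
# uses. Input objects are assumed to carry the properties of the Graph signIn
# resource (CreatedDateTime, UserPrincipalName, ClientAppUsed, UserAgent,
# Status.ErrorCode), so Get-MgAuditLogSignIn output can be piped in unchanged.

# The two client-app values that use Modern Auth; every other value in the
# sign-in log (EAS, EWS, MAPI, IMAP4, POP3, SMTP, ...) is a legacy protocol.
$ModernClientApps = @('Browser', 'Mobile Apps and Desktop clients')

function Get-LegacyAuthSignIn {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $SignIn)
    process {
        if ($SignIn.ClientAppUsed -notin $ModernClientApps) {
            [pscustomobject]@{
                When      = $SignIn.CreatedDateTime
                User      = $SignIn.UserPrincipalName
                ClientApp = $SignIn.ClientAppUsed
                UserAgent = $SignIn.UserAgent
                Succeeded = ($SignIn.Status.ErrorCode -eq 0)  # 0 = sign-in succeeded
            }
        }
    }
}

# Constructed sample records standing in for real Get-MgAuditLogSignIn output.
$sample = @(
    [pscustomobject]@{ CreatedDateTime = '2022-06-01T08:02:11Z'; UserPrincipalName = 'alice@contoso.example'
                       ClientAppUsed = 'Browser'; UserAgent = 'Mozilla/5.0'; Status = @{ ErrorCode = 0 } }
    [pscustomobject]@{ CreatedDateTime = '2022-06-01T08:05:42Z'; UserPrincipalName = 'bob@contoso.example'
                       ClientAppUsed = 'Exchange ActiveSync'; UserAgent = 'Apple-iPhone/1902.117'; Status = @{ ErrorCode = 0 } }
    [pscustomobject]@{ CreatedDateTime = '2022-06-01T08:09:03Z'; UserPrincipalName = 'scanner@contoso.example'
                       ClientAppUsed = 'IMAP4'; UserAgent = ''; Status = @{ ErrorCode = 50126 } }
)

$legacy = $sample | Get-LegacyAuthSignIn
$legacy | Format-Table -AutoSize

# Summarise which legacy protocols are still in use and by which accounts.
$legacy | Group-Object ClientApp |
    Select-Object Name, Count, @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } }

# Live query against the tenant (requires Connect-MgGraph -Scopes 'AuditLog.Read.All'):
# Get-MgAuditLogSignIn -All -Filter "createdDateTime ge 2022-06-01T00:00:00Z" | Get-LegacyAuthSignIn
```

The summary table is the inventory to work from: each remaining ClientApp value maps to a client or device that must be replaced or reconfigured before Basic Auth is blocked.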
Migrating from Basic Auth to Modern Authentication
Once you have eliminated Basic Authentication from your environment and have verified that no clients are still attempting to authenticate to Exchange Online with legacy protocols, you can shut the door permanently and restrict Basic Authentication in your tenant using an authentication policy that disables Basic Authentication for the users the policy is applied to.
You can restrict Basic Authentication from Exchange Online either on a per-user basis or set it as the default for the entire organization. The best course is generally to do this with a pilot set of users and, assuming there are no issues, eventually expand it to the entire tenant.
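The authentication-policy approach named in the list above and the pilot-then-default rollout described here, as an added Exchange Online PowerShell example that is not part of the original article. It assumes the ExchangeOnlineManagement module and an admin account; the policy name and the pilot group name are placeholders.

```powershell
# Added example, not code from the original article: use Exchange Online
# authentication policies to block Basic Auth, first for a pilot group and then
# as the tenant default. Assumes the ExchangeOnlineManagement module and an
# admin account; the policy name and the pilot group name are placeholders.
Connect-ExchangeOnline

# Make sure Modern Authentication (OAuth) is enabled before clients lose Basic
# Auth. This is the PowerShell equivalent of the admin-center toggle.
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

# A new policy blocks Basic Auth for every protocol unless an -AllowBasicAuth*
# switch is set. Only SMTP AUTH is re-allowed here, matching the retirement's
# SMTP exception; drop the switch once no device still needs it.
$policyName = 'Block Basic Auth'
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}
Set-AuthenticationPolicy -Identity $policyName -AllowBasicAuthSmtp

# Pilot first: assign the policy per user. Resetting the refresh-token
# timestamp forces those users' existing sessions to re-authenticate,
# so the block takes effect within minutes rather than at token expiry.
$pilot = Get-DistributionGroupMember -Identity 'BasicAuth-Pilot' -ResultSize Unlimited
foreach ($member in $pilot) {
    Set-User -Identity $member.PrimarySmtpAddress -AuthenticationPolicy $policyName
    Set-User -Identity $member.PrimarySmtpAddress -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)
}

# Review the result: which users have an explicit policy, and what it allows.
Get-User -ResultSize Unlimited | Where-Object { $_.AuthenticationPolicy } |
    Select-Object UserPrincipalName, AuthenticationPolicy
Get-AuthenticationPolicy -Identity $policyName | Format-List Name, AllowBasicAuth*

# When the pilot is clean, make the policy the tenant default. Users without
# an explicit assignment inherit it; explicit per-user assignments win.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName
```

Keep watching the sign-in log after each step; a legacy-protocol sign-in that now fails for a pilot user is the signal that a client still needs migrating before the policy becomes the default.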
Besides Exchange Online, SharePoint Online and Skype for Business Online could also be using Basic Authentication. During the transition, you might want to consider moving those workloads to Modern Authentication as well.
Microsoft’s disabling of Basic Authentication can greatly impact your organization if your clients are still using this outdated form of authentication. Once Basic Auth is disabled, all applications that use this legacy authentication protocol to access Exchange Online will stop working.
Servcom USA can help ensure a seamless transition to Modern Authentication before Microsoft disables Basic Auth. We can help you identify old user clients that need to be replaced and work with you to decide what will happen regarding application and device access to Exchange Online. Contact us today for any Microsoft support and Microsoft networking needs your business may have!
Thanks to our colleague James Forbis with Cincinnati IT services company 4BIS for his help with this research.