Microsoft ends support for Basic Authentication

Microsoft had announced Basic Authentication will be disabled on all protocols for all tenants of its Exchange Online service in the second half of 2021. However, due to the global impact of the COVID-19 pandemic, the deadline was postponed.

Recently, a new date was set, with Microsoft announcing “Effective October 1, 2022, we will begin to permanently disable Basic Auth in all tenants, regardless of usage, with the exception of SMTP Auth.”

In early 2022, as Microsoft begins rolling out the necessary changes to support this effort, they will begin disabling Basic Auth for some clients on a temporary short-term basis.

These tenants will be randomly selected and disabled for a period of 12-48 hours and all clients and apps using Basic Auth will be unable to connect. After this time, the protocols will be re-enabled.

Why is Microsoft disabling Basic Auth?

Simply put, Microsoft says Basic Auth is an ‘outdated industry standard’ that can be easily bypassed by cyberthreats, making it one of the biggest security risks in today’s landscape.

Basic Auth has been used for many years and is most often enabled by default. It’s simple to set up: a client logs into apps, services or add-ins with a username/password pair, and those applications store the credentials somewhere on the device or in user settings.

While Basic Auth simplifies the authentication process, it increases the risk that attackers can obtain credentials via brute force or password spray attacks. In a password spray attack, common passwords are tested against a pool of users in a tenant to find one that is using a common or weak password. Because many users opt for weak passwords, this lets malicious actors gain access to the IT environment.
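The spray pattern described above (many accounts, few attempts each, from one source) is easy to miss if you only count failures per user. The following detector is an added example, not code from the original article; it runs over constructed sign-in log lines whose format, field names and addresses are assumptions. Brute force against one account shows up as many failures for one user; a spray shows up as failures across many distinct users from the same source within a short window, so the detector keys on distinct users per source IP.

```python
"""Added example (not from the original article): a small password-spray
detector run over constructed sign-in log lines. The log format, field names
and sample values are assumptions chosen for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: timestamp, source IP, user, result.
# A real tenant would export these from its identity provider's sign-in log.
SAMPLE_LOG = """\
2022-03-01T09:00:01Z 203.0.113.7 alice@example.com FAILURE
2022-03-01T09:00:03Z 203.0.113.7 bob@example.com FAILURE
2022-03-01T09:00:05Z 203.0.113.7 carol@example.com FAILURE
2022-03-01T09:00:07Z 203.0.113.7 dave@example.com FAILURE
2022-03-01T09:00:09Z 203.0.113.7 erin@example.com FAILURE
2022-03-01T09:00:11Z 203.0.113.7 frank@example.com SUCCESS
2022-03-01T09:05:00Z 198.51.100.4 alice@example.com FAILURE
2022-03-01T09:05:10Z 198.51.100.4 alice@example.com FAILURE
2022-03-01T09:05:20Z 198.51.100.4 alice@example.com SUCCESS
"""


def parse_events(text):
    """Parse the whitespace-separated log lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "user": user,
            "result": result,
        })
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: [users]} for sources that fail against at least
    `min_users` distinct accounts inside a sliding `window`. Repeated failures
    against a single account (brute force) do not trigger this rule."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "FAILURE":
            by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, fails in by_ip.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window forward so fails[start:end+1] fits in `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {f["user"] for f in fails[start:end + 1]}
            if len(users) >= min_users:
                alerts[ip] = sorted(users)
    return alerts


def accounts_compromised_after_spray(events, alerts):
    """Accounts with a SUCCESS from a flagged source: the weak passwords the
    spray was hunting for, and the first thing a responder wants to know."""
    return sorted({e["user"] for e in events
                   if e["ip"] in alerts and e["result"] == "SUCCESS"})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    found = detect_password_spray(evs)
    print("spray sources:", found)
    print("accounts to reset:", accounts_compromised_after_spray(evs, found))
```

The thresholds (five distinct users in ten minutes) are deliberately low so the constructed sample trips them; in production they are tuned to the tenant's normal failure rate, and a success from a flagged source is the trigger for a password reset and session revocation on that account.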

Modern auth will replace basic auth

Over time Microsoft has introduced Modern Authentication to increase security for authentication and authorisation on Exchange Online.

Modern Auth is the term Microsoft uses when referring to the OAuth 2.0 authorisation framework for client/server authentication. Modern Authentication isn’t just one method for authentication between a client (computer or phone) and a server. Instead, it’s a category of several different protocols used to protect cloud-based resources.

The Modern Auth protocol doesn’t allow apps to save account credentials for Microsoft 365, instead relying on token-based claims. The user may still provide a username and password, which is used to authenticate with an identity provider and obtain an access token. The token carries claims that state specifically what access the requester has. Tokens can expire and be revoked, increasing the level of security and protection offered.
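To make the contrast concrete, here is an added example (not from the original article, and not Microsoft's implementation) that puts a Basic Auth header beside a signed, scoped, expiring bearer token of the kind token-based authentication relies on. The token layout, the signing key and the scope names are assumptions chosen for illustration. The Basic header is the reusable password in a thin encoding; the token says what it may do, when it stops working, and can be revoked by id.

```python
"""Added example (not from the original article): Basic Auth header versus a
signed, scoped, expiring token. Token format, key and scopes are assumptions."""
import base64
import hashlib
import hmac
import json
import time

# --- Basic Auth: the header *is* the credential ----------------------------
def basic_header(username, password):
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def decode_basic_header(header):
    """Anyone who sees the header (logs, proxies, a lost device) recovers the
    reusable password: base64 is an encoding, not a protection."""
    return base64.b64decode(header.split(" ", 1)[1]).decode().split(":", 1)


# --- Token-based auth: a scoped, expiring, revocable claim ------------------
SERVER_KEY = b"assumed-issuer-signing-key"   # held by the identity provider only
REVOKED = set()                                # token ids revoked before expiry


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject, scopes, ttl_seconds, token_id, now=None):
    """Issue body.signature where body is the JSON claims (HMAC-SHA256 signed)."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "scp": scopes, "exp": now + ttl_seconds, "jti": token_id}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token, required_scope, now=None):
    """Return (ok, reason_or_subject). Signature, revocation, expiry and scope
    are all checked before the bearer is allowed to do anything."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    claims = json.loads(_unb64(body))
    if claims["jti"] in REVOKED:
        return False, "revoked"
    if now >= claims["exp"]:
        return False, "expired"
    if required_scope not in claims["scp"]:
        return False, "insufficient scope"
    return True, claims["sub"]


def revoke_token(token_id):
    REVOKED.add(token_id)


if __name__ == "__main__":
    hdr = basic_header("alice@example.com", "Winter2022!")
    print(decode_basic_header(hdr))          # the password falls straight out
    t0 = 1_700_000_000                       # fixed clock so the run is repeatable
    tok = issue_token("alice@example.com", ["Mail.Read"], 3600, "t1", now=t0)
    print(verify_token(tok, "Mail.Read", now=t0))
    print(verify_token(tok, "Mail.Send", now=t0))
    print(verify_token(tok, "Mail.Read", now=t0 + 7200))
```

This is the hotel key card from the analogy that follows: the card opens only the doors its coding lists, stops working at checkout, and can be cancelled at the front desk without changing every lock in the building.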

Basic Auth vs Modern Auth

Think of Modern Authentication like a hotel key card, which can give you access to your hotel room, the gym and pool, but the coding doesn’t let you open doors to other guest rooms or the kitchen. The hotel key card is disabled when you leave and is specific to you, no one else. Modern auth only allows access to what you need when you need it.

Basic Authentication is more like the keys to a house. Unlocking the front door is the only security in your way, and once in you have access to all the rooms at once. Basic auth grants access to everything in one go and isn’t an effective security control.

What happens when basic auth is disabled?

Microsoft has warned users that it will no longer provide the ability to use Basic Auth after October 2022, and that any dependency on Basic Auth in Exchange Online must be removed by then.

Effectively, every app, service or program that uses Basic Auth to access Exchange Online will not work once this legacy protocol has been disabled.

The affected protocols will include:

Exchange Web Services (EWS)

POP/IMAP

Exchange ActiveSync (EAS)

Remote PowerShell (RPS)

Outlook (EWS, MAPI, RPC, OAB)

SMTP Auth

What does this mean for my organisation?

While twelve months seems like plenty of time to prepare, now is a good time to start planning for how this change will affect your business to ensure a seamless changeover before Microsoft disables Basic Auth.

You’ll need to decide what will happen in terms of application and device access to Exchange Online, and if you need to replace old user clients that don’t support modern authentication. For example, users of Outlook 2010 are using Basic Authentication now, as support for Modern Auth didn’t appear in the Office suite until Office 2013.

Office 2013 does support Modern Auth, but it’s not enabled by default and several registry key changes are needed before the client can use it. Office 2013 is also no longer able to connect to Office 365 cloud resources such as Exchange Online and OneDrive for Business.

Be prepared for the future and get in touch with Steadfast Solutions today to find out how we can help you smoothly transition to modern authentication protocols and keep your business secure.