October 1, 2022, will kick off the period in which Microsoft Basic Authentication (aka Proxy or Legacy Authentication) protocols will be permanently disabled for Exchange Online (postponed from Oct 2020).
WHAT IS BASIC AUTHENTICATION?
Basic Authentication is a primitive authentication method where credentials (typically a username and password) are sent automatically along with every request to verify it. In the newly created Microsoft 365 tenants (i.e., tenants created after Oct 22, 2019), Basic Authentication is turned off by default as they have security defaults enabled.
WHY IS BASIC AUTHENTICATION BEING DISABLED?
According to the Microsoft Exchange team, it’s not only outdated – it’s unsafe. Basic Authentication makes it easier for attackers to capture user credentials (particularly if the credentials are not protected by TLS) because this method often stores credentials locally. This method increases the risk of those stolen credentials being reused against other endpoints or services. It has also made the enforcement of multifactor authentication (MFA) complicated or in some cases, impossible to use when Basic Authentication is enabled and unless the protocols are fully disabled, an attacker could use them to bypass the MFA requirement for M365 altogether.
According to the Exchange team, Basic Authentication is the most common way users are getting compromised, and these types of attacks are escalating. Threats have significantly increased since Microsoft originally announced they were going to turn it off.
AM I USING BASIC AUTHENTICATION?
Modern authentication displays a web-based login page:
Basic Authentication presents a dialog credential modal box:
On a mobile device, you’ll see a similar web-based page when you authenticate if the device is trying to connect using Modern authentication.
You can also check the connection status dialog box, by pressing CTRL + Right Click on the Outlook icon in the system tray and choosing Connection Status. When using Basic authentication, the Authn column in the Outlook Connection Status dialog shows the value of Clear.
WHAT IS RECOMMENDED
There are several options for organizations still leveraging Basic Authentication for Microsoft Exchange Online. Our recommendation is to use one of these techniques listed below rather than opting out entirely. While opting out is an option, it should be a last resort.
- Review the areas to identify where Basic Authentication may be used in your organization. Once you have an idea of the users and clients you know are using Basic authentication, come up with a remediation plan.
- Upgrading client software, reconfiguring apps, updating scripts, or reaching out to third-party app developers to get updated code or apps.
- Employ workarounds. There may be other ways to achieve desired outcomes such as leveraging other technologies or changing processes.
- Apply for an “opt-out” exception with Microsoft: As a last resort, exceptions can be applied for prior to September 1st, 2022.
If you’re still unsure or have questions contact us for Microsoft Business Solutions and more information about our services or schedule a consultation with one of our Microsoft-Certified Experts. We can also help you with other Office 365 migration tasks such as email management, security compliance reviews, and more.