Microsoft Ends Basic Authentication Support: What Next?
On September 20, 2019, Microsoft announced that it was planning to end support for Basic Authentication. In other words, it would no longer be possible to authenticate to Microsoft APIs by transmitting a username and password combination.
The aim was to enhance security across all Microsoft products, and the change would take effect later in 2021. However, Microsoft postponed the deadline because of the onset of the COVID-19 pandemic and its global impact.
The company has now set a new definite date for this move. It stated that starting October 1, 2022, it will begin to disable Basic Authentication for all Exchange Online tenants in Microsoft 365.
The only exception to this new development is SMTP Auth. Meanwhile, Microsoft is enabling OAuth 2.0, the industry-standard protocol for authorization, on all its APIs. That change is already in place.
What Does This Mean for Users?
If you’re new to Microsoft 365, Basic Authentication is the protocol that allows you to connect to a mailbox using a username and password only. The deadline extension only applies to enterprises presently using Basic Authentication with Exchange Online.
New tenants on the platform will get Basic Authentication deactivated by default. The company will also disable Basic Authentication if it detects that it’s dormant.
Organizations using Exchange Server on-premises or in “hybrid” scenarios aren’t subject to Microsoft’s support change. However, those facing the end of Basic Authentication will most likely experience challenges in upgrading their systems, because the change will affect their use of Remote PowerShell.
The Reason Behind Disabling Basic Authentication
Microsoft is putting an end to Basic Authentication to prevent brute-force attacks on accounts. It will also prevent users from becoming victims of password spray attacks. In other words, Microsoft deems Basic Authentication an outdated industry standard that poses a risk to cybersecurity. Given how easily cyber threats can bypass it, it’s one of the most significant security loopholes in today’s digital security landscape.
According to the Microsoft Exchange team, every day that Basic Authentication remains enabled puts your data at risk. As such, users have a role in moving their apps off Basic Authentication and onto stronger and better options.
Basic Authentication has been in use for many years, with users and tenants most often enabling it by default. The protocol is easy to set up and allows users to log in to services, apps, or add-ins with a username and password combination. These applications store the login credentials somewhere on the device and in user settings.
While this makes the authentication process easy, it increases the risk of attackers accessing the credentials. One method they use is password spray attacks, where the attackers try out common passwords against a pool of users in a tenant.
The aim is to find one tenant using a common or weak password. Once they do, the cybercriminals gain access to the IT environment and wreak havoc. Attackers know that many people opt to use weak passwords.
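A password spray of the kind described above leaves a recognizable pattern in sign-in logs: one source failing against many accounts with only a try or two per account. The following detector is an added example, not part of the original article; the record layout, thresholds, addresses and account names are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (time, source IP, account, protocol, success).
SIGNINS = [
    ("2022-09-01T10:00:05", "203.0.113.7", "alice@example.com", "IMAP4", False),
    ("2022-09-01T10:01:10", "203.0.113.7", "bob@example.com", "IMAP4", False),
    ("2022-09-01T10:02:20", "203.0.113.7", "carol@example.com", "POP3", False),
    ("2022-09-01T10:03:30", "203.0.113.7", "dave@example.com", "IMAP4", False),
    ("2022-09-01T10:04:40", "203.0.113.7", "erin@example.com", "POP3", False),
    ("2022-09-01T10:05:50", "203.0.113.7", "frank@example.com", "IMAP4", True),
    ("2022-09-01T10:10:00", "198.51.100.20", "bob@example.com", "ActiveSync", False),
    ("2022-09-01T10:10:30", "198.51.100.20", "bob@example.com", "ActiveSync", False),
    ("2022-09-01T10:11:00", "198.51.100.20", "bob@example.com", "ActiveSync", False),
    ("2022-09-01T10:12:00", "192.0.2.44", "gina@example.com", "MAPI", True),
]


def detect_spray(records, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Flag sources that fail against many accounts with few tries per account."""
    failures, successes = defaultdict(list), defaultdict(set)
    for ts, ip, user, proto, ok in records:
        if ok:
            successes[ip].add(user)
        else:
            failures[ip].append((datetime.fromisoformat(ts), user, proto))
    findings = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it never spans more than `window` of time.
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            tries = Counter(user for _, user, _ in in_window)
            if len(tries) >= min_users and max(tries.values()) <= max_per_user:
                findings[ip] = {
                    "targets": sorted(tries),
                    "protocols": sorted({proto for _, _, proto in in_window}),
                    # Any success from a spraying source is a likely compromised account.
                    "succeeded": sorted(successes[ip]),
                }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_spray(SIGNINS).items():
        print(ip, finding)
```

The repeated failures against a single account from 198.51.100.20 are deliberately not flagged: that pattern is a lockout or single-account brute-force problem, not a spray.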
Modern Authentication Instead of Basic Authentication
Organizations will need Modern Authentication after Microsoft disables Basic Authentication. Those running Exchange 2016 and higher in a hybrid configuration can enable Modern Authentication. They need to adopt the new authentication method in order to turn off Basic Authentication.
Modern Authentication or OAuth 2.0 is the new authorization framework for clients or servers. It isn’t just a method for authentication but a category of multiple protocols to protect cloud-based resources.
The Modern Authentication protocol won’t allow accounts or apps to save credentials for Microsoft 365. Instead, they will rely on token-based claims. However, the user will still have to provide a username and password to authenticate with an identity provider to create an access token.
The token carries a lot of information outlining the specific access the requester has. Tokens can expire, and the system can revoke them, increasing the protection and security level.
Clients Affected by the Change
Microsoft has provided a list of clients it supports, and it’s essential to check the requirements from time to time. Some clients on the list are:
- Mail app for iOS 11.3.1 or higher
- Outlook on iOS and Android
- Outlook 2013 and higher
- Outlook 2016 for Mac or higher
Looking through the admin portal will reveal the announcements about Basic Authentication. You may find that Microsoft has already disabled it on your tenant. Not being prepared may launch you into an arduous process of fixing issues.
Some protocols that will be affected by this change include:
- POP3
- SMTP Auth
- ActiveSync
- RPC
- MAPI
- Office Address Book
- Exchange Web services
- Remote PowerShell
- IMAP4
It’s worth noting that if Microsoft does not turn off Basic Authentication in your tenant, it’s possible to enable it again, but temporarily. However, when the time comes, and it hits the end of life, it will be gone forever.
Difference Between Basic and Modern Authentication
While the forced switch from Basic to Modern Authentication might be troublesome for some, it is a welcome move. Basic Authentication requires each app or service to pass credentials, usually a username and password, with each request.
The information remains in those applications somewhere in their settings. This creates security loopholes, making it easy for attackers to gain access to the Microsoft 365 platform.
On the other hand, Modern Authentication doesn’t allow apps or services to save login credentials. For the platform to authenticate a client, service, or app, a user must log in to their Microsoft 365 account and accept a request by an app to access their account.
Access is only possible through tokens, which expire within a given time limit. They also have a strictly defined scope, which you must accept as a user. Modern Authentication also requires the use of multi-factor authentication, adding an extra layer of security.
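The difference described above is visible in the Authorization header itself. The following added example, not part of the original article, summarizes what each kind of header exposes if it is stored or logged; the account, password, token and claim values are constructed, and the token is an unsigned JWT-shaped sample that is decoded without signature verification.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(now):
    # Constructed, unsigned JWT-shaped token; claim values are sample data.
    claims = {"upn": "alice@example.com", "scp": "IMAP.AccessAsUser.All", "exp": now + 3600}
    return ".".join([_b64url(b'{"alg":"none"}'), _b64url(json.dumps(claims).encode()), "sig"])


def describe_authorization(header, now):
    """Summarize what an Authorization header exposes to anyone who can read it."""
    scheme, _, value = header.partition(" ")
    if scheme.lower() == "basic":
        # Base64 is an encoding, not encryption: the long-lived password is in every request.
        user, _, password = base64.b64decode(value).decode().partition(":")
        return {"scheme": "basic", "user": user, "password_recoverable": password != "",
                "expires_in": None, "scope": None}
    if scheme.lower() == "bearer":
        payload = value.split(".")[1]
        claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
        # The token names its own lifetime and scope and contains no password.
        return {"scheme": "bearer", "user": claims.get("upn"), "password_recoverable": False,
                "expires_in": claims["exp"] - now, "scope": claims.get("scp")}
    raise ValueError(f"unsupported scheme: {scheme!r}")


NOW = 1_664_582_400  # fixed clock so the output is repeatable
BASIC = "Basic " + base64.b64encode(b"alice@example.com:Summer2022!").decode()
BEARER = "Bearer " + make_sample_token(NOW)

if __name__ == "__main__":
    print(describe_authorization(BASIC, NOW))
    print(describe_authorization(BEARER, NOW))
```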
Final Thoughts
Microsoft has warned that it will no longer be providing Basic Authentication after October 2022. Every app, program, or service that uses Basic Authentication to access Exchange Online will not work once the protocol is no longer in service.
Your organization must prepare for the future. If all this sounds like too much for you to handle, an expert can help you. At Realized Solutions, we help our clients navigate modern technology challenges, including transitioning to Modern Authentication protocols.
Contact us today to find out more on this, and for all your Microsoft support and networking needs.