Microsoft started switching off Basic Authentication support for Exchange Online customers back in October. The company announced yesterday that it’s killing off Basic Authentication for the Autodiscover service on December 31, 2022.
The Autodiscover protocol lets client applications retrieve the configuration data they need to connect to Exchange. It is used by Outlook, Exchange ActiveSync, and Exchange Web Services (EWS) clients.
For instance, the protocol gets invoked when a user adds a new Exchange account to Microsoft Outlook. The user provides their email address and password, and Outlook uses Autodiscover to retrieve all other details required to set up the client.
Last year, security researchers discovered a design flaw in the Autodiscover protocol that allowed attackers to harvest domain credentials. Microsoft says the upcoming change will help to secure customers' accounts and sensitive information.
However, it's important to note that Microsoft is not deprecating the Autodiscover protocol itself. The change only removes the ability to authenticate to Autodiscover with Basic Authentication, which sends the user's username and password with every request; clients will instead have to obtain a token through Modern Authentication (OAuth 2.0).
“We’re starting right away with the tenants with no Basic auth usage at all in 2022, and then in early 2023 (as Basic auth for related protocols is permanently disabled), we will move on to everybody else. If you re-enabled Basic auth in your tenant, or took the option to request more time, we’ll turn off Basic auth for Autodiscover after that extension expires. It’s going to take a few weeks to roll this change out. No tenant will be excluded,” the Exchange team explained.
Microsoft notes that once Basic Authentication for Autodiscover is turned off, customers will not be able to re-enable it for end users in their tenants. The company recommends that IT admins plan their migration to Modern Authentication now to avoid disruptions.
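One check an admin can run while planning that migration is to see whether an Autodiscover endpoint still advertises Basic as an accepted scheme. An unauthenticated request to the endpoint is answered with HTTP 401 and one `WWW-Authenticate` header per scheme the server accepts; if `Basic` is among them, username/password logins are still possible. The script below is an added example written for this page, not code from Microsoft or the article. It parses the challenge headers offline against a constructed sample response, and the optional live probe (hostname, request path and user agent are assumptions you supply) uses only the standard library.

```python
"""Check whether an Autodiscover endpoint still offers HTTP Basic authentication.

Added example, not from the original article. The sample 401 response below
is constructed for offline use; `probe()` performs the same check live.
"""
import http.client
import re
import ssl
import sys

# A scheme name appears at the start of a WWW-Authenticate value or after a
# comma, and is followed by whitespace, a comma or end-of-value. Parameter
# names (followed by "=") and text inside quoted realms are skipped, so a
# realm such as realm="a, b" does not produce a bogus scheme.
_SCHEME_RE = re.compile(r'(?:^|,\s*)([A-Za-z][A-Za-z0-9._~+/-]*)(?=\s|,|$)')

# Constructed sample: the WWW-Authenticate values a tenant that still allows
# Basic auth would return on an unauthenticated POST (the client_id and
# issuer values are placeholders, not real identifiers).
SAMPLE_401_HEADERS = [
    'Basic realm="autodiscover.example.com"',
    'Negotiate',
    'NTLM',
    'Bearer client_id="<app-id>", trusted_issuers="<issuer>@*"',
]


def offered_schemes(www_authenticate_values):
    """Return the set of auth scheme names found in the given header values."""
    schemes = set()
    for value in www_authenticate_values:
        for match in _SCHEME_RE.finditer(value):
            schemes.add(match.group(1))
    return schemes


def basic_auth_offered(www_authenticate_values):
    """True if the server still advertises the Basic scheme (case-insensitive)."""
    return any(s.casefold() == "basic" for s in offered_schemes(www_authenticate_values))


def probe(host, path="/autodiscover/autodiscover.xml", timeout=10):
    """Send an unauthenticated POST and return (status, set of offered schemes).

    `host` is the Autodiscover hostname you want to test (assumed input);
    the path is the standard Autodiscover endpoint. Network access required.
    """
    conn = http.client.HTTPSConnection(
        host, timeout=timeout, context=ssl.create_default_context())
    try:
        conn.request("POST", path, body="", headers={
            "Content-Type": "text/xml",
            "User-Agent": "autodiscover-basic-check/1.0",  # assumed UA string
        })
        resp = conn.getresponse()
        # getheaders() keeps duplicate headers, one entry per challenge.
        values = [v for k, v in resp.getheaders() if k.lower() == "www-authenticate"]
        return resp.status, offered_schemes(values)
    finally:
        conn.close()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        status, schemes = probe(sys.argv[1])
        print(f"HTTP {status}; schemes offered: {sorted(schemes)}")
        print("Basic auth still offered" if basic_auth_offered(
            [", ".join(schemes)]) else "Basic auth not offered")
    else:
        print("offline sample:", sorted(offered_schemes(SAMPLE_401_HEADERS)))
```

Run it with the Autodiscover hostname of the tenant or on-premises server you want to test as the only argument. A response that lists `Bearer` and `Negotiate` but no `Basic` means the endpoint has already moved to token-based authentication; keep in mind that a load balancer or proxy in front of the server may rewrite the challenge headers, so confirm the result against the tenant's authentication policy as well.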