PSA: Microsoft Exchange Online to Drop Basic Authentication Support in October


Microsoft is getting ready to drop support for Basic Authentication in its Exchange Online e-mail service. The company is reminding customers that it will begin to permanently disable this feature for select protocols in its multi-tenant service worldwide starting October 1, 2022.

Essentially, Basic Authentication means that an application sends a user name and password with each client access request. It is a legacy authentication mechanism typically used by apps to connect to services, servers, and APIs. Basic Authentication is relatively easy to configure, and it is turned on by default on various services and servers.

However, Basic Authentication makes it easier for threat actors to steal user credentials, and it is also subject to password spray attacks. Moreover, this outdated mechanism does not allow organizations to enforce multifactor authentication (MFA). Microsoft says that turning off Basic Authentication should improve the security of its Exchange Online service by making it harder for attackers to compromise user accounts.

“As a reminder, Basic Auth is still one of, if not the most common ways our customers get compromised, and these types of attacks are increasing. We’ve disabled Basic Auth in millions of tenants that weren’t using it, and we’re currently disabling unused protocols within tenants that still use it, but every day your tenant has Basic Auth enabled, you are at risk from attack,” the Exchange team explained.


Microsoft to disable Basic Authentication for specific protocols in Exchange Online

Microsoft has noted that it plans to end Basic Authentication support for most protocols in Exchange Online, including POP, IMAP, RPC, MAPI, Remote PowerShell, Exchange Web Services (EWS), and Offline Address Book (OAB). The company has already disabled SMTP AUTH for all Office 365 tenants that do not use it. It advises organizations to turn off the protocol at the tenant level and only enable it for specific mailboxes as needed.
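The tenant-level-off, per-mailbox-on approach described above, as an added example that is not from the article or from Microsoft's own guidance: it assumes the ExchangeOnlineManagement PowerShell module and an account allowed to change transport and mailbox settings, and the mailbox identity is a placeholder.

```powershell
# Added example (not from the article): audit and restrict SMTP AUTH in Exchange Online
# with the ExchangeOnlineManagement module. Assumes an account that may change
# transport and CAS mailbox settings; the mailbox identity below is a placeholder.

Connect-ExchangeOnline

# 1. Read the tenant-wide setting. $true means SMTP AUTH is already disabled
#    for the whole organization.
$tenantDisabled = (Get-TransportConfig).SmtpClientAuthenticationDisabled
"Tenant-wide SMTP AUTH disabled: $tenantDisabled"

# 2. Turn SMTP AUTH off at the tenant level if it is still on.
if (-not $tenantDisabled) {
    Set-TransportConfig -SmtpClientAuthenticationDisabled $true
}

# 3. List mailboxes that explicitly override the tenant setting and keep SMTP AUTH on.
#    A blank (null) value on a mailbox means it inherits the tenant-wide setting,
#    so only an explicit $false is a per-mailbox exception worth reviewing.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object Identity, SmtpClientAuthenticationDisabled

# 4. Re-enable SMTP AUTH only for the one mailbox that genuinely needs it
#    (for example a device that cannot do OAuth). Placeholder identity.
Set-CASMailbox -Identity 'legacy-device@example.com' -SmtpClientAuthenticationDisabled $false

Disconnect-ExchangeOnline -Confirm:$false
```

Step 3 is the part to rerun periodically: each mailbox it lists is a standing exception to the tenant-wide setting and should have a documented owner and reason.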

The Redmond giant plans to give IT admins 30 days' advance notice via Message Center notifications before disabling Basic Authentication in their tenants. “There is no way to request an exception after October. Tenant selection is random, and we cannot put your tenant to the back of the queue to give you more time or change your settings on any specific date,” the Exchange team added.

Microsoft recommends that customers switch their email clients and apps to modern authentication (OAuth 2.0 token-based authorization). The firm has provided some guidelines to help IT pros prepare for this change, and you can check out the blog post for details.