Microsoft to End Basic Authentication
on October 1, 2022
- On October 1, 2022, Microsoft plans to end support for Basic Authentication for Outlook, EWS, EAS, IMAP, POP, and RPS to access Exchange Online.
- Cybercriminals are increasingly targeting these older protocols to gain access to user accounts.
- Microsoft is urging customers to switch to Modern Authentication.
For weeks, Microsoft has been appealing to organizations using Basic Authentication to switch to Modern Authentication. Microsoft has gradually adopted this change, which it announced in mid-2019. The company is now taking a more forceful approach. It will end support for Basic Authentication for Exchange Web Services (EWS), Exchange ActiveSync (EAS), Internet Message Access Protocol (IMAP), Post Office Protocol (POP), and Remote PowerShell (RPS) in Exchange Online on October 1, 2022.
Any client applications attempting to use Basic Authentication for EWS, EAS, IMAP, POP, or RPS after that date will receive an “HTTP 401 error”. SMTP AUTH, however, will not be affected. SMTP will still be available because multi-function devices can’t use Modern Authentication. These devices include printers, scanners, and copiers. Organizations are still encouraged to transition to Modern Authentication for SMTP AUTH as soon as possible.
The oldest client that will be supported by Microsoft after the change is Outlook 2013. Outlook 365, Outlook 2016, and Outlook 2019 all support Modern Authentication and will continue to work after the change.
What Is Basic Authentication?
Basic Authentication is an outdated method of logging in to email accounts that have been used for many years. It uses a username and password to log in, and the password is sent over the internet in clear text. This means that the password can be intercepted by someone who is monitoring the connection, and it can also be stored in plain text on the email server.
Since Microsoft announced this change, there has been an increase in high-level attacks using phishing and social engineering to gain access to email accounts. These attacks are usually targeted at specific individuals or organizations and can be very difficult to detect. According to the Microsoft Exchange Team, “Basic Auth is still one of, if not the most common ways our customers get compromised, and these types of attacks are increasing.” This means the longer you wait to switch to Modern Authentication, the greater the risk of your account being compromised.
In addition to the security concerns, Basic Authentication does not support MFA. MFA is an additional layer of security that requires the user to enter a code from their phone or an app on their computer in addition to their username and password. This makes it much more difficult for attackers to access an account, even if they have the password.
What Is Modern Authentication?
Modern authentication is an umbrella term that refers to several different authentication methods. These methods include two-factor authentication, single sign-on, and passwordless authentication. Modern Authentication does not allow applications to save passwords in plain text. Modern Authentication uses industry-standard OAuth 2.0 tokens, which are more secure than Basic Authentication. OAuth 2.0 is an open standard that many organizations already use to authenticate users.
The Executive Order on Improving the Nation’s Cybersecurity, issued by President Biden, called for adopting these authentication methods. In response to the Executive Order, more organizations adopted modern authentication methods. Organizations that fail to do so will be at a competitive disadvantage.
How Do You Determine if You’re Using Basic Authentication?
To check if you’re using Basic Authentication, users can look at the dialog box that appears when they enter their username and password. If you see a dialog box with a dialog credential prompt with the text “Enter your user name and password for the following server”, you are using Basic Authentication. If you see a dialog box with the text “Sign in with Microsoft”, you are using Modern Authentication. If you’re still unsure which type of authentication your organization uses, you can contact an IT company or Microsoft support.
What Should Organizations Do to Prepare?
If your organization has not taken any steps to prepare for this change, you should start by inventorying all of the applications that connect to your Exchange Online environment. This includes email clients, mobile devices, and third-party applications connecting to Exchange Online. If Mobile Device Management (MDM) solutions are in place, you should also inventory which devices these solutions manage. Modern configuration profiles can be created using OAuth and deployed to managed devices.
Once you have a list of all the applications that need to be updated, you can start working with the vendors to ensure that they are compatible with Modern Authentication. You should also plan on deploying MFA for all of your users. This can be done using the Azure Active Directory or manually configuring each user account. The third step is to test your applications and ensure they work properly with Modern Authentication. Microsoft is committed to making this change as smooth as possible for its customers. However, it is important to start preparing now to avoid service disruptions.
Microsoft’s decision to end basic authentication will significantly impact organizations that rely on this protocol. While the change is not scheduled to take effect until October 1, 2022, organizations should begin planning for the transition now because Microsoft can randomly select tenants for the migration anytime. Microsoft will send a 7-day notice to tenants that will be migrated before the change is made. Once basic authentication is turned off for a tenant, there is no going back.
The digital transformation is well underway, and Microsoft is leading the charge. Speak with your IT company about possible options when Microsoft discontinues this vital service.
tech42 LLC Is Here To Help
At tech42 LLC, we are a Microsoft Partner and have been working with Microsoft products for many years. We can help your organization inventory applications, work with vendors to ensure compatibility, and deploy Modern Authentication. Our team of experts can also assist with any other aspect of your transition to Modern Authentication.