For many years, applications have used Basic authentication (also known as Legacy authentication) to connect to servers, services, and API endpoints. Basic authentication simply means the application sends a username and password with every request, and those credentials are also often stored or saved on the device. Traditionally, Basic authentication is enabled by default on most servers or services and is simple to set up.
Simplicity isn't at all bad, but Basic authentication makes it easier for attackers to capture user credentials (particularly if the credentials are not protected by TLS), which increases the risk of those stolen credentials being reused against other endpoints or services. Furthermore, the enforcement of multi-factor authentication (MFA) is not simple or in some cases, possible when Basic authentication remains enabled.
Basic authentication is an outdated industry standard. Threats posed by it have only increased since Microsoft originally announced that they were going to turn it off. There are better and more effective user authentication alternatives.
Kick actively recommends that customers adopt security strategies such as ‘Zero Trust’ (Never Trust, Always Verify), or apply real-time assessment policies when users and devices access corporate information. These alternatives allow for intelligent decisions about who is trying to access what from where on which device rather than simply trusting an authentication credential that could be a bad actor impersonating a user.
With these threats and risks in mind, Microsoft are taking steps to improve data security in Exchange Online.
What's changing?
Microsoft are removing the ability to use Basic authentication in Exchange Online for Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, Exchange Web Services (EWS), Offline Address Book (OAB), Outlook for Windows, and Mac.
They are also disabling SMTP AUTH in all tenants in which it's not being used.
This decision requires customers to move from apps that use Basic authentication to apps that use Modern authentication. Modern authentication (OAuth 2.0 token-based authorization) has many benefits and improvements that help mitigate the issues in Basic authentication. For example, OAuth access tokens have a limited usable lifetime, and are specific to the applications and resources for which they are issued, so they cannot be reused. Enabling and enforcing multi-factor authentication (MFA) is also simple with Modern authentication.
When will this change take place?
Microsoft have already started making this change. New Microsoft 365 tenants are created with Basic authentication already turned off as they have Security defaults enabled.
Beginning in early 2021, Microsoft started to disable Basic authentication for existing tenants with no reported usage. Microsoft always provide Message Center notifications to any customer prior to Basic authentication being disabled in their tenant.
In September 2021, Microsoft announced that effective 1 October, 2022, that they would begin disabling Basic authentication for Outlook, EWS, RPS, POP, IMAP, and EAS protocols in Exchange Online. SMTP Auth will also be disabled if it is not being used.
Impact to messaging protocols and existing applications
This change affects the applications and scripts you might use in different ways.
POP, IMAP, and SMTP AUTH
In 2020, Microsoft released OAuth 2.0 support for POP, IMAP, and SMTP AUTH. Updates to some client apps have been updated to support these authentication types (for example, Thunderbird), so users with up-to-date versions can change their configuration to use OAuth. There is no plan for Outlook clients to support OAuth for POP and IMAP, but Outlook can connect use MAPI/HTTP (Windows clients) and EWS (Outlook for Mac).
Application developers who have built apps that send, read, or otherwise process email using these protocols will be able to keep the same protocol, but need to implement secure, Modern authentication experiences for their users. This functionality is built on top of Microsoft Identity platform v2.0 and supports access to Microsoft 365 email accounts.
SMTP AUTH will still be available when Basic authentication is permanently disabled on October 1, 2022. The reason SMTP will still be available is that many multi-function devices such as printers and scanners can't be updated to use Modern authentication. However, we strongly encourage customers to move away from using Basic authentication with SMTP AUTH when possible. Other options for sending authenticated mail include using alternative protocols, such as the Microsoft Graph API.
Exchange ActiveSync (EAS)
Many users have mobile devices that are set up to use EAS. If they're using Basic authentication, they will be impacted by this change.
We recommend using Outlook for iOS and Android when connecting to Exchange Online. Outlook for iOS and Android fully integrates Microsoft Enterprise Mobility + Security (EMS), which enables conditional access and app protection (MAM) capabilities. Outlook for iOS and Android helps you secure your users and your corporate data, and it natively supports Modern authentication.
There are other mobile device email apps that support Modern authentication. The built-in email apps for all popular platforms typically support Modern authentication, so sometimes the solution is to verify that your device is running the latest version of the app. If the email app is current, but is still using Basic authentication, you might need to remove the account from the device and then add it back.
If you're using Microsoft Intune, you might be able to change the authentication type using the email profile you push or deploy to your devices. If you are using iOS devices (iPhones and iPads) you should take a look at ‘Add e-mail settings for iOS and iPadOS devices’ in Microsoft Intune.
Exchange Online PowerShell
Since the release of the Exchange Online V2 PowerShell module (abbreviated as the EXO V2 module) it's been easy to manage your Exchange Online settings and protection settings from the command line using Modern authentication. The EXO V2 module uses Modern authentication and works with multifactor authentication (MFA) for connecting to all Exchange-related PowerShell environments in Microsoft 365: Exchange Online PowerShell, Security & Compliance PowerShell, and standalone Exchange Online Protection (EOP) PowerShell.
The EXO V2 module can also be used non-interactively, which enables running unattended scripts. Certificate-based authentication provides admins the ability to run scripts without the need to create service-accounts or store credentials locally.
Administrators who still use the old remote PowerShell connection method or the older Exchange Online Remote PowerShell Module (V1), are encouraged to begin using the EXO V2 module as soon as possible. These older connection methods will eventually be retired, either through Basic authentication disablement or the end of support.
Exchange Web Services (EWS)
Many applications have been created using EWS for access to mailbox and calendar data.
In 2018, Microsoft announced that Exchange Web Services would no longer receive feature updates and recommended that application developers switch to using Microsoft Graph.
Many applications have successfully moved to Graph, but for those applications that have not, it's noteworthy that EWS already fully supports Modern authentication. So, if you can't migrate to Graph yet, you can switch to using Modern authentication with EWS, knowing that EWS will eventually be deprecated.
Outlook, MAPI, RPC, and Offline Address Book (OAB)
All versions of Outlook for Windows since 2016 have Modern Authentication enabled by default, so it's likely that you're already using Modern authentication. Outlook Anywhere (formerly known as RPC over HTTP) has been deprecated in Exchange Online in favour of MAPI over HTTP. Outlook for Windows uses MAPI over HTTP, EWS, and OAB to access mail, set free/busy and out of office, and download the Offline Address Book. All of these protocols support Modern authentication.
Outlook 2007 or Outlook 2010 cannot use Modern authentication and will eventually be unable to connect. Outlook 2013 requires a setting to enable Modern authentication, but once configured, Outlook 2013 can use Modern authentication with no issues. Outlook 2013 requires a minimum update level to connect to Exchange Online and Outlook for Mac supports Modern Authentication.
Want to know more about the impact on your business? Get in touch with our Support Team today.