Exchange Online Basic Authentication Deprecation

Purpose:

The purpose of this change has only ever been to protect your data and accounts from the increasing number of attacks we see that leverage basic auth.

Notification from the Message Center:

Microsoft has announced that it will turn off basic authentication for specific protocols in Exchange Online from October 1, 2022.

The following protocols are in scope for disablement:

Basic Authentication vs Modern Authentication:

Basic Authentication uses a username and password, which the requesting application transmits each time it requests access to a service, for example Exchange Online, Salesforce, or Box. The username and password used to authenticate are often stored on the requesting device, for example in a browser, making it easier for attackers to capture those credentials and reuse them against other services.

Modern Authentication is based on ADAL (Active Directory Authentication Library) and the OAuth 2.0 protocols. The term “Modern Authentication” describes federated identity management, which moves away from usernames and passwords being transmitted directly from the requester to the service. It instead leverages token-based requests, with tokens generated by an Identity Provider (IdP), for example IBM Verify, Microsoft Azure AD, Okta, or Ping. The requesting user or device presents the IdP’s tokens to the service, and it is these tokens, rather than a username and password, that are stored on the device. Multifactor Authentication (MFA), passwordless sign-in, and Single Sign-On (SSO) are all components of Modern Authentication.
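As an added example (not from the original notice or from Microsoft), the following Exchange Online PowerShell script shows how a tenant admin can enforce the same per-protocol cut-over locally with an authentication policy, and keep a single legacy protocol open only for the accounts that need it. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds the Exchange Administrator role, and uses placeholder policy names and a placeholder mailbox.

```powershell
# Added example, not part of the original page: block Basic Authentication
# per protocol in your own tenant ahead of Microsoft's tenant-wide switch.
# Assumes the ExchangeOnlineManagement module and Exchange Administrator role.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive (modern) sign-in; no stored password

$policyName = 'Block Basic Auth'   # placeholder name, choose your own

# New-AuthenticationPolicy blocks Basic auth for every protocol by default.
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}

# Show which protocols the policy still permits Basic auth for, so that any
# protocol deliberately left open (e.g. during a migration) stays visible.
Get-AuthenticationPolicy -Identity $policyName |
    Select-Object -Property AllowBasicAuth* |
    Format-List

# Apply the policy tenant-wide; users without an explicit policy inherit it.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# If one protocol must stay open for a while, re-enable only that protocol,
# and only for the accounts that need it, through a separate policy rather
# than by weakening the default. Here: a legacy device that uses SMTP AUTH.
$exceptionPolicy = 'Allow Basic SMTP Only'   # placeholder name
if (-not (Get-AuthenticationPolicy -Identity $exceptionPolicy -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $exceptionPolicy | Out-Null
    Set-AuthenticationPolicy -Identity $exceptionPolicy -AllowBasicAuthSmtp $true
}
# Placeholder mailbox; replace with the actual service account.
Set-User -Identity 'scanner@contoso.example' -AuthenticationPolicy $exceptionPolicy

Disconnect-ExchangeOnline -Confirm:$false
```

Authentication policy changes can take up to 24 hours to take effect for existing sessions, so apply them well before the date on which you expect a protocol to be disabled.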

One-Time Re-Enablement opportunity:

Microsoft announced that they are giving customers one last chance to request a three-month extension to continue using basic authentication before the guillotine finally descends.

Basic authentication will then remain enabled until Dec 31st, 2022.

Avoiding Disruption:

If you already know you need more time and wish to avoid the disruption of having basic auth disabled, you can run the diagnostics during the month of September, and when October comes, we will not disable basic for the protocol(s) you specify. We will disable basic for any protocols you did not opt out, but you will be able to re-enable them (until the end of the year) by following the steps below if you later decide you need those too.

In other words – if you do not want basic disabled in October for a specific protocol or protocols, you can use the same self-service diagnostic in the month of September. Details on this process follow below.

Diagnostic Options:

used the self-service diagnostic tool to re-enable basic auth for a protocol that had been turned off, or to tell us not to include them in our proactive protection expansion program. We’re using this same diagnostic again, but the workflow is changing a little.

Timelines:

Microsoft will be deprecating Basic Authentication in all tenants on 1 Jan 2023.