Microsoft sets date to turn off Basic authentication in Exchange Online
Microsoft announced in 2021 that it would turn off Basic authentication for all Exchange Online tenants in Microsoft 365. With COVID changing everything, the deadline was extended. But Microsoft has now set a specific date, announcing: “Effective October 1, 2022, we will begin to permanently disable Basic authentication in all tenants regardless of their use except SMTP authentication.” What does this mean for you? For those new to Microsoft 365, Basic authentication allows users to sign in to a mailbox using only a username and password. The reason for the shutdown is that it prevents accounts from being brute-forced or falling victim to password spray attacks, since a single stolen or guessed password is enough to sign in. The change does not affect on-premises Exchange Server.
Every day that Basic authentication remains enabled in your tenant, your data is at risk, so your role is to take your customers and apps out of Basic authentication, move them to stronger and better options, and then to secure your tenant, before we do.
– Microsoft Exchange Team
Modern authentication will supplant basic authentication
Modern authentication is what you and your organization should use going forward. If you’re running Exchange 2016 or later in a hybrid deployment, you can enable modern authentication in both Exchange and Microsoft 365, but that discussion is outside the scope of this article. Before you turn off Basic authentication, your clients must support the new authentication method. Microsoft maintains a list of supported clients on docs.microsoft.com, and you should check it from time to time to make sure you meet the requirements. Here is the link to the article.
The clients they have listed are as follows:
- Outlook 2016 for Mac or higher
- Outlook 2013 and higher
- Outlook on iOS and Android
- Email app for iOS 11.3.1 or higher
If you go to the Admin Portal, you should notice the announcements about Basic authentication. You may find that Microsoft has already disabled it in your tenant, or that it will do so soon. If you’re not prepared, you could end up with a pretty busy day or week of troubleshooting. Note that Basic authentication is disabled for several protocols, including:
- Remote PowerShell
- Exchange Web Services
- Office Address Book
- SMTP authentication
You can re-enable basic authentication, but only temporarily
As you can see, the list is long, and if Microsoft has disabled Basic authentication in your tenant, you can enable it again. But when it reaches end of life next year, it will be disabled permanently. Here is a sample post from the admin center:
For those who are concerned about the security of Basic Authentication, the question is, “How do I turn off Basic Authentication?” You have a few options. Here are a few:
- Authentication policies
- Enabling security defaults (this option is automatically enabled for new Microsoft 365 tenants)
- Client access rules
With authentication policies, you create a new policy with PowerShell and then apply it to all users; the policy blocks legacy authentication methods for the users it is assigned to.
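As an added example (not code from the original article), this Exchange Online PowerShell session creates such a policy, makes it the tenant default, stamps it on every user and forces re-authentication so the block applies immediately; the policy names are constructed, and the optional SMTP exception mirrors Microsoft’s own carve-out for SMTP AUTH.

```powershell
# Requires the ExchangeOnlineManagement module; sign in as an Exchange admin.
Connect-ExchangeOnline

# A policy created with no -AllowBasicAuth* switches blocks Basic authentication
# for every protocol (IMAP, POP, EWS, ActiveSync, Remote PowerShell, SMTP AUTH...).
$blockPolicy = "Block Basic Auth"   # constructed name
if (-not (Get-AuthenticationPolicy -Identity $blockPolicy -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $blockPolicy | Out-Null
}

# Make it the organization default so mailboxes without an explicit policy inherit it.
Set-OrganizationConfig -DefaultAuthenticationPolicy $blockPolicy

# Stamp every user explicitly so nobody keeps an older per-user policy that
# still allows a legacy protocol. Policy changes can take up to 24 hours to
# apply; resetting the token issuance time forces a fresh sign-in now.
Get-User -ResultSize Unlimited | ForEach-Object {
    Set-User -Identity $_.Identity -AuthenticationPolicy $blockPolicy
    Set-User -Identity $_.Identity -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)
}

# Optional: a narrow exception for a device or app that can only do SMTP AUTH,
# assigned to one account only (constructed name and account).
$smtpPolicy = "Allow Basic Auth SMTP only"
if (-not (Get-AuthenticationPolicy -Identity $smtpPolicy -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $smtpPolicy -AllowBasicAuthSmtp | Out-Null
}
Set-User -Identity "scanner-relay@example.com" -AuthenticationPolicy $smtpPolicy

# Verify: every AllowBasicAuth* flag on the block policy should read False.
Get-AuthenticationPolicy -Identity $blockPolicy | Format-List Name, AllowBasicAuth*
```

Keep the exception policy list short and review it against the sign-in reports, because every account on it is still exposed to password spraying.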
Enabling Security Defaults
Enabling security defaults can be done from Azure Active Directory. From the Microsoft 365 admin center, you can expand Admin centers on the left, then click Azure Active Directory, which will open a new page and ask you to sign in with an account that is a global admin. Once you’ve signed in, you’ll be greeted with the main Azure AD page. Click Azure Active Directory below:
Once you click Azure Active Directory (Arrow 1), the middle section changes and presents a list of options. Select Properties (Arrow 2), then at the bottom of the page, where it says “Access management for Azure resources”, click Manage default security settings (Arrow 3). This brings up a menu on the right side (Arrow 4). As you can see, my tenant is set to No. Once you select Yes, the Save button, which was grayed out, becomes active and you can click it.
This launches a task in Azure AD, and you can see in the notification section at the top that one is listed. When I enabled it on my tenant and then tried to log in to one of the admin centers, I was asked to configure Azure AD multi-factor authentication, which offered to send a text message to my phone.
Now that we have enabled the default security settings, Basic authentication is disabled. To learn more about security defaults, you can refer to this Microsoft documentation page.
If you go to the Microsoft 365 admin center and click Settings then Organization settings and scroll down until you see Modern authentication, you will see the message on the right side if default security settings are enabled:
If you want to see Basic authentication connections in a report, click the penultimate link in the right-hand block, View Basic authentication connection reports in the Azure portal. This brings up an Azure Active Directory login page again, after which you can view the reports. They give you an indication of how many users or apps are still using Basic authentication so you can plan your change.
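The same sign-in data can be pulled from a script instead of the portal; this added example (not from the original article) uses Microsoft Graph PowerShell to list which users and apps still signed in with a legacy client over the last seven days. It assumes the Microsoft.Graph.Reports module, AuditLog.Read.All permission, and the client-app names the Azure AD sign-in logs use for legacy protocols.

```powershell
# Sign in with a role that can read Azure AD sign-in logs (e.g. Reports Reader).
Connect-MgGraph -Scopes "AuditLog.Read.All"

# ClientAppUsed values the sign-in logs report for Basic/legacy authentication.
# Assumed list, mirroring the portal's "Client app" filter for legacy clients.
$legacyClients = @(
    "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP",
    "Exchange Online PowerShell", "Exchange Web Services",
    "MAPI Over HTTP", "Offline Address Book", "Other clients"
)

# Server-side filter on time only; the client-app match is done locally.
$since   = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.ClientAppUsed -in $legacyClients }

# One row per user + protocol + application: who still needs migrating, and from what.
$report = $signIns |
    Group-Object UserPrincipalName, ClientAppUsed, AppDisplayName |
    ForEach-Object {
        $latest = $_.Group | Sort-Object CreatedDateTime -Descending | Select-Object -First 1
        [pscustomobject]@{
            User      = $latest.UserPrincipalName
            ClientApp = $latest.ClientAppUsed
            App       = $latest.AppDisplayName
            SignIns   = $_.Count
            LastSeen  = $latest.CreatedDateTime
        }
    } | Sort-Object SignIns -Descending

$report | Format-Table -AutoSize
# Export for the migration tracker (path is a constructed example).
$report | Export-Csv -Path ".\legacy-auth-signins.csv" -NoTypeInformation
```

Run it again after each migration step; when the report comes back empty for a few days, the tenant is ready for the permanent cut-over.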
If Microsoft has turned off Basic authentication and it affects your organization, you can turn it back on while you switch to modern authentication. Don’t leave the switch to modern authentication at the last minute, as you might run out of time. But the main reason you should switch to Modern Authentication ASAP is that your data is at risk with Basic Authentication.