News

Microsoft Rethinks Plans To Block Basic Authentication in Exchange Online

• By Kurt Mackie
• 02/04/2021

Microsoft on Thursday announced an update to its plans to end "Basic Authentication" when used with the Exchange Online e-mail service.

Basic Authentication, which consists of supplying just a user name and password for access, was supposed to get disabled in the second half of this year for Exchange Online users. That target actually was an extended end date, as Microsoft had acknowledge the potential IT logistical issues associated with the pandemic. Now, Microsoft is taking a slightly different approach. It's still planning to end the use of Basic Authentication with Exchange Online, but if Basic Authentication is perceived as being actively used by an organization, then it won't block it.

If Microsoft perceives that an organization isn't using Basic Authentication, though, it'll move toward blocking it. In such cases, it'll give IT pros a 30-day advance notice via the Message Center portal.

The actual end date for Basic Authentication, when declared by Microsoft, will get announced with a one-year advance notification.

"When we resume this program [of ending Basic Authentication], we will provide a minimum of twelve months notice before we block the use of Basic Auth on any protocol being used in your tenant," Microsoft's announcement explained.

These plans only affect users of Exchange Online service delivered by Microsoft. It doesn't apply to organizations using the Exchange Server product on their premises. Moreover, for new tenants, Microsoft already disables Basic Authentication by default.

Support Ending for Other Old Protocols
Another change in Microsoft's plans concerns the use of some other outdated protocols that might get used with Exchange Online. Microsoft has plans to end support for their use at some as-yet-undisclosed date. Mentioned in that context were the "EWS, EAS, POP, IMAP, Remote PowerShell, MAPI, RPC, SMTP AUTH and OAB" protocols and solutions.

Similarly, Microsoft is actively working to disable use of the SMTP AUTH protocol for the Office 365 tenants that are not using it. IT pros will get notified about this protocol's end via the Message Center.

These older protocols are deemed to be potentially insecure. Basic Authentication, in particular, is subject to password spray attacks (trying commonly used passwords across an organization to gain a foothold). Moreover, Basic Authentication lacks the ability to add multifactor authentication, a secondary ID verification approach on top of a password that Microsoft heavily recommends for organizations.

Negative Reaction
Microsoft's announcement concluded that its new plan would give organizations more time to transition away from Basic Authentication. However, initial reactions seemed surprisingly negative. Microsoft should stand firm on disabling Basic Authentication, a reader wrote in response to Microsoft's announcement.

Some comments found on Twitter seemed negative, too.

"Basic Auth should be eradicated and this [new plan] is not helping," wrote Michael Van Horenbeeck, a Microsoft Most Valuable Professional, in a recent Twitter post.

One problem for organizations is that they may not know that they have these older protocols in use. Microsoft recommended checking the Azure AD Sign-In Logs to detect them. The process is described by Alex Weinert, director of Identity Security at Microsoft, in this March blog post.