News

Microsoft Adds Stop-Gap Tool, but Still Plans To End Exchange Online Basic Authentication

• By Kurt Mackie
• 06/17/2021

Microsoft on Wednesday announced another update on its plans to end the use of Basic Authentication with the Exchange Online e-mail messaging service.

Microsoft just plans to turn off Basic Authentication for Exchange Online when it can detect that it's not being actively used by a tenant. Microsoft isn't planning to turn off Basic Authentication in cases where it's actively being used.

Also, Microsoft isn't turning off Basic Authentication when it's specified via Authentication Policies.

The Basic Authentication turn-off effort doesn't apply to organizations that use Exchange Server products in their "on-premises" datacenters.

Basic Authentication Turn-Off in 2H 2021
Not a lot has changed since Microsoft's February announcement, when it indicated that it would block Basic Authentication use with the Exchange Online service starting as early as the second half of 2021. The plan outlined back then was to send a 30-day advanced notice to IT pros via the Message Center portal before turning off Basic Authentication.

That's still the plan, as reiterated in Microsoft's Wednesday announcement. What's new is that Microsoft has created a new tool that will let IT pros turn Basic Authentication back on, if needed. This new "self-service reenablement tool" can be accessed from the green help icon within the Microsoft 365 Admin Center portal.

Reenablement Tool
The self-service reenablement tool runs diagnostic tests showing an organization's Basic Authentication use associated with eight protocols. A drop-down button in the tool permits Basic Authentication to be turned back on for each of those eight protocols, if wanted.

The tool doesn't run diagnostics on the SMTP AUTH protocol, though. Microsoft claims it provides other wizard-like tools that can be used to perform that work, as well as PowerShell cmdlets.

When Microsoft turns off Basic Authentication for Exchange Online users, the self-service reenablement tool will be the only option for IT pros wanting to reenable Basic Authentication.

"This [reenablement tool] is the only way to re-enable 8 of the 9 protocols included in the scope of this effort," the announcement explained.

Basic Authentication Must Die
While the new tool will let organizations continue to use Basic Authentication if wanted, Microsoft isn't backing away from its original plan to end it altogether. Microsoft's had eased off from carrying out that plan, and built the reenablement tool in the meantime, but the plan to kill Basic Authentication is still the same.

A notice of the impending end of Basic Authentication will arrive through the Message Center, the announcement promised.

Basic Authentication, which entails the use of just a simple user name and password to access an Exchange Online e-mail accounts, is deemed to be insecure. It's vulnerable to "password spray" attacks, where commonly used passwords get tried across an organization, aiming to find a foothold. Basic Authentication also doesn't support multifactor authentication, a highly recommended approach to verifying a user's identity by requiring a PIN or biometric scan on top of a password.