Microsoft Previews Ability To Disable Basic Authentication in Exchange Online

Microsoft has released a public preview of a new capability that allows IT pros to disable "basic authentication" when using the Exchange Online service.

Basic authentication transmits a user name and password to Exchange Online to gain e-mail access, and it uses a bunch of older protocols to do so. Microsoft instead advocates using its so-called "modern authentication" process, which is based on the Active Directory Authentication Library and OAuth 2.0 tokens. It's a certificate-based identity and access approach that enables things like multifactor authentication, where an additional verification is required on top of a user's password to gain access.

The Wednesday announcement by the Exchange team admitted that the new preview has some major drawbacks. For instance, it's not possible to tell which end users in an Exchange Online tenancy are using basic authentication. If basic authentication blocking is enabled, it's not possible to check that the blocking is working. Moreover, the policy change that blocks basic authentication can take "up to 24 hours" to come into effect.

Microsoft possibly is working to remedy those drawbacks. However, it decided to release the preview anyway because of the increasing frequency of "brute force or password spray attacks," according to the Exchange team. In the password spray scenario, attackers try commonly used passwords, like "password," across users in an organization to find an access point.

The blocking of basic authentication will only work for end users whose identities have already been replicated to Azure Active Directory or Exchange Online, Microsoft's announcement noted.

Moreover, it's only possible to block basic authentication when an organization is using certain e-mail client applications that support modern authentication. Microsoft's support document listed those client apps as follows:

Microsoft recommends disabling basic authentication "if your organization has no legacy email clients or doesn't want to allow legacy email clients."

The steps to enable or disable modern authentication are described in this support article. It apparently just involves running a PowerShell script.

Microsoft turns on modern authentication by default for users of Exchange Online, SharePoint Online and Skype for Business Online. However, modern authentication was apparently turned on by default for new Exchange Online hybrid tenancies starting back in August of last year. Older Office 365 tenancies didn't get this change, which implies they are still using basic authentication for some end users.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.


  • Microsoft Adds 6 More Months to Expiring Certification Programs

    Microsoft has announced an extension to the end date of three certification programs slated for retirement.

  • Microsoft's Surface Pro X: It's Like the Surface RT, But Better

    There's a lot about the Surface Pro X that's reminiscent of the ill-fated Surface RT. But despite the similarities, this might just be one of the rare cases where the sequel is better than the original.

  • Q&A: The Challenges of Securing All Those Newly Remote Workers

    Security expert Dale Meredith identifies cybersecurity challenges, best practices and major concerns resulting from all the employees forced into home offices by COVID-19.

  • Astronaut Survival Training: A Crash Course in Sea Survival

    Lots of things can go wrong during a commercial spaceflight -- especially once your capsule leaves space. An unplanned ocean landing is just one of those worst-case scenarios.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.