Microsoft Previews Ability To Disable Basic Authentication in Exchange Online

Microsoft has released a public preview of a new capability that allows IT pros to disable "basic authentication" when using the Exchange Online service.

Basic authentication transmits a user name and password to Exchange Online to gain e-mail access, and it uses a bunch of older protocols to do so. Microsoft instead advocates using its so-called "modern authentication" process, which is based on the Active Directory Authentication Library and OAuth 2.0 tokens. It's a certificate-based identity and access approach that enables things like multifactor authentication, where an additional verification is required on top of a user's password to gain access.

The Wednesday announcement by the Exchange team admitted that the new preview has some major drawbacks. For instance, it's not possible to tell which end users in an Exchange Online tenancy are using basic authentication. If basic authentication blocking is enabled, it's not possible to check that the blocking is working. Moreover, the policy change that blocks basic authentication can take "up to 24 hours" to come into effect.

Microsoft possibly is working to remedy those drawbacks. However, it decided to release the preview anyway because of the increasing frequency of "brute force or password spray attacks," according to the Exchange team. In the password spray scenario, attackers try commonly used passwords, like "password," across users in an organization to find an access point.

The blocking of basic authentication will only work for end users whose identities have already been replicated to Azure Active Directory or Exchange Online, Microsoft's announcement noted.

Moreover, it's only possible to block basic authentication when an organization is using certain e-mail client applications that support modern authentication. Microsoft's support document listed those client apps as follows:

Microsoft recommends disabling basic authentication "if your organization has no legacy email clients or doesn't want to allow legacy email clients."

The steps to enable or disable modern authentication are described in this support article. It apparently just involves running a PowerShell script.

Microsoft turns on modern authentication by default for users of Exchange Online, SharePoint Online and Skype for Business Online. However, modern authentication was apparently turned on by default for new Exchange Online hybrid tenancies starting back in August of last year. Older Office 365 tenancies didn't get this change, which implies they are still using basic authentication for some end users.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.


  • Spaceflight Training in the Middle of a Pandemic

    Surprisingly, the worldwide COVID-19 lockdown has hardly slowed down the space training process for Brien. In fact, it has accelerated it.

  • Surface and ARM: Why Microsoft Shouldn't Follow Apple's Lead and Dump Intel

    Microsoft's current Surface flagship, the Surface Pro X, already runs on ARM. But as the ill-fated Surface RT showed, going all-in on ARM never did Microsoft many favors.

  • IT Security Isn't Supposed To Be Easy

    Joey explains why it's worth it to endure a little inconvenience for the long-term benefits of a password manager and multifactor authentication.

  • Microsoft Makes It Easier To Self-Provision PCs via Windows Autopilot When VPNs Are Used

    Microsoft announced this week that the Windows Autopilot service used with Microsoft Intune now supports enrolling devices, even in cases where virtual private networks (VPNs) might get in the way.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.