Microsoft Previews Ability To Disable Basic Authentication in Exchange Online

Microsoft has released a public preview of a new capability that allows IT pros to disable "basic authentication" when using the Exchange Online service.

Basic authentication transmits a user name and password to Exchange Online to gain e-mail access, and it uses a bunch of older protocols to do so. Microsoft instead advocates using its so-called "modern authentication" process, which is based on the Active Directory Authentication Library and OAuth 2.0 tokens. It's a certificate-based identity and access approach that enables things like multifactor authentication, where an additional verification is required on top of a user's password to gain access.

The Wednesday announcement by the Exchange team admitted that the new preview has some major drawbacks. For instance, it's not possible to tell which end users in an Exchange Online tenancy are using basic authentication. If basic authentication blocking is enabled, it's not possible to check that the blocking is working. Moreover, the policy change that blocks basic authentication can take "up to 24 hours" to come into effect.

Microsoft possibly is working to remedy those drawbacks. However, it decided to release the preview anyway because of the increasing frequency of "brute force or password spray attacks," according to the Exchange team. In the password spray scenario, attackers try commonly used passwords, like "password," across users in an organization to find an access point.

The blocking of basic authentication will only work for end users whose identities have already been replicated to Azure Active Directory or Exchange Online, Microsoft's announcement noted.

Moreover, it's only possible to block basic authentication when an organization is using certain e-mail client applications that support modern authentication. Microsoft's support document listed those client apps as follows:

Microsoft recommends disabling basic authentication "if your organization has no legacy email clients or doesn't want to allow legacy email clients."

The steps to enable or disable modern authentication are described in this support article. It apparently just involves running a PowerShell script.

Microsoft turns on modern authentication by default for users of Exchange Online, SharePoint Online and Skype for Business Online. However, modern authentication was apparently turned on by default for new Exchange Online hybrid tenancies starting back in August of last year. Older Office 365 tenancies didn't get this change, which implies they are still using basic authentication for some end users.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.


  • Tamper Protection Now Available to Microsoft Defender ATP Subscribers

    The Microsoft Defender Advanced Threat Protection (ATP) E5 subscription plan now has an optional "tamper protection" security feature, Microsoft announced on Monday.

  • Exploring OCR, a New Way To Get Data into Excel

    Microsoft recently added a new optical character recognition feature to Excel that lets users import data from a photograph taken from a smartphone. Here's how to use it.

  • Microsoft Authenticator App To Get Real-Time Phishing Protections

    Microsoft is working on adding capabilities to its Microsoft Authenticator app to help defeat security breaches enabled by advanced attack techniques, including phishing and man-in-the-middle methods.

  • A Quicker Way To Create Hyper-V Inventory Reports

    If you need to generate Hyper-V inventory reports but don't want the hassle of writing your own custom PowerShell script, here is a shortcut.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.