Microsoft Previews Ability To Disable Basic Authentication in Exchange Online

Microsoft has released a public preview of a new capability that allows IT pros to disable "basic authentication" when using the Exchange Online service.

Basic authentication transmits a user name and password to Exchange Online to gain e-mail access, and it uses a bunch of older protocols to do so. Microsoft instead advocates using its so-called "modern authentication" process, which is based on the Active Directory Authentication Library and OAuth 2.0 tokens. It's a certificate-based identity and access approach that enables things like multifactor authentication, where an additional verification is required on top of a user's password to gain access.

The Wednesday announcement by the Exchange team admitted that the new preview has some major drawbacks. For instance, it's not possible to tell which end users in an Exchange Online tenancy are using basic authentication. If basic authentication blocking is enabled, it's not possible to check that the blocking is working. Moreover, the policy change that blocks basic authentication can take "up to 24 hours" to come into effect.

Microsoft possibly is working to remedy those drawbacks. However, it decided to release the preview anyway because of the increasing frequency of "brute force or password spray attacks," according to the Exchange team. In the password spray scenario, attackers try commonly used passwords, like "password," across users in an organization to find an access point.

The blocking of basic authentication will only work for end users whose identities have already been replicated to Azure Active Directory or Exchange Online, Microsoft's announcement noted.

Moreover, it's only possible to block basic authentication when an organization is using certain e-mail client applications that support modern authentication. Microsoft's support document listed those client apps as follows:

Microsoft recommends disabling basic authentication "if your organization has no legacy email clients or doesn't want to allow legacy email clients."

The steps to enable or disable modern authentication are described in this support article. It apparently just involves running a PowerShell script.

Microsoft turns on modern authentication by default for users of Exchange Online, SharePoint Online and Skype for Business Online. However, modern authentication was apparently turned on by default for new Exchange Online hybrid tenancies starting back in August of last year. Older Office 365 tenancies didn't get this change, which implies they are still using basic authentication for some end users.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.


  • Microsoft Previews Windows VM Authentications via Azure Active Directory

    Microsoft on Thursday announced a preview of remote authentications into Windows-based Azure virtual machines (VMs) using Azure AD credentials.

  • Windows Server 20H1 Getting Smaller Containers and Faster PowerShell

    Microsoft is promising to deliver a smaller container size and improved PowerShell performance with its next release of Windows Server.

  • Microsoft Previews Microsoft Teams for Linux

    Microsoft on Tuesday announced a "limited preview" release of Microsoft Teams for certain Linux desktop operating systems.

  • Hyper-V Architecture: Some Clarifications

    Brien answers two thought-provoking reader questions. First, do Hyper-V VMs have direct hardware access? And second, how is it possible to monitor VM resource consumption from the host operating system?

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.