Microsoft Outlines Plans To End Basic Authentication in Exchange Online Next Year

Microsoft upped the stakes in its effort to end "Basic Authentication" with the Exchange Online e-mail service.

It plans to end support for Basic Authentication next year when used with various e-mail protocols, according to a Friday announcement. Those protocols include Exchange ActiveSync, Post Office Protocol (POP) and Internet Message Access Protocol (IMAP). Additionally, Microsoft will drop support for Remote PowerShell when used with the Exchange Online service.

Support will end on Oct. 13, 2020 for those e-mail protocols, as well as for Remote PowerShell used with Exchange Online. In addition, Basic Authentication in Exchange Web Services will end on that same Oct. 13, 2020 date, as previously described more than a year ago.

Microsoft earlier this month described an extended end-of-support date for Exchange Server 2010, which coincidentally lands on that same Oct. 13, 2020 date. For organizations keeping pace, the Exchange team recently published a detailed "best practices" post on Exchange Server migrations.

Microsoft's ending of Basic Authentication applies only to the Exchange Online service offered through Office 365 or Microsoft 365 subscription plans. It doesn't apply to organizations that use the "on-premises" Exchange Server products. The change also "does not affect SMTP AUTH," although Microsoft is working to enhance its security.

Switch to Modern Authentication
The trouble with Basic Authentication is that the credential it sends is the user's actual password, carried over older client protocols that, as used today, accept nothing more than a user name and password. Under Basic Authentication, the client transmits that user name and password with its requests, and the service grants access on the strength of that one secret, with no room for a second factor. That makes it a natural target for "password spray" attacks, in which attackers try a few commonly used passwords (such as "password") against a large number of accounts across an organization, staying under per-account lockout thresholds while hunting for a single foothold.
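As an added illustration, not part of the article, of what a password spray looks like in sign-in data and how it differs from a brute-force attempt against a single account, the following PowerShell runs over a constructed set of sign-in records for the Basic Authentication protocols the article names. The record layout, column names, thresholds, account names and IP addresses are all assumptions; real Exchange Online or Azure AD sign-in exports use different fields.

```powershell
# Added example (not from the article): flag a password-spray pattern in
# constructed sign-in records. A spray is one source trying a few passwords
# against MANY accounts (few failures per account); a brute force is many
# failures against ONE account. Column layout is an assumption, not a real
# Exchange Online or Azure AD export format.

$signIns = @'
Time,User,SourceIp,Protocol,Result
2019-09-20T08:00:01Z,alice@contoso.example,203.0.113.10,IMAP,Failure
2019-09-20T08:00:03Z,bob@contoso.example,203.0.113.10,IMAP,Failure
2019-09-20T08:00:05Z,carol@contoso.example,203.0.113.10,IMAP,Failure
2019-09-20T08:00:07Z,dave@contoso.example,203.0.113.10,IMAP,Failure
2019-09-20T08:00:09Z,erin@contoso.example,203.0.113.10,IMAP,Failure
2019-09-20T08:00:11Z,frank@contoso.example,203.0.113.10,IMAP,Success
2019-09-20T08:05:00Z,alice@contoso.example,198.51.100.7,ActiveSync,Success
2019-09-20T08:06:00Z,grace@contoso.example,192.0.2.44,POP,Failure
2019-09-20T08:06:10Z,grace@contoso.example,192.0.2.44,POP,Failure
2019-09-20T08:06:20Z,grace@contoso.example,192.0.2.44,POP,Failure
2019-09-20T08:06:30Z,grace@contoso.example,192.0.2.44,POP,Failure
2019-09-20T08:06:40Z,grace@contoso.example,192.0.2.44,POP,Failure
'@ | ConvertFrom-Csv

# Protocols the article lists as losing Basic Auth; only these accept a bare
# password today, so only these are worth spraying.
$LegacyProtocols = 'ActiveSync', 'POP', 'IMAP', 'EWS'

# Thresholds are assumptions; tune per tenant and per time window.
$MinDistinctUsers   = 5   # spray: at least this many accounts hit from one source
$MaxFailuresPerUser = 2   # spray: at most this many failures per account

$failures = $signIns | Where-Object {
    $_.Result -eq 'Failure' -and $LegacyProtocols -contains $_.Protocol
}

$report = foreach ($src in $failures | Group-Object SourceIp) {
    $perUser    = $src.Group | Group-Object User
    $users      = $perUser.Count
    $maxPerUser = ($perUser | Measure-Object Count -Maximum).Maximum
    $protocols  = ($src.Group.Protocol | Sort-Object -Unique) -join ';'

    # Any account that then succeeded from the same source is the likely
    # compromised one; that is the account to reset and investigate first.
    $hits = $signIns |
        Where-Object { $_.SourceIp -eq $src.Name -and $_.Result -eq 'Success' } |
        Select-Object -ExpandProperty User

    $verdict = 'benign'
    if ($maxPerUser -gt $MaxFailuresPerUser) { $verdict = 'brute force (single account)' }
    if ($users -ge $MinDistinctUsers -and $maxPerUser -le $MaxFailuresPerUser) { $verdict = 'PASSWORD SPRAY' }

    [pscustomobject]@{
        SourceIp       = $src.Name
        DistinctUsers  = $users
        MaxFailPerUser = $maxPerUser
        Protocols      = $protocols
        Verdict        = $verdict
        SucceededAfter = ($hits -join ';')
    }
}

$report | Sort-Object DistinctUsers -Descending | Format-Table -AutoSize
```

On the constructed data this reports 203.0.113.10 as a spray over IMAP (five accounts, one failure each, then a success for frank, who needs a password reset) and 192.0.2.44 as a brute force against grace alone. The point of the two thresholds is that lockout policies catch the second pattern but not the first, which is why the protocol-level fix (no password, token plus MFA) matters more than stricter lockouts.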

Microsoft wants organizations using Exchange Online to switch to a so-called "modern authentication" approach. Modern authentication is based on OAuth 2.0 access tokens obtained through the Active Directory Authentication Library (ADAL): the client authenticates to the identity provider, receives a token and presents that token to the mail service instead of the user's password. Because the identity provider issues the token, it can demand multifactor authentication, in which a secondary challenge besides a password is used to verify a user's identity, before handing one out. Basic Authentication, which only ever passes the password itself to the service, has no equivalent hook and so doesn't support multifactor authentication.

The end of Basic Authentication in Exchange Online will cause pain for some organizations, but they'll gain security along the way if they switch to modern authentication, Microsoft argued:

We know the change from Basic Auth to Modern Auth will potentially cause some disruption. For some users, any time they have to do something different, it's challenging for them, but we want to do this together to improve security and protect your data and your users' data. Disabling Basic Authentication and requiring Modern Authentication with MFA is one of the best things you can do to improve the security of data in your tenant, and that has to be a good thing.

Microsoft's announcement included a few recommendations. It advised organizations to use Outlook Mobile clients to connect with Exchange Online, which is considered to be a good option for organizations that are still using Exchange ActiveSync-based clients. In addition, IT pros using remote PowerShell to connect to Exchange Online should consider switching to PowerShell within the Azure Cloud Shell, apparently because the shell version supports multifactor authentication.

Future Efforts
Microsoft is working on remedies to ease some Basic Authentication end pains. For instance, it's working on "adding OAuth support to both POP and IMAP in the next few months," although using OAuth with those e-mail protocols will require updating e-mail client apps. It's also making investments to improve the multifactor authentication module when used with remote PowerShell.

Lastly, Microsoft is promising that it'll be easier for Exchange Online tenants to discover their use of Basic Authentication via a new tool that will be coming "soon." While the tool isn't available yet, the process to disable Basic Authentication is already documented in this recently updated article.
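The following PowerShell is an added example of a staged Basic Authentication disable, not code from the article or from Microsoft's documentation. It assumes the ExchangeOnlineManagement module (the MFA-capable successor to classic remote PowerShell) is installed and that the operator holds Exchange admin rights; the policy name, tenant domain and pilot accounts are placeholders. It leaves SMTP AUTH enabled only because the article notes that protocol is outside this change; where nothing actually submits mail over SMTP AUTH it should be turned off as well, since it is just as sprayable.

```powershell
# Added example, not from the article or Microsoft's docs: block Basic Auth in
# Exchange Online with an authentication policy, first for a pilot group and
# then tenant-wide. Assumes the ExchangeOnlineManagement module and an Exchange
# admin account; names and domain are placeholders.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # interactive sign-in, MFA prompt

$PolicyName = 'Block Basic Auth'

# New-AuthenticationPolicy creates a policy with every AllowBasicAuth* switch
# turned off (ActiveSync, Autodiscover, IMAP, MAPI, POP, PowerShell, RPC,
# SMTP, EWS, ...). Re-enable only SMTP, since the article says SMTP AUTH is
# out of scope for this change; drop that line once nothing needs it.
if (-not (Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $PolicyName | Out-Null
}
Set-AuthenticationPolicy -Identity $PolicyName -AllowBasicAuthSmtp:$true

# Stage 1: pilot. Assign the policy to a few users and watch for broken
# clients (old ActiveSync devices, scripted POP/IMAP pulls, scanners).
$pilot = 'alice@contoso.example', 'bob@contoso.example'
foreach ($upn in $pilot) {
    Set-User -Identity $upn -AuthenticationPolicy $PolicyName
    # Policy assignment can take up to 24 hours to take effect; resetting the
    # token timestamp forces re-evaluation within minutes.
    Set-User -Identity $upn -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)
}

# Stage 2: make it the tenant default. Every user without an explicit policy
# inherits it; anyone with a genuine exception gets a separate, narrower
# policy rather than being left on the old default.
Set-OrganizationConfig -DefaultAuthenticationPolicy $PolicyName

# Verify what is actually in force: the policy's switches, and how many users
# sit on each policy (an empty Name means "inheriting the tenant default").
Get-AuthenticationPolicy -Identity $PolicyName | Select-Object Name, AllowBasicAuth*
Get-User -ResultSize Unlimited | Group-Object AuthenticationPolicy | Select-Object Name, Count

Disconnect-ExchangeOnline -Confirm:$false
```

Run Stage 1 on its own first; the pilot users are the ones whose mailboxes and devices you can inspect when something stops syncing. Stage 2 is a single line but it is the one that affects every account that has never been looked at, so keep the per-user assignment from Stage 1 in place as a record of who was tested.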

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
