
Basic Authentication Extended to 2H 2021 for Exchange Online Users

Microsoft is now planning to disable Basic Authentication use with its Exchange Online service sometime in the "second half of 2021," according to a Friday announcement.

The end date for Basic Authentication on Exchange Online previously was Oct. 13, 2020, but Microsoft is now pushing it out due to uncertainties surrounding the "COVID-19 crisis." A more precise end-of-support date will be announced later, the announcement added.

The extension is just for organizations currently using Basic Authentication with Exchange Online. New Exchange Online tenancies will still get Basic Authentication disabled by default. Microsoft also will disable Basic Authentication if it detects that Basic Authentication isn't being used.

Organizations using Exchange Server on-premises or in "hybrid" scenarios aren't subject to Microsoft's end-of-support change.

Organizations dealing with the end of Basic Authentication likely will experience some pains in upgrading systems. The change affects their use of Remote PowerShell. They'll also have to check which Outlook clients are used with the Exchange Online service. Outlook 2016 and Outlook for Mac 2016 and newer clients don't use Basic Authentication, but older Outlook clients may be using it.

Microsoft specifically wants to end Basic Authentication support when it's used with protocols such as Exchange ActiveSync, Post Office Protocol (POP) and Internet Message Access Protocol (IMAP).

Microsoft instead wants Exchange Online users to switch to so-called "modern authentication," which is based on OAuth 2.0 tokens and the Active Directory Authentication Library.

Microsoft did indicate back in February of last year that it had completed work on OAuth support for Office 365 tenancies using both POP and IMAP e-mail protocols, but the rollout status wasn't described. A few new details in that respect were added in Microsoft's Friday announcement:

We will also continue to complete the roll-out of OAuth support for POP, IMAP, SMTP AUTH and Remote PowerShell and continue to improve our reporting capabilities. We will publish more details on these as we make progress.

Basic Authentication is a simple name-plus-password user authentication approach that's based on older protocols. It's subject to "password spray" attacks, though, in which weak and commonly used passwords are tried across an organization by attackers to gain a foothold. Basic Authentication also doesn't support multifactor authentication, a secondary means of verifying user identities, which Microsoft recommends for organizations.
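A password spray over Basic Authentication has a recognizable shape in sign-in records: one source fails against many accounts with only a try or two each. The following Python sketch is an added example, not code from Microsoft or from this article. The CSV layout, addresses, account names and thresholds are constructed assumptions, and the protocol set is taken from the protocols named above.

```python
from collections import defaultdict

# Protocols the article names as carrying Basic Authentication.
LEGACY = {"ActiveSync", "POP", "IMAP", "SMTP AUTH", "Remote PowerShell"}

# Constructed sample records in a hypothetical CSV layout (not a Microsoft schema):
# timestamp,source_ip,user,protocol,result
SAMPLE_LOG = """\
2020-04-06T09:00:01Z,203.0.113.7,alice@example.com,IMAP,FAILURE
2020-04-06T09:00:03Z,203.0.113.7,bob@example.com,IMAP,FAILURE
2020-04-06T09:00:05Z,203.0.113.7,carol@example.com,POP,FAILURE
2020-04-06T09:00:07Z,203.0.113.7,dave@example.com,POP,FAILURE
2020-04-06T09:00:09Z,203.0.113.7,erin@example.com,IMAP,SUCCESS
2020-04-06T09:05:00Z,198.51.100.20,bob@example.com,ActiveSync,FAILURE
2020-04-06T09:05:10Z,198.51.100.20,bob@example.com,ActiveSync,FAILURE
2020-04-06T09:05:20Z,198.51.100.20,bob@example.com,ActiveSync,FAILURE
2020-04-06T09:05:30Z,198.51.100.20,bob@example.com,ActiveSync,SUCCESS
2020-04-06T09:10:00Z,192.0.2.50,frank@example.com,OAuth,FAILURE
"""


def parse(log_text):
    """Yield one dict per non-empty CSV line."""
    fields = ("ts", "ip", "user", "protocol", "result")
    for line in log_text.splitlines():
        if line.strip():
            yield dict(zip(fields, (f.strip() for f in line.split(","))))


def find_spray_sources(events, min_users=4, max_tries_per_user=2):
    """Flag IPs failing against many accounts, few tries each, over legacy protocols."""
    failed = defaultdict(lambda: defaultdict(int))   # ip -> user -> failure count
    succeeded = defaultdict(set)                     # ip -> users that signed in
    for e in events:
        if e["protocol"] not in LEGACY:
            continue                                 # token-based sign-ins are out of scope here
        if e["result"] == "FAILURE":
            failed[e["ip"]][e["user"]] += 1
        elif e["result"] == "SUCCESS":
            succeeded[e["ip"]].add(e["user"])
    report = {}
    for ip, per_user in failed.items():
        # Many users with a low per-user count separates a spray from one user
        # repeatedly mistyping a password (or a single-account brute force).
        if len(per_user) >= min_users and max(per_user.values()) <= max_tries_per_user:
            report[ip] = {"targeted": sorted(per_user),
                          "signed_in": sorted(succeeded[ip])}
    return report
```

Calling find_spray_sources(parse(SAMPLE_LOG)) flags only 203.0.113.7, and its "signed_in" list names the account that authenticated from the same source, which is the one to reset and review first.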

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
