News

Microsoft To End Basic Authentication for Exchange Online in October

• By Kurt Mackie
• 05/04/2022

Microsoft this week again appealed to organizations using Exchange Online to move away from using "Basic Authentication," reminding them that support for it will get dropped, starting on Oct. 1, 2022.

The ending of Basic Authentication support will be gradual, but complete shutoff is expected to be completed by year's end for Exchange Online users. When support ends, client applications trying to use Basic Authentication for connecting with Exchange Online will show an error message, namely "HTTP 401 error: bad username or password," the announcement explained.

Microsoft really means it regarding the Oct. 1 end date for Basic Authentication, stating that "there is no way to request an exception after October."

Password Spray Attacks
Basic Authentication involves the sending of simple user names and passwords for access requests. It's still used by client applications tapping Exchange Online e-mail services. However, Basic Authentication can be subject to so-called "password spray" attacks, where easily guessed passwords get tried across organizations to gain a foothold.

Microsoft has been prodding organizations for maybe a couple of years to switch to so-called "Modern Authentication" for clients accessing Exchange Online.

Here's Microsoft's definition of Modern Authentication, per this document:

Modern authentication in Exchange Online enables authentication features like multi-factor authentication (MFA), smart cards, certificate-based authentication (CBA), and third-party SAML identity providers. Modern authentication is based on the Active Directory Authentication Library (ADAL) and OAuth 2.0.

October 1 will kick off the period in which Microsoft will start to turn off Basic Authentication for Exchange Online tenancies. It'll be a gradual process, and Microsoft plans to send IT pros notices seven days in advance through the Message Center when they are next.

Protocols Affected
Basic Authentication will get turned off for "the following protocols: MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, and Remote PowerShell," the announcement explained.

Microsoft has carved out an exception for the SMTP AUTH protocol. If it's being used, Microsoft "won't touch it," but recommends that organizations disable it.

Organizations may not know if they are using Basic Authentication with Exchange Online. Microsoft suggested filtering for "Legacy Authentication Clients" in the events log of Azure Active Directory to detect Basic Authentication use:

Azure AD sign-in events is the best place to look (filter by client app, then in the client app filter, check the boxes for the affected protocols under Legacy Authentication Clients). Check out this post for more info.

Organizations can use Authentication Policies in Exchange Online to disable Basic Authentication, as described in this Microsoft Document. It's done using Exchange Online PowerShell.

Surprisingly, Microsoft isn't yet disabling Autodiscover use with Exchange Online. Here's how the announcement explained it:

You might notice that that we're not disabling Autodiscover at this time. That's something we'll do once the clients that depend on it are using Modern Auth, but it's also something you can do for yourself with Authentication Policies.

Autodiscover sets up automatic configurations for clients accessing Exchange. However, researchers at Guardicore Labs showed last year that it could be abused to gather "domain credentials in plain text."