Microsoft Ending Autodiscover Authentications with Exchange Online

Microsoft is planning to turn off the ability to use Autodiscover to authenticate with Exchange Online for all tenancies, starting this year, according to a Wednesday announcement.

The Autodiscover authentication shutoff will happen "right away" this year for organizations that are no longer using Basic Authentication with the Exchange Online service. It'll happen in "early 2023" for all other organizations using Exchange Online.

Basic Authentication Support Dropped
Basic Authentication consists of a user name plus password for authentications. Microsoft had stopped supporting it last month for most Exchange Online users. However, some organizations may have opted for a three-month delay and are still using Basic Authentication.

If Basic Authentication isn't needed by an organization, then there's also no need to be using Autodiscover, Microsoft's announcement contended.

Microsoft ended support for Basic Authentication with Exchange Online because it can be exploited by so-called "password spray" attacks, where commonly used passwords are tried across an organization to gain a foothold. Microsoft didn't explain why it wants to block client authentications via Autodiscover, but Autodiscover has been leveraged to harvest plain text credentials, as exposed last year by security researchers at Guardicore Labs.

Autodiscover is designed to make it easier for a user's client application to configure itself for Exchange when the user has an e-mail address and password, according to Microsoft's documentation.

Microsoft also indicated that it won't be possible to reenable Autodiscover using a "self-service diagnostic" tool.

"On December 31, 2022, the self-service diagnostic will go away, and after that it won't be possible to re-enable anything," the announcement indicated.

Exchange Server CU and Support Notices
In other Exchange news this week, this time concerning users of Exchange Server 2019, Microsoft announced that it'll skip the cumulative update (CU) for that product that was expected to appear in the latter part of this year.

"There won't be an H2 2022 CU" for Exchange Server 2019, Microsoft indicated.

Microsoft typically releases two CUs per year for Exchange Server products, which are targeted for March (H1) and September (H2) releases.

The new plans are to ship an "H1 2023 CU" next year. It'll just be released for Exchange Server 2019, though, as "Exchange Server 2016 and Exchange Server 2013 are in Extended support, and there will be no more CUs for those versions," Microsoft explained.

Microsoft also reminded users of Exchange Server 2013 that it will be falling out of support on "April 11, 2023." Microsoft stops delivering security updates when product support reaches an end.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

