Basic Auth will be disabled for MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS), and Remote PowerShell.
Microsoft has issued yet another reminder to its customers, urging them to move off of Basic Auth, a legacy authentication method used across several protocols under Exchange Online. The change will take effect on October 1, 2022.
In the three years since Microsoft announced it would shift away from Basic Auth, the company has twice prompted customers to move away from the HTTP-based auth scheme. Redmond said it would disable basic auth for random tenants starting next month.
Basic auth will be disabled for MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS), and Remote PowerShell. “We recognize that, unfortunately, there are still many tenants unprepared for this change,” Microsoft said.
“Despite multiple blog posts, Message Center posts, interruptions of service, and coverage via tweets, videos, conference presentations and more, some customers are still unaware this change is coming. There are also many customers aware of the deadline who simply haven’t done the necessary work to avoid an outage.”
The company noted that millions of tenants have already moved away from basic auth and its limitations for email protocols, such as complicated multi-factor authentication, and adopted Modern Authentication. However, millions are yet to do so.
Relevant customers who haven’t moved to Modern Authentication should keep an eye out for a message/post on the Windows Message Center. Microsoft will share the details about disabling basic auth seven days in advance. The company will also post Service Health Dashboard notifications for each tenant on the day of the change.
Customers who weren’t aware of the security changes that Microsoft has been pushing for years, or who need more than a month to figure out the transition for Exchange Online, can avail themselves of a three-month extension until the end of December 2022. However, it is applicable only once per protocol.
“If you already know you need more time and wish to avoid the disruption of having basic auth disabled, you can run the diagnostics during the month of September, and when October comes, we will not disable basic for protocol(s) you specify,” Microsoft added.
“If you do not want basic for a specific protocol or protocols disabled in October, you can use the same self-service diagnostic in the month of September.”
Microsoft’s push for Modern Authentication stems from several limitations and the fact that basic auth has become obsolete in terms of security. Being HTTP-based and designed to send credentials in plain text to online systems and services, the legacy authentication method is already at a disadvantage against credential theft and remote third-party access risks, not to mention man-in-the-middle attacks.
On the other hand, the OAuth 2.0-based Modern Authentication is Microsoft’s blanket term for multiple technology- and age-appropriate authentication and authorization methods. These include MFA, smart cards, certificate-based authentication (CBA), and third-party Security Assertion Markup Language (SAML) identity providers.
Microsoft’s general manager for Microsoft 365, Seth Patton, pointed out that 921 password attacks are perpetrated every second (double from 2021), 99% of which use legacy authentication protocols such as basic auth.
Additionally, 97% of credential stuffing attacks exploit legacy authentication, and those who have already disabled legacy authentication methods are compromised 67% less often than those who have not.
“Please understand we will be disabling basic auth for all tenants permanently in January 2023, regardless of their opt-out status,” Microsoft warned.
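To see which of the protocols listed above a tenant still relies on before the cutoff, an administrator can summarize exported sign-in records by client app. The following is an added example, not code from Microsoft or from this article: it assumes a JSON export using the Azure AD sign-in log fields `userPrincipalName`, `clientAppUsed` and `status.errorCode`, assumes those `clientAppUsed` labels indicate legacy authentication, and runs on constructed sample records.

```python
import json
from collections import defaultdict

# Assumption: clientAppUsed labels from Azure AD sign-in logs, mapped to the
# protocol names the article lists as losing Basic Auth.
LEGACY_CLIENT_APPS = {
    "MAPI Over HTTP": "MAPI",
    "Outlook Anywhere (RPC over HTTP)": "RPC",
    "Offline Address Book": "OAB",
    "Exchange Web Services": "EWS",
    "POP3": "POP",
    "IMAP4": "IMAP",
    "Exchange ActiveSync": "EAS",
    "Exchange Online PowerShell": "Remote PowerShell",
}

# Constructed sample export (not real tenant data). errorCode 0 means success.
SAMPLE_SIGNINS = json.loads("""
[
 {"userPrincipalName": "scanner@example.com", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
 {"userPrincipalName": "alice@example.com", "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 0}},
 {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser", "status": {"errorCode": 0}},
 {"userPrincipalName": "bob@example.com", "clientAppUsed": "POP3", "status": {"errorCode": 50126}},
 {"userPrincipalName": "bob@example.com", "clientAppUsed": "POP3", "status": {"errorCode": 50126}},
 {"userPrincipalName": "scripts@example.com", "clientAppUsed": "Exchange Online PowerShell", "status": {"errorCode": 0}}
]
""")

def legacy_usage(records):
    """Per legacy protocol: accounts that signed in successfully (a dependency
    to migrate) and the count of failed attempts (possible password guessing)."""
    report = defaultdict(lambda: {"users": set(), "failed": 0})
    for rec in records:
        protocol = LEGACY_CLIENT_APPS.get(rec.get("clientAppUsed"))
        if protocol is None:
            continue  # browser and other modern-auth clients are out of scope
        if (rec.get("status") or {}).get("errorCode") == 0:
            report[protocol]["users"].add(rec.get("userPrincipalName", "unknown"))
        else:
            report[protocol]["failed"] += 1
    return {p: {"users": sorted(v["users"]), "failed": v["failed"]}
            for p, v in sorted(report.items())}

if __name__ == "__main__":
    for protocol, info in legacy_usage(SAMPLE_SIGNINS).items():
        print(f"{protocol}: users={info['users']} failed_attempts={info['failed']}")
```

Protocols with successful users are the ones that need migration work or the one-time extension; protocols showing only failed attempts are not in legitimate use and can be shut off early.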
Asst. Editor, Spiceworks Ziff Davis