“Basic Auth is still one of, if not the most common ways our customers get compromised, and these types of attacks are increasing.” ~Microsoft Exchange Team
Basic Authentication is the familiar prompt for a username and password; you’ve probably typed them in thousands of times. But it’s no longer good enough: it doesn’t support multifactor authentication, it offers no defence against brute-force and password-spraying attacks, and the application you use has to hold your actual username and password and send them with every request.
The alternative is Modern Authentication. This uses the Active Directory Authentication Library (ADAL) and OAuth 2.0. Your apps no longer need to store your password; instead they hold time-limited tokens, and because the sign-in itself happens at the identity provider it can require multifactor authentication to confirm that you are the legitimate account-holder.
In Nexus365’s console we see Basic Authentication logins as ‘legacy authentication clients’ in our sign-in logs. And the thing about anything that starts to be described as ‘legacy’ is that it is going to fall out of support. Microsoft have delayed that date before, but the security risk of doing nothing has forced their hand. They have announced that they will start forcibly turning off Basic Authentication in Office 365 tenancies from 1st October 2022, and all tenancies will have it disabled by the end of the year.
This means that we need to be ready. There are fewer than 150 days to go. We can’t ask them where we will be in the list, and we can’t ask them to postpone. So we have to assume that Basic Authentication will cease to be supported from 1st October. We might get a few more days than that, but we might not.
- Outlook 2013 – the oldest client which can use Modern Authentication (OAuth 2.0). This requires two registry values under HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Identity: EnableADAL = 1 and Version = 1.
- Outlook 365, Outlook 2016, Outlook 2019 – Modern Authentication is supported out of the box. For a very slight speed improvement you can tell Outlook to attempt a Modern Authentication connection first: under HKEY_CURRENT_USER\Software\Microsoft\Exchange set the value AlwaysUseMSOAuthForAutoDiscover = 1. Further details here: https://docs.microsoft.com/en-us/exchange/troubleshoot/administration/modern-authentication-configuration
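The registry settings above, applied from PowerShell on the user’s machine. This is an added example, not code from the Nexus365 post or from Microsoft; it assumes it runs as the affected user (HKCU), that the presence of the Office 15.0 key is a good enough sign that Outlook 2013 is installed, and that the Office 15.0 Identity key path is the documented location for the two Outlook 2013 values. The Autodiscover value is written unconditionally because it applies to all supported Outlook versions.

```powershell
# Added example (not from the Nexus365 post): apply the Outlook Modern Authentication
# registry values described above. Assumptions: run as the user whose profile you are
# fixing (HKCU), Outlook 2013 detected by the Office 15.0 key.

function Set-RegistryDword {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int]    $Value
    )
    # Create the key if it does not exist yet (e.g. a fresh profile)
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null

    # Read the value back and confirm it actually landed before reporting success
    $actual = (Get-ItemProperty -Path $Path -Name $Name).$Name
    if ($actual -ne $Value) {
        throw "Failed to set $Path\$Name (wanted $Value, got $actual)"
    }
    "$Path\$Name = $actual"
}

# Outlook 2013 (Office 15.0): turn on ADAL so the client uses OAuth 2.0 instead of Basic.
# Heuristic (assumption): only do this if the Office 15.0 key is present.
$office2013 = 'HKCU:\Software\Microsoft\Office\15.0'
if (Test-Path $office2013) {
    $identity = Join-Path $office2013 'Common\Identity'
    Set-RegistryDword -Path $identity -Name 'EnableADAL' -Value 1
    Set-RegistryDword -Path $identity -Name 'Version'    -Value 1
}

# Outlook 2016/2019/365: Modern Auth is already on; this makes Autodiscover try OAuth
# first rather than going through a Basic Auth attempt on the way.
Set-RegistryDword -Path 'HKCU:\Software\Microsoft\Exchange' `
                  -Name 'AlwaysUseMSOAuthForAutoDiscover' -Value 1
```

Outlook reads these values at start-up, so restart it after running the script. For a fleet of machines the same values are better delivered by Group Policy Preferences or Intune than by running this per user, but the read-back check is still worth keeping in whatever you deploy.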
Basic Authentication will also be turned off for the following protocols:
- Remote PowerShell
SMTP AUTH is the exception: Microsoft will only turn it off in tenancies where nobody is using it, so it will stay on for us as long as something in our tenancy is still sending with it.
What will happen if I do nothing?
Applications which rely on Basic Authentication will no longer be able to connect. The server returns HTTP 401 Unauthorized, which most clients show as ‘bad username or password’, even though the credentials themselves are correct.
What should I do?
Reconfigure your apps to use Modern Authentication. Both POP and IMAP can use OAuth, for example, but you need a client that is recent enough to know about OAuth. The same applies to EWS apps and ActiveSync: the protocols support Modern Authentication, but the application may need to be updated or reconfigured so that it no longer makes Basic Authentication requests after September. If you have Teams Rooms devices, bear these factors in mind.
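Before reconfiguring anything you need to know which accounts are still signing in with Basic Authentication, which is what the ‘legacy authentication clients’ view in the sign-in logs mentioned earlier tells you. The following is an added example, not code from the Nexus365 post, that does that triage over a downloaded sign-in log. It assumes the column names of the Azure AD portal’s CSV export (‘Date (UTC)’, ‘User’, ‘Client app’, ‘Status’) and that the ‘Client app’ values Azure AD files under legacy authentication are the ones listed; the log rows themselves are constructed, not real tenancy data.

```powershell
# Added example (not from the Nexus365 post): find accounts still using legacy
# (Basic Auth) clients in an exported Azure AD sign-in log. Column names assumed to
# match the portal CSV export; sample rows below are constructed.

# 'Client app' values that Azure AD reports as legacy authentication clients
$LegacyClientApps = @(
    'Authenticated SMTP', 'Autodiscover', 'Exchange ActiveSync',
    'Exchange Online PowerShell', 'Exchange Web Services', 'IMAP4',
    'MAPI Over HTTP', 'Offline Address Book', 'Outlook Anywhere (RPC over HTTP)',
    'Outlook Service', 'POP3', 'Reporting Web Services', 'Other clients'
)

function Get-LegacyAuthUsers {
    param([Parameter(Mandatory)] [object[]] $SignIns)
    # Keep only rows whose client is a legacy protocol, then roll them up per user.
    # Failed attempts are kept too: something is still trying, and will keep failing.
    $SignIns |
        Where-Object { $LegacyClientApps -contains $_.'Client app' } |
        Group-Object 'User' |
        ForEach-Object {
            [pscustomobject]@{
                User       = $_.Name
                SignIns    = $_.Count
                ClientApps = ($_.Group.'Client app' | Sort-Object -Unique) -join ', '
                LastSeen   = ($_.Group.'Date (UTC)' | Sort-Object | Select-Object -Last 1)
            }
        } |
        Sort-Object SignIns -Descending
}

# Constructed sample in the shape of the portal's CSV export (not real data)
$sampleCsv = @'
Date (UTC),User,Application,Client app,Status
2022-05-03T08:12:44Z,alice@example.ac.uk,Office 365 Exchange Online,IMAP4,Success
2022-05-03T08:13:02Z,bob@example.ac.uk,Office 365 Exchange Online,Mobile Apps and Desktop clients,Success
2022-05-03T09:40:17Z,alice@example.ac.uk,Office 365 Exchange Online,Exchange ActiveSync,Success
2022-05-03T10:05:51Z,roomsystem@example.ac.uk,Office 365 Exchange Online,Exchange Web Services,Success
2022-05-03T11:21:09Z,carol@example.ac.uk,Office 365 Exchange Online,Browser,Success
2022-05-03T11:59:30Z,alice@example.ac.uk,Office 365 Exchange Online,IMAP4,Failure
'@

$signIns = $sampleCsv | ConvertFrom-Csv
# Expected: alice (IMAP4 + ActiveSync, 3 sign-ins) and roomsystem (EWS, 1);
# bob and carol use modern clients and are not listed.
Get-LegacyAuthUsers -SignIns $signIns | Format-Table -AutoSize
```

To run it on real data, download the sign-in log from the Azure AD portal as CSV, replace `$signIns` with `Import-Csv .\SignIns.csv`, and work through the resulting list: each user or service account it names is a device or application that will start getting 401 responses once Basic Authentication is turned off.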