Microsoft allows 3-month reprieve before ending basic authentication for Exchange Online users
By Kurt Mackie
Microsoft still intends to disable Basic Authentication for Exchange Online users on October 1, but it is offering a possible grace period of about three months before ending it altogether.
The new milestones for Exchange Online users were described in this Thursday post from the Microsoft Tech Community by the exchange team. Organizations will need to run a so-called “self-service diagnostic” this month if they want to delay Microsoft disabling basic authentication on October 1. However, even with such deferrals specified using the Self-Service Diagnostic Tool, Microsoft is still planning to end Basic Authentication “permanently”, effective January 1, 2023.
Some organizations may have already used the self-service diagnostic tool to block basic authentication from being disabled, but the message from the Exchange team said these organizations will need to do it again this month if they really need an extension.
Here is the expression of the exchange teams for this purpose:
Today we have archived all previous reactivation and deactivation requests. If you have already disabled or re-enabled Basic Authentication for certain protocols, you will need to follow the steps below during September to indicate that you want us to leave something enabled for Basic Authentication after October 1.
Even still, organizations that struggle to continue using basic authentication will face a screeching halt in January.
“Please understand that we will be will permanently disable basic authentication for all tenants in January 2023, regardless of their opt-out status,” the Exchange team clarified.
Microsoft has used its message center seen by IT professionals to communicate its plans to end support for basic authentication in Exchange Online. Even though IT professionals have been receiving such messages every month since October 2021, achieving full compliance has been difficult, the Exchange team admitted.
Some organizations may not have a clue how basic authentication is used in their environments. However, on the client side, organizations can easily tell that they are using Basic Authentication if the login dialog looks like the following image:
Microsoft’s intent in eliminating Basic Authentication for Exchange Online is to improve security. The basic authentication approach simply involves a username and password, which are subject to so-called “password spraying” attacks (trying passwords that are easy to guessing in an organization to gain a foothold).
It’s true that Microsoft has repeatedly moved goal posts about its plans to block Basic Authentication in past communications. Its plans for the end of October basic authentication were last reiterated in May. This is a big problem because some organizations that still use it will have their email blocked when basic authentication is complete.
Probably, however, Microsoft means so, this time by permanently removing basic authentication in January. Skeptical IT professionals can read a statement of intent in this Thursday post by Seth Pattongeneral manager of Microsoft 365.
Patton urged IT pros to check Microsoft 365 message center posts about the issue. He also explained why Microsoft plans to permanently block basic authentication in January, citing Microsoft security research:
Our own research found that more than 99% of password spray attacks exploit the presence of Basic Authentication. The same study found that over 97% of credential stuffing attacks also use legacy authentication. Customers who disabled Basic Authentication experienced 67% fewer compromises than those still using it.
Most new apps will use what’s called “modern authentication,” based on OAuth 2.0, which is considered more secure, Patton explained. Updating client applications can be an easy way for organizations to get rid of using basic authentication.
Blocking preview for Microsoft 365 Apps
The Exchange team briefly noted that Microsoft has released a preview for Microsoft 365 users that “changes the default behavior of Office apps to block login prompts using Basic Authentication.” In such cases, users will see a message explaining that “the file has been blocked because it uses a connection method that may not be secure”.
This Basic Authentication blocking preview was rolled out in August for Microsoft 365 version 2208 users, according to this Microsoft document. It will also be available at some point in “retail versions of Office 2021, Office 2019, and Office 2016,” the document says.