Recently, Microsoft announced a significant update: “Basic Authentication retirement for legacy protocols in Exchange Online.”
In short, there will be no more Basic Authentication for the following protocols when accessing Exchange Online:
- EWS (Exchange Web Services)
- EAS (Exchange ActiveSync)
- RPS (Remote PowerShell)
Basic Authentication in Exchange Online:
Microsoft has planned to end Basic Authentication in Exchange Online from Oct 13, 2020.
Most client apps use Basic Authentication to connect to servers, services, and endpoints as it is simple to set up. Basic Authentication in Exchange Online sends username and password with every client access request.
The trouble with Basic Authentication is that it is easily compromised through brute-force or password-spray attacks, because a single static password is presented on every request. To protect our environment from this threat, we need to move to a better option.
No more Basic Authentication in Exchange Online – How does this affect me?
From Oct. 13, 2020, client apps that use any of the above-mentioned legacy protocols won’t be able to connect to Exchange Online using Basic Authentication.
Alternative to Basic Authentication – Switch to Modern Authentication:
The best solution is moving to the Modern Authentication approach. Modern Authentication is based on the Active Directory Authentication Library (ADAL) and OAuth 2.0 tokens.
Modern Authentication (which is OAuth 2.0 token-based auth) has many benefits that overcome the issues present in Basic Auth. OAuth tokens have a limited usable lifetime and are specific to the application they are issued for, so a captured token can’t simply be reused elsewhere. This makes it a more secure and reliable approach than Basic Authentication.
What do I need to do to Prepare for this Change?
There are several actions that you and your users can take to avoid service disruptions on client applications, and we describe them below.
- You can start updating the client applications your users rely on to versions that support OAuth 2.0.
- If you have written your own code using these protocols with Basic Authentication, you will need to update your code to use OAuth 2.0.
- If you are using a 3rd-party application, you either need to reach out to the 3rd-party app developer to update the application to support OAuth 2.0, or switch to an application that already supports OAuth 2.0.
- RPS: Are you a tenant administrator who spends a lot of time in Remote PowerShell to access Exchange Online? You can use Azure Cloud Shell to connect to Exchange Online, as it supports multi-factor authentication (MFA).
- Exchange ActiveSync: If your organization is still using Exchange ActiveSync, you can use Outlook Mobile clients to connect to Exchange Online.
- IMAP/POP: Microsoft is planning to add OAuth support to both IMAP and POP in a few months. If you want to keep using these protocols, you will need to update the app to one that supports Modern Auth.
How to Discover Basic Auth Connections?
As a tenant admin, you probably have the question – How do I know who is using Basic Authentication in my tenant? Microsoft has already answered your question. Yes, Microsoft has planned to release a tool that lists users and client applications that use Basic Authentication to connect to Exchange Online. It is anticipated to be released in the next few months. We will update here once the tool is available.
- This change does not impact SMTP AUTH – Microsoft continues supporting Basic Authentication for the time being.
- This change doesn’t affect Exchange Server on-premises products.
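Until that tool ships, one way to take a first pass at the discovery question above is to triage your own sign-in records for the protocols this post lists. The script below is an added example, not the post’s or Microsoft’s code; it assumes records shaped like an Azure AD sign-in log export (the `userPrincipalName`, `clientAppUsed`, `createdDateTime` and `status.errorCode` fields and the protocol labels are assumptions), and the sample lines are constructed.

```python
import json
from collections import defaultdict

# Protocols the post names as losing Basic Auth on Oct 13, 2020, plus the ones it
# calls out as pending OAuth support (IMAP/POP) or unaffected (SMTP AUTH).
# The label strings are assumed values for the clientAppUsed field.
LEGACY_CLIENT_APPS = {
    "Exchange Web Services": "retired Oct 13, 2020",
    "Exchange ActiveSync": "retired Oct 13, 2020",
    "Remote PowerShell": "retired Oct 13, 2020",
    "IMAP4": "OAuth support planned; update client",
    "POP3": "OAuth support planned; update client",
    "Authenticated SMTP": "not affected by this change",
}

# Constructed sample records (one JSON object per line); errorCode 0 = success.
SAMPLE_SIGNINS = """
{"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Exchange ActiveSync", "appDisplayName": "Office 365 Exchange Online", "createdDateTime": "2020-09-01T08:02:11Z", "status": {"errorCode": 0}}
{"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Mobile Apps and Desktop clients", "appDisplayName": "Outlook Mobile", "createdDateTime": "2020-09-01T08:05:40Z", "status": {"errorCode": 0}}
{"userPrincipalName": "svc-backup@contoso.example", "clientAppUsed": "Exchange Web Services", "appDisplayName": "Office 365 Exchange Online", "createdDateTime": "2020-09-01T09:15:00Z", "status": {"errorCode": 0}}
{"userPrincipalName": "svc-backup@contoso.example", "clientAppUsed": "Exchange Web Services", "appDisplayName": "Office 365 Exchange Online", "createdDateTime": "2020-09-02T09:15:03Z", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP4", "appDisplayName": "Office 365 Exchange Online", "createdDateTime": "2020-09-02T10:00:00Z", "status": {"errorCode": 50126}}
{"userPrincipalName": "scanner@contoso.example", "clientAppUsed": "Authenticated SMTP", "appDisplayName": "Office 365 Exchange Online", "createdDateTime": "2020-09-02T11:30:00Z", "status": {"errorCode": 0}}
"""


def legacy_auth_report(lines, successful_only=True):
    """Return sorted (user, protocol, count, last_seen, impact) tuples for every
    user/protocol pair that signed in over one of the legacy (Basic Auth) protocols.
    Failed attempts are skipped by default: they matter for spray detection, but
    only successful legacy sign-ins tell you which clients will break."""
    usage = defaultdict(lambda: {"count": 0, "last_seen": ""})
    for raw in lines.splitlines():
        if not raw.strip():
            continue
        rec = json.loads(raw)
        proto = rec.get("clientAppUsed")
        if proto not in LEGACY_CLIENT_APPS:
            continue  # browser / Outlook Mobile / other modern-auth clients are fine
        if successful_only and rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        entry = usage[(rec["userPrincipalName"], proto)]
        entry["count"] += 1
        # ISO 8601 timestamps in the same zone compare correctly as strings.
        entry["last_seen"] = max(entry["last_seen"], rec["createdDateTime"])
    return sorted((u, p, v["count"], v["last_seen"], LEGACY_CLIENT_APPS[p])
                  for (u, p), v in usage.items())


if __name__ == "__main__":
    for row in legacy_auth_report(SAMPLE_SIGNINS):
        print("%-28s %-22s %3d  last %s  -> %s" % row)
```

Run it against your own export instead of SAMPLE_SIGNINS; the service account with repeated EWS sign-ins is the kind of client this post says you must update before the cutoff.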
It’s a great initiative. At the same time, changing from Basic Authentication to Modern Authentication will cause some disruption and will be challenging. But together, we need to plan for this change to protect our data.
Are you ready for the change? Which method are you going to implement in your organization? Please share your experience/difficulties during Modern Authentication adoption in the comment section to assist other admins.