Basic Authentication Dead for Exchange Online Connections

Microsoft Announces Deprecation of Basic Auth for Multiple Connection Protocols

Following the introduction of protocol authentication policies for Exchange Online last year (also available for Exchange 2019), the Exchange development group has moved to reduce the attack surface available to hackers by announcing the deprecation of basic auth connections for a set of mailbox protocols from October 2020. The affected protocols are:

Deprecation will happen on October 13, 2020. The usual approach inside Office 365 is that the cut-off doesn’t happen immediately but can occur at any point without warning after the announced date. When the axe descends, clients running any of the listed protocols won’t be able to connect to Exchange Online using basic auth. Customers therefore have just over a year to prepare for the change.

The Challenge of Mobile Clients

The biggest issue is likely to be with mobile clients. Microsoft licenses ActiveSync (EAS) to many mobile device vendors to enable connectivity from clients like the iOS mail app to Exchange. Microsoft argues that it’s time for customers to move to clients that support modern authentication and points to Outlook Mobile for iOS and Android as the logical choice for anyone with an Exchange Online mailbox. The big advantage of Outlook Mobile is that you get more features delivered for these clients, such as the recent support delivered for dark mode and shared mailboxes.

Although it’s true that Outlook Mobile has more than 100 million users, the fact remains that this number counts both consumer and commercial customers and there are far more Exchange Online mailboxes in use. The last active number for Office 365 seats was 180 million (April) and that’s likely to be past 200 million now. Given the mobile nature of email, roughly 50% of the Exchange Online community might use a client today that depends on basic auth for EAS, IMAP4, or POP3.

I’m sure Microsoft has been in touch with its EAS licensees with an update for the new connectivity rules. It’s then up to licensees to update the mail apps for their devices to support modern authentication (Apple already has for iOS 11 onward). However, just because a mail app proclaims its support for modern authentication, it must still be tested against Office 365 to make sure that everything works as expected across all client versions on all device families (some folks have run into problems with the iOS app).

Time to Go for IMAP4 and POP3

Microsoft says that they will update their POP3 and IMAP4 connections to support modern authentication soon. This will help, but tenants will still have to validate that any IMAP4 and POP3 clients still in use can connect, including applications where IMAP4 or POP3 is used to send messages. I recommend that tenants take the opportunity to move users on from these now-ancient email protocols to something that’s more secure and functional, even if it means ripping Thunderbird and other clients out of user hands. They’ll be better for the experience.

Upgrading to a more functional email client is one thing; upgrading an application that uses IMAP4 to fetch messages from Exchange Online is another. Microsoft has committed to update the IMAP4 protocol for Exchange Online to support OAuth and say that they will make an announcement when this support is available. Upgrading an application will involve code changes, so now’s a good time to collect a roster of applications that will need to be updated. On the other side of the coin, the SMTP protocol used by many applications and devices to send messages is not being changed.

Of course, if you feel adventurous, you could upgrade apps to use the Microsoft Graph REST API instead of IMAP4. I suspect that this won’t happen as the work involved is likely to be more onerous (especially testing) than upgrading an IMAP4 connection to support modern authentication.

Remote PowerShell

Exchange has used Remote PowerShell since Exchange 2010 (more software to hit the ropes in October 2020) and people are very accustomed to making remote connections to work with mailboxes and other Exchange objects through PowerShell. The issues involved in Remote PowerShell for Exchange Online are not limited to basic auth, but at least MFA-enabled connections are available.

Discovering Basic Auth Connections

Microsoft says that they will deliver a tool to allow Office 365 tenant administrators to discover who’s using basic auth to connect to their mailboxes. No details of the tool are yet available.

A Good Change

Overall, getting rid of insecure basic auth connections is a very good idea. The only downside is the work that Office 365 tenants must do to identify what usage basic auth has inside their environment and then come up with plans to remove the dependency. At least there’s plenty of time to do the work.
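As an added example (not from the original post), this is how a tenant might use the Exchange Online authentication policies mentioned at the top of the article to get ahead of the October 2020 date: a policy that blocks basic auth for EAS, IMAP4 and POP3 but leaves SMTP AUTH allowed (since the post notes SMTP is not changing), staged to pilot users first, plus a client-side report of who has no explicit policy yet. It assumes an existing remote PowerShell session to Exchange Online; the policy name, pilot addresses and CSV path are constructed placeholders.

```powershell
# Added example, not the original post's code. Assumes an Exchange Online
# remote PowerShell session is already open. Names and addresses are placeholders.
$PolicyName = "BlockLegacyMailProtocols"

# A new authentication policy blocks basic auth for every protocol by default,
# so the only switch needed is the one protocol we deliberately keep allowed.
if (-not (Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $PolicyName -AllowBasicAuthSmtp | Out-Null
}

# Review what the policy blocks and allows before assigning it to anyone.
Get-AuthenticationPolicy -Identity $PolicyName |
    Format-List Name, AllowBasicAuthActiveSync, AllowBasicAuthImap,
                AllowBasicAuthPop, AllowBasicAuthSmtp

# Stage 1: pilot users. Resetting STSRefreshTokensValidFrom makes the policy
# apply on the next connection rather than after the normal propagation delay.
$PilotUsers = @("pilot.one@contoso.example", "pilot.two@contoso.example")  # constructed
foreach ($Upn in $PilotUsers) {
    Set-User -Identity $Upn -AuthenticationPolicy $PolicyName
    Set-User -Identity $Upn -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)
}

# Stage 2 (uncomment once the pilot is clean): make the policy the tenant
# default so every user without an explicit policy inherits it.
# Set-OrganizationConfig -DefaultAuthenticationPolicy $PolicyName

# Inventory: users still without an explicit policy, filtered client-side.
$Unassigned = Get-User -ResultSize Unlimited |
    Where-Object { [string]::IsNullOrEmpty($_.AuthenticationPolicy) } |
    Select-Object DisplayName, UserPrincipalName
$Unassigned | Export-Csv -Path .\UsersWithoutAuthPolicy.csv -NoTypeInformation
"{0} users still have no explicit authentication policy" -f @($Unassigned).Count
```

This inventories policy assignment, not actual basic auth usage; the usage report is the tool the article says Microsoft has promised but not yet described.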


For more information about Exchange Online, read the Office 365 for IT Pros eBook. Our earliest editions focused on Exchange Online, but we’ve got much broader coverage across Office 365 now.


2 Replies to “Basic Authentication Dead for Exchange Online Connections”

  1. A use case that neither Microsoft’s announcement nor your article touches on much is applications using IMAP to access messages programmatically (e.g. a tool that scrapes a mailbox for invoices or expense report attachments). I don’t disagree that it’s “time to change” those, but I would have loved a little more notice. In fact, I know of one team that was moving a tool away from EWS and towards IMAP because of the announcement last July (I don’t agree with that decision, but the irony is painful). Now, people have a year either to push a vendor to change or implement a replacement product (or, I suppose, move a mailbox back on-premises).

    TLDR; IMAP/POP is broader than “stop using Thunderbird.”

    1. I know that IMAP and POP are more than using Thunderbird or one of the other popular clients… the use case you outline, which is a real one, is being dealt with by upgrading the protocols to support modern authentication. This will mean some work for the folks who use IMAP (mostly) to retrieve messages as they will have to upgrade their apps. It is also worth noting that Microsoft is not changing SMTP at this time, so outbound email is unaffected. The change here is to stop attacks on accounts like these, which are often used by apps.
