Basic Auth is Really Dead
Microsoft’s message to Exchange Online administrators has been consistent for months: Basic Auth is dead for Exchange connections. Well, maybe as in Monty Python’s Spamalot, Basic Auth “is not dead yet,” but it’s well on the way there. Microsoft still plans to turn off basic auth for Exchange Web Services, Exchange ActiveSync, POP3, IMAP4, and Remote PowerShell on October 13, 2020.
Gathering Data About Basic Auth Connections
In an informative February 25 post, Microsoft sought to assuage the fears of some customers that applications and devices will cease working and won’t be able to connect to Exchange Online. One piece of good news is Microsoft’s decision to remove the requirement for an Azure Active Directory premium license to see the Sign-in report in the Azure AD portal. Although a tenant can generate a large amount of sign-in data over the seven-day rolling window used by the report, it’s easy to apply a filter to focus on the problematic sign-ins that still use basic auth (Figure 1).
I generated a batch of basic auth connections by signing into PowerShell without multi-factor authentication. The report picked up the sign-ins but didn’t identify them as originating from PowerShell (no user agent string reported).
Microsoft’s advice is to download the sign-in data to Excel and use its filtering and grouping capabilities to interrogate and understand your tenant’s risk profile due to basic auth. Understanding where basic auth connections originate, the applications involved, and the accounts used is of great assistance when building conditional access policies to block this traffic.
Although some extra detective work might be needed to understand exactly where traffic comes from, the sign-in report is a useful tool to highlight the volume of basic auth connections that exist in a tenant and who’s responsible for those connections.
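The filtering and grouping Microsoft suggests doing in Excel can also be scripted against the CSV exported from the sign-in report. This is an added example, not code from the original post: the column names and the “Client app” values used to recognise legacy protocols are assumptions about the export format, and the rows are constructed sample data standing in for a real export.

```powershell
# Added example (not from the original post). Triage an exported Azure AD sign-in
# report to see which protocols and accounts still use basic auth.
# Assumptions: the export has "Username", "Application" and "Client app" columns,
# and legacy protocols are reported under the "Client app" values listed below.

# Constructed sample rows standing in for: Import-Csv .\SignIns.csv
$signIns = @'
"Date (UTC)","Username","Application","Client app","Status"
"2020-02-26T08:01:12Z","kim@example.onmicrosoft.com","Office 365 Exchange Online","IMAP4","Success"
"2020-02-26T08:02:40Z","ben@example.onmicrosoft.com","Office 365 Exchange Online","Mobile Apps and Desktop clients","Success"
"2020-02-26T08:05:03Z","kim@example.onmicrosoft.com","Office 365 Exchange Online","IMAP4","Success"
"2020-02-26T08:07:55Z","svc-report@example.onmicrosoft.com","Office 365 Exchange Online","Other clients","Success"
"2020-02-26T08:09:10Z","ann@example.onmicrosoft.com","Office 365 Exchange Online","Exchange ActiveSync","Success"
"2020-02-26T08:12:31Z","ann@example.onmicrosoft.com","Office 365 Exchange Online","Browser","Success"
'@ | ConvertFrom-Csv

# Assumed "Client app" values for the protocols losing basic auth in October 2020.
# "Other clients" is where sign-ins with no user agent (such as basic auth
# PowerShell sessions) tend to land, hence the extra detective work.
$legacyClientApps = @(
    'Exchange Web Services', 'Exchange ActiveSync', 'IMAP4', 'POP3',
    'Authenticated SMTP', 'Exchange Online PowerShell', 'Other clients'
)

$basicAuthSignIns = $signIns | Where-Object { $legacyClientApps -contains $_.'Client app' }

# Volume per protocol: which client family needs attention first
$basicAuthSignIns |
    Group-Object 'Client app' |
    Sort-Object Count -Descending |
    Select-Object @{Name = 'ClientApp'; Expression = { $_.Name }}, Count |
    Format-Table -AutoSize

# Who is responsible: each account with basic auth sign-ins and the protocols it used
$basicAuthSignIns |
    Group-Object Username |
    Sort-Object Count -Descending |
    Select-Object @{Name = 'Account'; Expression = { $_.Name }}, Count,
        @{Name = 'Protocols'; Expression = { ($_.Group.'Client app' | Sort-Object -Unique) -join ', ' }} |
    Format-Table -AutoSize
```

Replace the here-string with Import-Csv over the real export to run this against a tenant; accounts that appear only under “Other clients” are the ones worth checking against script schedules and service account inventories.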
Microsoft took the opportunity to update Office 365 tenants about common clients and what needs to be done to keep connections going after October 13.
Outlook desktop (Windows and Mac) uses Exchange Web Services to connect to services like AutoDiscover, so if you have old Outlook clients connected to Exchange Online that use Basic Auth, those clients need to be upgraded before October 2020 or they’ll stop working. In some respects, this might be a very good thing in forcing the upgrade to modern Outlook clients. My advice is to avoid Outlook 2013, which is now quite an old client, and move users to Outlook 2016 at a minimum.
Check the Tenant Exchange Online Configuration
It’s possible that some Office 365 tenants are still configured to use basic auth, especially if the tenant was created before August 1, 2017 and no one switched the Exchange Online configuration over to use modern authentication. If you see a lot of basic auth connections reported and you know that the Outlook client base is relatively new, it’s worth checking the value of the OAuth2ClientProfileEnabled setting in the configuration. This should be True to instruct Outlook 2013 and later clients to connect with modern authentication:
Get-OrganizationConfig | Format-Table Name, OAuth2ClientProfileEnabled -AutoSize

Name                            OAuth2ClientProfileEnabled
----                            --------------------------
Office365itpros.onmicrosoft.com True
If the value is False, you can update the configuration by running the Set-OrganizationConfig cmdlet to set OAuth2ClientProfileEnabled to $True.
Updating the configuration will affect all clients connecting to the tenant. It’s wise to understand the connection profile for clients before you switch – but do so before October.
IMAP4 and POP3
Microsoft says that they have completed work on modern authentication for these obsolete access protocols and are rolling out the code within Exchange Online. They make the point that modern authentication has been available for IMAP4 in Outlook.com for some years, which begs the question why it’s taken so long to appear in the commercial service.
Documentation for developers is being completed, which will allow companies who write the IMAP4 and POP3 clients people use to connect to Exchange Online mailboxes to upgrade their code before October.
Some work will be needed to test and deploy updated clients. With that in mind, the question must be asked if it is time to retire these protocols and use something more modern. Remember, IMAP4 and POP3 were created at a time when a separate protocol was needed (SMTP) to send messages. These protocols can only download messages. OWA is a good replacement for PCs while Outlook Mobile should replace mobile clients that use IMAP4 and POP3.
I don’t underestimate the pain and disruption caused when users are forced to switch clients, but we have arrived at a crunch point where the need for security trumps personal preference for antiquated protocols.
Microsoft says that they have nearly finished the work to implement modern authentication for SMTP. When Microsoft switches off basic auth for SMTP, this is likely to disrupt connectivity for apps which use SMTP to send email. For now, Microsoft is not changing SMTP AUTH connections because of the impact on devices which use these connections to send email. It is unclear how many manufacturers would be able to upgrade the software running on these devices to use modern authentication, especially for older devices.
Lots of PowerShell scripts that automate important processes run with basic auth. Microsoft’s plan for non-interactive scripts is to support certificate-based authentication to replace passwords passed to scripts via strings included in the script or read in from a text file. The new REST-based Exchange Online management module helps (especially with the latest update), but it only offers replacements for nine of the hundreds of Exchange cmdlets.
Remember that many scripts used with Office 365 interact with multiple endpoints (Exchange Online, SharePoint Online, Teams, Azure Active Directory, and so on). The work to move non-interactive scripts away from basic auth to modern authentication should not be underestimated.
Work to Do
October 13, 2020 seems like a long time away. It is, unless you’ve got multiple client families and devices using basic auth to connect to Exchange Online now. If that’s the case, work needs to happen now. Unless of course you want to see the flow of email stop dead when basic auth is eradicated.
The Office 365 for IT Pros eBook contains lots of good advice about Exchange Online, SharePoint Online, Planner, OneDrive for Business, Teams, and many other topics. Subscribe to receive monthly updates with the most current advice and guidance.