Microsoft’s message to Exchange Online administrators has been consistent for months: Basic Auth is dead for Exchange connections. Well, maybe as in Monty Python’s Spamalot, Basic Auth “is not dead yet,” but it’s well on the way there. Microsoft still plans to turn off basic auth for seven protocols, including Exchange Web Services, Exchange ActiveSync, POP3, IMAP4, and Remote PowerShell on October 13, 2020.
Gathering Data About Basic Auth Connections
In an informative February 25 post, Microsoft sought to assuage the fears of some customers that applications and devices will cease working and won’t be able to connect to Exchange Online. One piece of good news is Microsoft’s decision to remove the requirement for an Azure Active Directory premium license to see the Sign-in report in the Azure AD portal. Although a tenant can generate a large amount of sign-in data over the seven-day rolling window used by the report, it’s easy to apply a filter to focus on the problematic sign-ins that still use basic auth (Figure 1).
Figure 1: Filtering the Azure Active Directory Sign-ins Report
I generated a batch of basic auth connections by signing into PowerShell without multi-factor authentication. The report picked up the sign-ins but didn’t identify them as originating from PowerShell (no user agent string reported).
Microsoft’s advice is to download the sign-in data to Excel and use its filtering and grouping capabilities to interrogate and understand your tenant’s risk profile due to basic auth. Understanding where basic auth connections originate, the applications involved, and the accounts used is of great assistance when building conditional access policies to block traffic.
Although some extra detective work might be needed to understand exactly where traffic comes from, the sign-in report is a useful tool to highlight the volume of basic auth connections that exist in a tenant and who’s responsible for those connections.
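The same grouping can be scripted instead of done in Excel. The following is an added example, not code from the original post: it summarizes basic auth sign-ins per account and client app from constructed sample rows. The column names and the two client app values treated as modern authentication are assumptions about the downloaded CSV; adjust them to match your export.

```powershell
# Constructed sample rows standing in for the CSV downloaded from the Sign-ins report.
# Column names (User, Application, Client app, IP address, Status) are assumed.
$csv = @'
Date (UTC),User,Application,Client app,IP address,Status
2020-03-02T08:01:11Z,kim.akers@contoso.example,Office 365 Exchange Online,IMAP4,203.0.113.10,Success
2020-03-02T08:05:42Z,kim.akers@contoso.example,Office 365 Exchange Online,IMAP4,198.51.100.77,Failure
2020-03-02T08:06:03Z,kim.akers@contoso.example,Office 365 Exchange Online,IMAP4,198.51.100.77,Failure
2020-03-02T09:12:30Z,svc.reports@contoso.example,Office 365 Exchange Online,Exchange Web Services,203.0.113.25,Success
2020-03-02T09:30:00Z,ben.smith@contoso.example,Office 365 Exchange Online,Exchange ActiveSync,203.0.113.40,Success
2020-03-02T09:45:19Z,ben.smith@contoso.example,Office 365 Exchange Online,Mobile Apps and Desktop clients,203.0.113.40,Success
2020-03-02T10:02:51Z,kim.akers@contoso.example,Office 365 SharePoint Online,Browser,203.0.113.10,Success
'@

# With a real export, replace this line with: $signIns = Import-Csv .\SignIns.csv
$signIns = $csv | ConvertFrom-Csv

# Client app values treated as modern authentication (assumed); all others count as basic auth.
$modernClients = 'Browser', 'Mobile Apps and Desktop clients'

function Get-BasicAuthSummary {
    param(
        [Parameter(Mandatory)][object[]]$SignIn,
        [Parameter(Mandatory)][string[]]$ModernClient
    )
    $SignIn |
        Where-Object { $_.'Client app' -and $_.'Client app' -notin $ModernClient } |
        Group-Object -Property User, 'Client app' |
        ForEach-Object {
            [pscustomobject]@{
                User      = $_.Group[0].User
                ClientApp = $_.Group[0].'Client app'
                SignIns   = $_.Count
                # Failed attempts from unfamiliar addresses deserve a closer look.
                Failures  = @($_.Group | Where-Object Status -ne 'Success').Count
                SourceIPs = ($_.Group.'IP address' | Sort-Object -Unique) -join ', '
            }
        } |
        Sort-Object -Property SignIns -Descending
}

Get-BasicAuthSummary -SignIn $signIns -ModernClient $modernClients | Format-Table -AutoSize
```

The accounts and client apps at the top of the output are the first candidates for a conditional access policy or a client upgrade.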
Upgrade Outlook
Microsoft took the opportunity to update Office 365 tenants about common clients and what needs to be done to keep connections going after October 13.
Outlook desktop (Windows and Mac) uses Exchange Web Services to connect to services like AutoDiscover, so if you have old Outlook clients connected to Exchange Online that use Basic Auth, those clients need to be upgraded before October 2020 or they’ll stop working. In some respects, this might be a very good thing in forcing the upgrade to modern Outlook clients. My advice is to avoid Outlook 2013, which is now quite an old client, and move users to Outlook 2016 at a minimum.
Check the Tenant Exchange Online Configuration
It’s possible that some Office 365 tenants are still configured to use basic auth, especially if the tenant was created before August 1, 2017 and no one switched the Exchange Online configuration over to use modern authentication. If you see a lot of basic auth connections reported and you know that the Outlook client base is relatively new, it’s worth checking the value of the OAuth2ClientProfileEnabled setting in the configuration. This should be True to instruct Outlook 2013 and later clients to connect with modern authentication:
If the value is False, you can update the configuration by running the Set-OrganizationConfig cmdlet and setting OAuth2ClientProfileEnabled to $True.
Updating the configuration will affect all clients connecting to the tenant. It’s wise to understand the connection profile for clients before you switch – but do so before October.
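The check and the update described above can be combined, as in this added example (not code from the original post). It assumes an existing Exchange Online PowerShell session with permission to run Get-OrganizationConfig and Set-OrganizationConfig; the function name is hypothetical.

```powershell
# Added example. Requires a connected Exchange Online PowerShell session.
function Enable-TenantModernAuth {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param()

    # Read the current tenant-wide setting.
    $config = Get-OrganizationConfig
    if ($config.OAuth2ClientProfileEnabled) {
        Write-Output 'OAuth2ClientProfileEnabled is already True; nothing to change.'
        return
    }

    Write-Warning 'OAuth2ClientProfileEnabled is False: Outlook 2013 and later clients are not instructed to use modern authentication.'

    # The change affects every client connecting to the tenant, so ask for
    # confirmation and honor -WhatIf before touching the configuration.
    if ($PSCmdlet.ShouldProcess('Exchange Online organization configuration',
                                'Set OAuth2ClientProfileEnabled to $true')) {
        Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
        # Read the value back to confirm the update.
        (Get-OrganizationConfig).OAuth2ClientProfileEnabled
    }
}

# Preview only; remove -WhatIf to apply the change.
Enable-TenantModernAuth -WhatIf
```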
IMAP4 and POP3
Microsoft says that they have completed work on modern authentication for these obsolete access protocols and are rolling out the code within Exchange Online. They make the point that modern authentication has been available for IMAP4 in Outlook.com for some years, which begs the question why it’s taken so long to appear in the commercial service.
Documentation for developers is being completed, which will allow companies who write the IMAP4 and POP3 clients people use to connect to Exchange Online mailboxes to upgrade their code before October.
Some work will be needed to test and deploy updated clients. With that in mind, the question must be asked if it is time to retire these protocols and use something more modern. Remember, IMAP4 and POP3 were created at a time when a separate protocol was needed (SMTP) to send messages. These protocols can only download messages. OWA is a good replacement for PCs while Outlook Mobile should replace mobile clients that use IMAP4 and POP3.
I don’t underestimate the pain and disruption caused when users are forced to switch clients, but we have arrived at a crunch point where the need for security trumps personal preference for antiquated protocols.
SMTP
Microsoft says that they have nearly finished the work to implement modern authentication for SMTP. When Microsoft switches off basic auth for SMTP, this is likely to disrupt connectivity for apps which use SMTP to access email. For now, Microsoft is not changing SMTP AUTH connections because of the impact on devices which use these connections to send email. It is unclear how many manufacturers would be able to upgrade the software running on these devices to use modern authentication, especially for older devices.
PowerShell
Lots of PowerShell scripts that automate important processes run with basic auth. Microsoft’s plan for non-interactive scripts is to support certificate-based authentication to replace passwords passed to scripts via strings included in the script or read in from a text file. The new REST-based Exchange Online management module helps (especially with the latest update), but it only offers replacements for nine of the hundreds of Exchange cmdlets.
Remember that many scripts used with Office 365 interact with multiple endpoints (Exchange Online, SharePoint Online, Teams, Azure Active Directory, and so on). The work to move non-interactive scripts away from basic auth to modern authentication should not be underestimated.
Work to Do
October 13, 2020 seems like a long time away. It is, unless you’ve got multiple client families and devices using basic auth to connect to Exchange Online now. If that’s the case, work needs to happen now. Unless of course you want to see the flow of email stop dead when basic auth is eradicated.
6 Replies to “Time Running Out for Exchange Online Basic Authentication”
Microsoft did not release code for IMAP/POP3 for OAuth and once they release we need some time to integrate to the product we deliver to customer and then customer will need some time to test before they move it to production. I think Oct date should be moved as Microsoft is not yet ready for giving alternative approach.
The post doesn’t say that Microsoft has released the documentation for IMAP/POP3 support for OAuth. That work is still being done. But Microsoft has given clear warning that basic auth is going away on October 13, 2020 for some time now, so customers should be prepared to do the test and get whatever’s necessary done to move this into production. In other words, this shouldn’t be a surprise. I hope they don’t move the date because as pointed out in https://office365itpros.com/2020/03/03/basic-authentication-exchange-online-so-bad/ the combination of IMAP and basic auth is an open invitation to be attacked.