By now, everyone should be convinced that using basic authentication for connections to Exchange Online is a bad idea. Microsoft has been pushing to remove basic authentication for quite a while, with announcements at the Ignite 2019 conference setting the stage. At that time, Microsoft said they would remove support for:
- Exchange Web Services (EWS – following an earlier announcement in July 2019).
- Exchange ActiveSync (EAS).
- Remote PowerShell.
The logic for choosing these protocols is that they are the set most exploited by attackers. After clients replace basic authentication with modern authentication for connections, attackers have a lot less attack surface to target.
A Change in Plan
Microsoft’s original plan was to remove support for basic authentication using these protocols in October 2020. The Covid-19 pandemic interfered with the ability of many organizations to do the necessary preparation for the deprecation and in April 2020, Microsoft was forced to push the date out to mid-2021.
Now, Microsoft is changing its approach. The basic principles are:
- Expanding the set of protocols covered in the program.
- Disabling basic authentication when it’s not used.
- Leaving tenants who use basic authentication alone for the moment and giving 12 months’ notice for deprecation when the basic authentication removal program restarts.
Let’s dive into some detail.
Expanded Target Protocol Set
The set of protocols has increased to include:
- MAPI (Messaging Application Programming API): The API Exchange Server is built on.
- RPC (Remote Procedure Call). MAPI over RPC is known as Outlook Anywhere and uses basic authentication. MAPI over HTTP supports both basic and modern authentication.
- OAB (Offline Address Book).
- SMTP AUTH (see below).
Outlook desktop clients (Windows) already consume EWS to access information like free/busy data and MailTips. This change closes off potential vulnerabilities in Microsoft’s own client and aligns with the work already done to support modern authentication for IMAP4 and POP3 clients. There is no good reason for Outlook clients to connect to Exchange Online using anything but modern authentication. Microsoft is not including AutoDiscover in the protocol set. The logic here is that AutoDiscover only ever informs clients where to go to access user data; the protocol can never access user data itself, so it is of little use to attackers. Microsoft says that they will consider disabling basic authentication for AutoDiscover in the future, once the battle to eliminate basic authentication for the other protocols is won.
Use It or Lose It
Instead of a big-bang turn-off on a nominated date, Microsoft will disable basic authentication for protocols when tenants do not use this capability “to prevent potential misuse”. Microsoft notes that many organizations don’t realize what protocols are in active use, so they will measure the use of basic authentication within tenants and use that information to disable basic authentication for unused protocols. Tenants will receive a message center notification in the Microsoft 365 admin center 30 days before a protocol is blocked.
Extended Notice Before Blocks Descend
For an undefined period, basic authentication will not be disabled when it is in active use by tenants. Eventually, the period of tolerance for basic authentication will lapse and Microsoft will move into a more active closedown phase. However, Microsoft says they will provide at least 12 months’ notice to tenants before blocking basic authentication for protocols in active use.
SMTP AUTH is the client submission protocol used by applications or devices to submit outbound email to Exchange for processing. Many PowerShell scripts use the Send-MailMessage cmdlet to send messages via SMTP AUTH. As noted in July 2020, Microsoft has already disabled SMTP AUTH for new tenants (don’t these folks send email via PowerShell?) and is now including SMTP AUTH in the overall program rather than handling it separately.
What Happens Next
If your organization uses the affected protocols, you need to build a plan to reduce and then remove the use of basic authentication. This might involve client upgrades, software changes, and perhaps firmware upgrades to devices which connect to Exchange Online (notably those that use SMTP AUTH). You’ll get 12 months’ notice of deprecation when Microsoft restarts its basic authentication removal program.
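Rather than wait for Microsoft’s telemetry to do it for you, a tenant can block basic authentication for exactly the protocols discussed above with an Exchange Online authentication policy. The PowerShell below is an added example, not code from the original post or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, the signed-in account holds the Exchange Administrator role, and the policy name and the contoso.example addresses are placeholders.

```powershell
# Assumptions (not from the original post): ExchangeOnlineManagement module is
# installed, the account holds the Exchange Administrator role, and the policy
# name and every contoso.example address below are placeholders to replace.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example -ShowBanner:$false

# 1. Audit: which authentication policy (if any) applies tenant-wide today, and
#    what do existing policies still allow? A blank DefaultAuthenticationPolicy
#    means basic authentication is still permitted wherever the service allows it.
Get-OrganizationConfig | Select-Object DefaultAuthenticationPolicy
Get-AuthenticationPolicy | Format-List Name, AllowBasicAuth*

# 2. Create a blocking policy. A new authentication policy blocks basic
#    authentication for every protocol by default: EWS, EAS, remote PowerShell,
#    MAPI, RPC, OAB, IMAP4, POP3, SMTP AUTH and (unlike Microsoft's own program,
#    which leaves it alone for now) Autodiscover.
$PolicyName = "Block Basic Authentication"
if (-not (Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $PolicyName | Out-Null
}

# 3. Pilot on a few users first, then make the policy the tenant default so
#    every user without an explicit assignment inherits it.
Set-User -Identity pilot.user@contoso.example -AuthenticationPolicy $PolicyName
Set-OrganizationConfig -DefaultAuthenticationPolicy $PolicyName

# 4. SMTP AUTH (client submission) is also controlled at the transport level.
#    Disable it tenant-wide, then re-enable it only for the mailboxes that the
#    devices or scripts identified in your migration plan genuinely need.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
Set-CASMailbox -Identity printer.relay@contoso.example -SmtpClientAuthenticationDisabled $false

# 5. Verify the end state: the default policy, the transport setting, and the
#    list of remaining per-mailbox SMTP AUTH exceptions.
Get-OrganizationConfig | Select-Object DefaultAuthenticationPolicy
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object PrimarySmtpAddress
```

Authentication policy changes are not instant; allow time for them to propagate before concluding that a client has stopped using basic authentication, and keep the exception list from step 5 under review as devices are upgraded.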
If your organization doesn’t use the affected protocols, this fact will be picked up by Microsoft’s analysis and you’ll receive message center notifications to say that Microsoft is going to disable basic authentication for one or more protocols. Thirty days later, Microsoft will enforce the block. The potential exists that someone might overlook the notification, and in this case, Microsoft says that they are working on a self-service procedure to re-enable protocols in the Microsoft 365 admin center. It’s a good idea to enable the integration between the message center and Planner to make sure you don’t miss important notifications.
In some respects, it’s sad that Microsoft has delayed removing basic authentication for vulnerable connection protocols. I suspect that the reason is rooted in analysis of telemetry from tenants around the world which concluded that implementing the block as planned in mid-2021 would be too disruptive. It’s easy to argue that Microsoft should plough ahead and make the change, but the consequences of blocking connections across many unprepared organizations might generate a severe interruption in service. Tenants would be less vulnerable to attack with the block in place, but stopping people from working is perhaps too big a price to pay for a general-purpose service.
Shifting dates like this is a great reminder of the value of a book with updated content to track developments. The Office 365 for IT Pros eBook covers updates so you don’t have to sweat.