End of Longstanding Campaign to Eradicate Basic Authentication to Increase Security of Exchange Online
Updated November 12
On September 12, I received message center notifications MC284549 and MC284559, both of which informed me that Microsoft had disabled basic authentication for POP3, IMAP4, Remote PowerShell, Exchange Web Services (EWS), the Offline Address Book (OAB), Exchange ActiveSync (EAS), SMTP AUTH, and MAPI (Figure 1). I can report that nothing untoward has happened since. Everything kept working and the world continued spinning.
To confirm that basic authentication is blocked for the target protocols, run the Get-OrganizationConfig cmdlet and examine the BasicAuthBlockedApps property. In my case, the value returned is 255:
Get-OrganizationConfig | Select BasicAuthBlockedApps

BasicAuthBlockedApps
--------------------
                 255
255 means that basic authentication is blocked for every protocol the property covers. The value is a bitmask: each protocol has a power-of-two value, and the property holds the sum of the values for the blocked protocols (1 + 2 + 4 + 8 + 16 + 32 + 64 + 128 = 255). Zero (0) means that basic authentication is not blocked for any of them. SMTP AUTH is not represented in this bitmask; it is controlled separately. The values are:
- Exchange ActiveSync (EAS): 1
- Exchange Web Services (EWS): 2
- POP3: 4
- IMAP4: 8
- Remote PowerShell: 16
- MAPI over RPC (Outlook Anywhere): 32
- Offline Address Book (OAB): 64
- RPC: 128
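To turn the raw number into something a reviewer can read, here is a short PowerShell decoder. This is an added example, not code from the original article or from Microsoft; the bit values are the ones listed above, the sample values 255 and 247 are constructed, and the SMTP AUTH check at the end uses the separate transport and CAS mailbox settings that control that protocol.

```powershell
# Added example (not from the original article): decode the BasicAuthBlockedApps
# bitmask returned by Get-OrganizationConfig into a per-protocol report.
# Bit values are the ones listed in the article above.
$BasicAuthBits = [ordered]@{
    'Exchange ActiveSync (EAS)'        = 1
    'Exchange Web Services (EWS)'      = 2
    'POP3'                             = 4
    'IMAP4'                            = 8
    'Remote PowerShell'                = 16
    'MAPI over RPC (Outlook Anywhere)' = 32
    'Offline Address Book (OAB)'       = 64
    'RPC'                              = 128
}

function ConvertFrom-BasicAuthBlockedApps {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [int]$Value
    )
    process {
        # Eight known bits can only produce 0..255; anything else means the
        # property has changed shape and the table above needs updating.
        if ($Value -lt 0 -or $Value -gt 255) {
            throw "BasicAuthBlockedApps value $Value is outside the 0-255 range."
        }
        foreach ($entry in $BasicAuthBits.GetEnumerator()) {
            [pscustomobject]@{
                Protocol = $entry.Key
                Bit      = $entry.Value
                Blocked  = [bool]($Value -band $entry.Value)
            }
        }
    }
}

# Offline check with constructed values: 255 (everything blocked, as in the
# article) and 247 = 255 - 8 (everything except IMAP4 blocked).
ConvertFrom-BasicAuthBlockedApps -Value 255 | Format-Table -AutoSize
ConvertFrom-BasicAuthBlockedApps -Value 247 | Where-Object { -not $_.Blocked }
# The second call lists exactly one row: IMAP4, Blocked = False.

# Against a live tenant (after Connect-ExchangeOnline from the
# ExchangeOnlineManagement module), list whatever is still open:
# (Get-OrganizationConfig).BasicAuthBlockedApps |
#     ConvertFrom-BasicAuthBlockedApps | Where-Object { -not $_.Blocked }

# SMTP AUTH is not part of this bitmask. The tenant-wide switch is
# (Get-TransportConfig).SmtpClientAuthenticationDisabled, and individual
# mailboxes can override it:
# Get-CASMailbox -ResultSize Unlimited |
#     Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
#     Select-Object Identity, SmtpClientAuthenticationDisabled
```

Run the live-tenant lines once after a message center notification like the ones above and keep the output: an empty list from the first query plus SmtpClientAuthenticationDisabled set to True is the evidence that the tenant is where Microsoft says it is.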
The disabling of basic authentication for multiple connection protocols was not unexpected. Microsoft flagged that this might happen in their June 2021 update on their long-running and much-delayed campaign to eradicate basic authentication from Exchange Online. My only complaint is that I didn’t receive the promised heads-up message center notification 30 days in advance of Microsoft disabling the protocols. Maybe that’s why I received two posts when disablement happened (to be fair to Microsoft, I might have overlooked the up-front message, which then expired and disappeared from view). In any case, things proceeded smoothly and Exchange Online continues to operate smoothly in my tenant without basic authentication.
As the countdown continues towards deprecation day, Microsoft plans to issue monthly informational posts in the Microsoft 365 admin center to tell tenants still using basic authentication what level of usage exists in their environment. Here’s an example of the kind of information you can expect to see:
Based on our telemetry, there may be some users in your tenant currently using Basic Authentication and we expect these users to be affected when these changes take place.
In the month of October, we detected the following usage:
- Exchange ActiveSync: 11
- POP: 1
- IMAP: 0
- Outlook Windows: 13
- Outlook for Mac/Exchange Web Services: 0
- Exchange Remote PowerShell: 0
Please note these numbers only reflect the count of unique users who have successfully authenticated to these services in the specified month; they do not reflect successful access to mailboxes or data (for example, a user may authenticate using IMAP, but may be denied access to the mailbox due to configuration or policy).
October 1, 2022 is a Big Day for Exchange Online
However, things are about to get a lot more interesting for many other organizations with Microsoft’s decision that “effective October 1, 2022, we will begin to permanently disable Basic Auth in all tenants, regardless of usage.” In other words, in a year’s time, basic authentication for Exchange Online goes away even if an organization wants to keep it in place for some reason. This is a very big change.
The logic driving the decision is that removing basic authentication increases security for the overall Exchange Online service and its tenants. Basic authentication presents a username and password on every request and cannot be protected by multi-factor authentication, which is why it is the path attackers prefer when they try to compromise individual user accounts with stolen or guessed passwords. This development might be painful for some, but overall it is a good thing.
Update 27 September: To smooth progress towards the removal of basic authentication, Microsoft is making an exception for SMTP AUTH. Read the details here.
Update November 12: Microsoft has issued a useful summary of the actions they are taking to remove basic authentication from Exchange Online.
Early 2022 Test Disablements
Microsoft says that in early 2022, they will pick tenants (using some unpublished criteria) and disable basic authentication for all the chosen protocols except SMTP AUTH for a period of between 12 and 48 hours. SMTP AUTH is excluded because it might affect important operational aspects like multi-functional devices or PowerShell scripts sending updates about a job’s progress. When the period expires, Microsoft will enable basic authentication automatically.
While you might argue that it’s wrong for Microsoft to arbitrarily disable connection protocols for selected tenants, it’s certainly an excellent way of proving to an organization that they either don’t need basic authentication to function or where the pain points are which need to be solved before October 2022. If the pain caused by the disabled protocols becomes too much, tenant administrators can re-enable basic authentication using the self-service capability built into the Microsoft 365 admin center (Figure 2).
No Exceptions This Time Round
It’s easy to conclude from this news that Microsoft is very serious about eradicating basic authentication. The delays in previous schedules caused by the Covid-19 pandemic and the desire to give organizations more time to prepare have passed. Tenants have a year to get ready, even if they don’t want to. Microsoft says that they will not provide exceptions, noting “We are not providing the ability to use Basic Auth after October 2022. You should ensure your dependency on Basic Auth in Exchange Online has been removed by that time.”
In other words, if you want to use basic authentication with Exchange after October 2022, you need to move some processing on-premises.
Interestingly, the June 2021 update for the retirement of basic authentication in Exchange Online has only accumulated 36K views. This tells me that a bunch of tenant administrators are not keeping themselves informed about what’s going on here. Those people will be unhappy if their tenant is selected for protocol disablement for a period in early 2022 and even less impressed when the hammer descends in October 2022.
Time to Start the Transition
Twelve months isn’t a long time to prepare for major IT changes. Time has a habit of slipping away unnoticed. In this case, it’s important to start preparatory work (if not already done) to decide what will happen in terms of application and device access to Exchange Online, replacement of old user clients that don’t support modern authentication and upgrading code to use the Microsoft Graph APIs.
It’s interesting that Microsoft calls out the use of application access policies in its announcement. These policies restrict which mailboxes an app can reach through the Graph APIs, so they’re important components when you transition code from older APIs to the Graph (or even for PowerShell scripts which send email via the Graph): without a policy, an app granted application permissions such as Mail.Send can act against every mailbox in the tenant. Microsoft has increased the number of application access policies per tenant from 100 to 300 with plans to go to 10,000 or more. That should be enough for any organization to move forward.
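The Exchange Online cmdlets for this are New-ApplicationAccessPolicy and Test-ApplicationAccessPolicy. The following is an added example, not code from the original article or from Microsoft; the app ID, the scoping group and the two mailbox addresses are placeholders I made up for illustration, and the script assumes an existing Exchange Online session.

```powershell
# Added example (not from the original article): scope a Graph mail app to a
# set of mailboxes with an application access policy, then test it.
# Requires Connect-ExchangeOnline (ExchangeOnlineManagement module).
# All identifiers below are placeholders, not real tenant objects.

$AppId       = '00000000-0000-0000-0000-000000000000'  # Application (client) ID of the app registration
$ScopeGroup  = 'Mail-Senders@contoso.com'               # mail-enabled security group listing allowed mailboxes
$TestAllowed = 'Service.Account@contoso.com'            # a member of the group
$TestDenied  = 'CEO@contoso.com'                        # a mailbox outside the group

# Restrict the app so it can only touch mailboxes that are members of $ScopeGroup.
# RestrictAccess is the allow-list form; DenyAccess would block the listed mailboxes instead.
New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $ScopeGroup `
    -AccessRight RestrictAccess `
    -Description 'Graph mail app limited to the mailboxes in Mail-Senders'

# Verify the policy before cutting the app over from EWS or SMTP AUTH.
# Test-ApplicationAccessPolicy reports AccessCheckResult as Granted or Denied.
$results = foreach ($mailbox in $TestAllowed, $TestDenied) {
    Test-ApplicationAccessPolicy -Identity $mailbox -AppId $AppId |
        Select-Object @{ n = 'Mailbox'; e = { $mailbox } }, AccessCheckResult
}
$results | Format-Table -AutoSize

# The out-of-scope mailbox must come back Denied; if it does not, the policy
# has not propagated yet or the group membership is wrong. Do not ship the app
# until this check passes.
$denied = ($results | Where-Object Mailbox -eq $TestDenied).AccessCheckResult
if ($denied -ne 'Denied') {
    Write-Warning "Expected Denied for $TestDenied but got '$denied'; check group membership and retry later."
}

# Inventory of policies in the tenant (the per-tenant limit discussed above applies here).
Get-ApplicationAccessPolicy | Format-Table AppId, ScopeIdentity, AccessRight, Description
```

The test step is the part people skip. A policy that is created but never verified gives the same false comfort as a basic authentication block that nobody checked with Get-OrganizationConfig.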
So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across Office 365. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what’s happening.