End of Longstanding Campaign to Eradicate Basic Authentication to Increase Security of Exchange Online
Updated November 12
On September 12, I received message center notifications MC284549 and MC284559, both of which informed me that Microsoft had disabled basic authentication for POP3, IMAP4, Remote PowerShell, Exchange Web Services (EWS), the Offline Address Book (OAB), Exchange ActiveSync (EAS), SMTP AUTH, and MAPI (Figure 1). I can report that nothing untoward has happened since. Everything kept working and the world continued spinning.
Figure 1: Tenant notice that Microsoft has disabled basic authentication for Exchange Online
To confirm that basic authentication is blocked for the target protocols, run the Get-OrganizationConfig cmdlet and examine the BasicAuthBlockedApps property. In my case, the value returned is 255:
255 means that basic authentication is blocked for all protocols. This is a bitmask composed of values for each protocol. Zero (0) means that basic authentication is not blocked for any protocols. The other values are:
Exchange ActiveSync (EAS): 1
Exchange Web Services (EWS): 2
POP3: 4
IMAP4: 8
Remote PowerShell: 16
MAPI over RPC (Outlook Anywhere): 32
Offline Address Book (OAB): 64
RPC: 128
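The bitmask described above can be decoded per protocol. This is an added example, not code from the original article; the function name ConvertFrom-BasicAuthBlockedApps and the sample value 243 are constructed for illustration, and it assumes the property yields an integer, as the 255 shown above suggests.

```powershell
# Added example: decode a BasicAuthBlockedApps value with the bit values listed in the article.
# The table, function name and sample inputs are constructed for illustration.
$BasicAuthProtocolBits = [ordered]@{
    'Exchange ActiveSync (EAS)'        = 1
    'Exchange Web Services (EWS)'      = 2
    'POP3'                             = 4
    'IMAP4'                            = 8
    'Remote PowerShell'                = 16
    'MAPI over RPC (Outlook Anywhere)' = 32
    'Offline Address Book (OAB)'       = 64
    'RPC'                              = 128
}

function ConvertFrom-BasicAuthBlockedApps {
    param(
        [Parameter(Mandatory)]
        [ValidateRange(0, 255)]
        [int]$Value
    )
    # Emit one row per protocol so gaps can be filtered, exported or alerted on.
    foreach ($entry in $BasicAuthProtocolBits.GetEnumerator()) {
        [pscustomobject]@{
            Protocol = $entry.Key
            Bit      = $entry.Value
            Blocked  = [bool]($Value -band $entry.Value)
        }
    }
}

# In a connected Exchange Online session the input would come from:
#   (Get-OrganizationConfig).BasicAuthBlockedApps
# Constructed sample: the all-blocked value reported in the article.
ConvertFrom-BasicAuthBlockedApps -Value 255 | Format-Table -AutoSize

# Constructed sample: 243 is 255 with bit 4 (POP3) and bit 8 (IMAP4) cleared.
# Filtering on Blocked = $false lists the protocols that still accept basic authentication.
ConvertFrom-BasicAuthBlockedApps -Value 243 |
    Where-Object { -not $_.Blocked } |
    Select-Object -ExpandProperty Protocol
```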
The disabling of basic authentication for multiple connection protocols was not unexpected. Microsoft flagged that this might happen in their June 2021 update on their long-running and much-delayed campaign to eradicate basic authentication from Exchange Online. My only complaint is that I didn’t receive the promised heads-up message center notification 30 days in advance of Microsoft disabling the protocols. Maybe that’s why I received two posts when disablement happened (to be fair to Microsoft, I might have overlooked the up-front message, which then expired and disappeared from view). In any case, things proceeded smoothly and Exchange Online continues to operate smoothly in my tenant without basic authentication.
As the countdown continues towards deprecation day, Microsoft plans to issue monthly informational posts in the Microsoft 365 admin center to tell tenants still using basic authentication what level of usage exists in their environment. Here’s an example of the kind of information you can expect to see:
Based on our telemetry, there may be some users in your tenant currently using Basic Authentication and we expect these users to be affected when these changes take place.
In the month of October, we detected the following usage:
Exchange ActiveSync: 11
POP: 1
IMAP: 0
Outlook Windows: 13
Outlook for Mac/Exchange Web Services: 0
Exchange Remote PowerShell: 0
Please note these numbers only reflect the count of unique users who have successfully authenticated to these services in the specified month; they do not reflect successful access to mailboxes or data (for example, a user may authenticate using IMAP, but may be denied access to the mailbox due to configuration or policy).
October 1, 2022 is a Big Day for Exchange Online
However, things are about to get a lot more interesting for many other organizations with Microsoft’s decision that “effective October 1, 2022, we will begin to permanently disable Basic Auth in all tenants, regardless of usage.” In other words, in a year’s time, basic authentication for Exchange Online goes away even if an organization wants to keep it in place for some reason. This is a very big change.
The logic driving the decision is that removing basic authentication increases security for the overall Exchange Online service and its tenants and stops attackers seeking to compromise individual user accounts. This development might be painful for some, but overall it is a good thing.
Update 27 September: To smoothen progress towards the removal of basic authentication, Microsoft is making an exception for SMTP AUTH. Read the details here.
Microsoft says that in early 2022, they will pick tenants (using some unpublished criteria) and disable basic authentication for all the chosen protocols except SMTP AUTH for a period of between 12 and 48 hours. SMTP AUTH is excluded because it might affect important operational aspects like multi-functional devices or PowerShell scripts sending updates about a job’s progress. When the period expires, Microsoft will enable basic authentication automatically.
While you might argue that it’s wrong for Microsoft to arbitrarily disable connection protocols for selected tenants, it’s certainly an excellent way of showing an organization either that it doesn’t need basic authentication to function or where the pain points are that need to be solved before October 2022. If the pain caused by the disabled protocols becomes too much, tenant administrators can re-enable basic authentication using the self-service capability built into the Microsoft 365 admin center (Figure 2).
Figure 2: The option to reenable basic authentication for Exchange Online in the Microsoft 365 Admin Center
No Exceptions This Time Round
It’s easy to conclude from this news that Microsoft is very serious about eradicating basic authentication. The delays in previous schedules caused by the Covid-19 pandemic and the desire to give organizations more time to prepare have passed. Tenants have a year to get ready, even if they don’t want to. Microsoft says that they will not provide exceptions, noting “We are not providing the ability to use Basic Auth after October 2022. You should ensure your dependency on Basic Auth in Exchange Online has been removed by that time.”
In other words, if you want to use basic authentication with Exchange after October 2022, you need to move some processing on-premises.
Interestingly, the June 2021 update for the retirement of basic authentication in Exchange Online has only accumulated 36K views. This tells me that a bunch of tenant administrators are not keeping themselves informed about what’s going on here. Those people will be unhappy if their tenant is selected for protocol disablement for a period in early 2022 and even less impressed when the hammer descends in October 2022.
Time to Start the Transition
Twelve months isn’t a long time to prepare for major IT changes. Time has a habit of slipping away unnoticed. In this case, it’s important to start preparatory work (if not already done) to decide what will happen in terms of application and device access to Exchange Online, replacement of old user clients that don’t support modern authentication and upgrading code to use the Microsoft Graph APIs.
It’s interesting that Microsoft calls out the use of application access policies in its announcement. These policies allow granular access to mailboxes by apps using Graph APIs, so they’re important components when you transition code from older APIs to the Graph (or even for PowerShell scripts which send email via the Graph). Microsoft has increased the number of application access policies per tenant from 100 to 300 with plans to go to 10,000 or more. That should be enough for any organization to move forward.
I’ve just made a workaround for this issue by creating a proxy that replaces basic with OAuth 😉 https://github.com/mmalcek/basicToOauth