Countdown Accelerating to the Big Basic Authentication Turnoff

October 1 Marks the Start

On May 3, Microsoft published its May update describing progress toward their goal of removing basic authentication for seven email connection protocols starting in October 2022. With 150 days to go, Microsoft wants tenants to make sure that they’re prepared for the big turnoff.

Basic authentication - just a username and password
Figure 1: Basic authentication – just a username and password

Update (September 1): Microsoft is granting tenants the ability to get a three-month extension before retiring basic authentication. See this article for more detail. January 1, 2023 is the new drop-dead date.

By now, there should be no need to rehearse the logic behind the move. Basic authentication for email is a major vector for the compromise of user accounts. Attackers use techniques like password sprays to penetrate accounts using the flimsy protection afforded by basic authentication and proceed to wreak havoc. Business email compromise (BEC) leading to financial loss is only one of the joys available following account penetrations.

Five Big Points to Understand

Among the nuggets in Microsoft’s post, I noted five important points:

  • They have already disabled basic authentication in millions of tenants that were not using the affected protocols. “Millions” is the keyword here. It demonstrates the scale and scope of this effort and the size of Exchange Online.
  • Disabling of basic authentication for Exchange Web Services (EWS), Remote PowerShell, POP3, IMAP4, MAPI over RPC, Exchange ActiveSync, and the Exchange Offline Address Book (OAB) commences on October 1. Remember the scale of Exchange Online? It will take time for Microsoft to work through all the Office 365 data center regions to turn off the protocols for millions of tenants. They anticipate completion at the end of 2022, but protocol disablement could come to your tenant at any time after October 1, so you need to be prepared.
  • No one gets to vote when Microsoft blocks basic authentication for their tenant. Selection is random. It just happens.
  • SMTP AUTH is an exception and support of basic authentication for this protocol continues for now. But that’s no reason to ignore the bright lights signaling that Microsoft is likely to disable basic authentication for SMTP AUTH soon. Microsoft isn’t saying when they will proceed, but you should start to upgrade scripts and devices which send email using SMTP AUTH connections to Exchange Online as soon as possible.
  • Apple devices running recent operating systems that use Exchange ActiveSync to connect the native Apple Mail app to Exchange Online mailboxes can use modern authentication. However, the configuration of the connection to Exchange must specify modern authentication. If a new device copies an existing configuration from an old device (for example, when someone updates an old iPhone to the latest model), the configuration might specify basic authentication. These devices won’t be able to connect to Exchange Online after Microsoft blocks basic authentication. Read this article for more information and consider auditing Apple device connections to identify the devices still using basic authentication.

Use Authentication Policies to Block Protocols

Another important point is that authentication policies are available to block basic authentication for selected protocols now. You can be proactive and block protocols like POP3 and IMAP4 that attackers love using to compromise accounts. It’s a good step to take to stop people using old and vulnerable clients.

A tenant administrator might be lulled into a false sense of security because they’ve deployed Azure AD conditional access policies to protect user accounts, or because they’ve disabled protocols like POP3 and IMAP4 for mailboxes through the Set-CasMailbox cmdlet. These are good steps to take, but they only kick on after an account successfully authenticates – and that might be too late. Blocking protocols with authentication policies stops attackers from authenticating (and knowing that they have valid credentials), meaning that attempted attacks come to a crashing halt.

Time to Get Going

When this post appears, it will be 147 days until 1 October. Three days have slipped away since Microsoft posted its blog. If you’ve had other things on your plate and haven’t progressed the preparation for the big basic authentication turn-off, it’s time to get going.

Make sure that you’re not surprised about changes that appear inside Exchange Online and other Office 365 applications by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers stay informed.

6 Replies to “Countdown Accelerating to the Big Basic Authentication Turnoff”

  1. Will there be any impact on Windows SMTP relay servers which forwards email to Exchange Online via connector. I have an environment where devices and applications are sending emails via SMTP relay servers. There are even scripts which uses send-mailmessage to send emails via relay server to O365.

    1. No. This exercise involves client connectivity, not SMTP servers connecting together. Scripts which use Send-MailMessage use SMTP AUTH, which is an exception for now.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.