Now that Basic Authentication is Turned Off in Exchange Online, What Happens Next?

Posted on by Tony Redmond

Big Red Switch Moved to Off

I don’t know whether this happened somewhere in the bowels of a Microsoft data center, but I imagined Greg Taylor flipping a big red switch marked Basic Authentication for Exchange Online at midnight on October 1 (Figure 1). Perhaps he even sipped a glass of red wine as he started the final process of removing the bulk of dangerous connectivity from Exchange Online (elegantly described during his recent MEC session). Given the effort expended over the last three years, he deserved a drink. Or maybe two.

High-level overview of the Basic Authentication project (source: Microsoft)
Figure 1: High-level overview of the Basic Authentication project (source: Microsoft)

Nothing Happened – Yet

Nothing happened after the switch moved to off. The sky didn’t fall and birds continued to sing. No small animals were harmed by Microsoft’s campaign to remove basic authentication for seven connection protocols. At least, nothing happened for the millions of Microsoft 365 tenants that have already embraced modern authentication.

Of course, some tenants are living on borrowed time. These organizations opted for the three-month last-gasp delay granted by Microsoft to those who needed a little extra time to prepare. I hope these folks make good use of the time between now and January 1, 2023.

For those who didn’t seek a postponement and basic authentication remains in use, they could run into issues at any time now. October 1 marked the point when Microsoft will start to disable basic authentication permanently for the affected protocols in tenants. Given the scale of Exchange Online (remember the statistics revealed at MEC), it takes time to work through the tenants now eligible to be turned off. You don’t know when Microsoft will enforce the block on basic authentication within a tenant. The process is automatic and anonymous. No one gets to choose when their tenant’s turn comes around.

Some Potential Holes for Tenant to Fall Into

When Microsoft disables basic authentication for a tenant, two outcomes can happen:

  • No problems.
  • Stuff stops working.

Organizations that paid attention to the warnings sounded by Microsoft and amplified by many commentators should be OK. They’ve upgraded clients, updated apps and scripts, and communicated with their users.

Others might not be quite as prepared. Indeed, I suspect that some don’t realize what might happen to them soon. The data presented at MEC (Figure 2) indicated where some problems might lie, including POP3 and IMAP4 clients, mobile devices using Exchange ActiveSync, older versions of Outlook, and apps based on Exchange Web Services (and to a lesser degree, PowerShell).

Basic Authentication - Some Data found by Microsoft
Figure 2: Basic Authentication – Some Data found by Microsoft

The key to everything is modern authentication (OAuth2). If clients attempt to authenticate with a simple username and password combination, they’ll fail. In some cases, the fix is simple, as with iOS devices where the mail app profile can be upgraded to use modern authentication. Apple did this automatically for tens of millions of devices when it released iOS 15.6, but devices managed by MDM solutions might still need attention. Or consider an update to Outlook Mobile (yes, I know this is much harder than my trite remark implies).

In other scenarios, a brand new client might be needed. There’s a lot of old POP3 and IMAP4 clients out there, and while some software developers have upgraded their clients, others have not. The same is true for apps that use these protocols to poll Exchange mailboxes for messages.

Users might be annoyed and frustrated to discover that their favorite client can no longer connect, but unless that client supports OAuth, Exchange Online will refuse to allow access to mailboxes (see this Microsoft post for advice on how to solve the immediate “I can’t access my mailbox” problem. by reenabling an access protocol. This is a short-term sticking-plaster solution to buy some time until January 2023.

I hope help desk staff are briefed to know how to deal with people who can’t get their email, a situation that can impact business effectiveness. Tenant administrators won’t be thanked if key staff can’t close deals because of obsolete software.

Multi-Factor Authentication is the Next Step

I’ve been writing about this project for years. Removing basic authentication is a very good thing. You don’t get to vote and it will happen, and when it does, users will be safer from password sprays and other attacks. Do yourself a favor at the same time and protect users with multi-factor authentication (MFA) too. According to Microsoft, only 26.84% of Azure AD accounts are protected with MFA. That’s sad, but look at the changeover from basic authentication as a forcing factor to increase user email security by making people switch to more secure clients. MFA should be part of that discussion.

So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across Office 365. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.

3 Replies to “Now that Basic Authentication is Turned Off in Exchange Online, What Happens Next?”

  1. Pingback: October 8, 2022 - Red-N Security

  2. Well, speaking about our personal experience….
    1) We’re a small (less than 200) organisation with 1 full time IT person (me)
    2) I wasn’t aware of any change coming up and I was on leave when the change hit my organisation
    3) All emails on mobile devices stopped working and prompted the users (repeatedly) to enter their password, which were not accepted, so they were prompeted again (and again, and again)
    4) The genius consultant who setup our O365 / InTune / Profile & Certificates deployments to iOS devices has now closed his business and is no longer available as a consultant
    So, for a week now, no emails on mobile devices.
    Workarounds – yes, many.
    Solutions – no, this is unresolved. InTune (assuming that’s what it is called today) is a minefield and there are no consultants available who already know how to fix this (as opposed to those who are happy to find out by trial and error for their usual hourly fee).
    In short, grrrrrrr!

    Reply

    1. To be fair to Microsoft, they ran a campaign to advise tenants that this change was coming and issued frequent remainders over the last six months. Given the size of the service, it’s inevitable that some tenants will have had a less than stellar experience, but what I see is that in most cases things worked pretty smoothly.

      Reply

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.