I don’t know whether this happened somewhere in the bowels of a Microsoft data center, but I imagined Greg Taylor flipping a big red switch marked Basic Authentication for Exchange Online at midnight on October 1 (Figure 1). Perhaps he even sipped a glass of red wine as he started the final process of removing the bulk of dangerous connectivity from Exchange Online (elegantly described during his recent MEC session). Given the effort expended over the last three years, he deserved a drink. Or maybe two.
Figure 1: High-level overview of the Basic Authentication project (source: Microsoft)
Nothing Happened – Yet
Nothing happened after the switch moved to off. The sky didn’t fall and birds continued to sing. No small animals were harmed by Microsoft’s campaign to remove basic authentication for seven connection protocols. At least, nothing happened for the millions of Microsoft 365 tenants that have already embraced modern authentication.
Of course, some tenants are living on borrowed time. These organizations opted for the three-month last-gasp delay granted by Microsoft to those who needed a little extra time to prepare. I hope these folks make good use of the time between now and January 1, 2023.
Tenants that didn’t seek a postponement and still have basic authentication in use could run into issues at any time now. October 1 marked the point when Microsoft starts to disable basic authentication permanently for the affected protocols in tenants. Given the scale of Exchange Online (remember the statistics revealed at MEC), it takes time to work through the tenants now eligible to be turned off. You don’t know when Microsoft will enforce the block on basic authentication within a tenant. The process is automatic and anonymous. No one gets to choose when their tenant’s turn comes around.
Some Potential Holes for Tenants to Fall Into
When Microsoft disables basic authentication for a tenant, two outcomes can happen:
No problems.
Stuff stops working.
Organizations that paid attention to the warnings sounded by Microsoft and amplified by many commentators should be OK. They’ve upgraded clients, updated apps and scripts, and communicated with their users.
Others might not be quite as prepared. Indeed, I suspect that some don’t realize what might happen to them soon. The data presented at MEC (Figure 2) indicated where some problems might lie, including POP3 and IMAP4 clients, mobile devices using Exchange ActiveSync, older versions of Outlook, and apps based on Exchange Web Services (and to a lesser degree, PowerShell).
Figure 2: Basic Authentication – Some Data found by Microsoft
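One way for a tenant to find its own exposure before the block arrives is to inventory sign-ins that still use the protocols named above. The following is an added example, not code from the original post or from Microsoft. It assumes an exported JSON list of Azure AD sign-in records carrying the `userPrincipalName` and `clientAppUsed` fields, and it assumes the `clientAppUsed` labels shown for legacy clients; the sample records and addresses are constructed.

```python
import json
from collections import defaultdict

# Assumption: clientAppUsed labels reported for legacy (basic auth) clients,
# limited to the protocols the article names as likely trouble spots.
LEGACY_CLIENT_APPS = {
    "POP3", "IMAP4", "Exchange ActiveSync",
    "Exchange Web Services", "Exchange Online PowerShell",
}

# Constructed sample export (not real tenant data).
SAMPLE_EXPORT = """[
 {"userPrincipalName": "scanner@contoso.example", "clientAppUsed": "IMAP4"},
 {"userPrincipalName": "Scanner@contoso.example", "clientAppUsed": "IMAP4"},
 {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Exchange ActiveSync"},
 {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "Mobile Apps and Desktop clients"},
 {"userPrincipalName": "svc-report@contoso.example", "clientAppUsed": "Exchange Web Services"},
 {"userPrincipalName": "carol@contoso.example", "clientAppUsed": null}
]"""


def basic_auth_inventory(export_json):
    """Return {protocol: {user: sign-in count}} for legacy-protocol sign-ins."""
    inventory = defaultdict(lambda: defaultdict(int))
    for record in json.loads(export_json):
        # Missing or null fields are tolerated; such records are not counted.
        app = (record.get("clientAppUsed") or "").strip()
        user = (record.get("userPrincipalName") or "unknown").lower()
        if app in LEGACY_CLIENT_APPS:
            inventory[app][user] += 1
    return {app: dict(users) for app, users in inventory.items()}


def remediation_list(inventory):
    """Flatten to (user, protocol, count) rows, busiest accounts first."""
    rows = [(user, app, count)
            for app, users in inventory.items()
            for user, count in users.items()]
    return sorted(rows, key=lambda row: (-row[2], row[0], row[1]))


if __name__ == "__main__":
    for user, app, count in remediation_list(basic_auth_inventory(SAMPLE_EXPORT)):
        print(f"{user:32} {app:26} {count}")
```

The accounts at the top of the list are usually service mailboxes polled by apps or devices, which are the ones that need a replacement client or an OAuth-capable update rather than a user notification.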
The key to everything is modern authentication (OAuth2). If clients attempt to authenticate with a simple username and password combination, they’ll fail. In some cases, the fix is simple, as with iOS devices where the mail app profile can be upgraded to use modern authentication. Apple did this automatically for tens of millions of devices when it released iOS 15.6, but devices managed by MDM solutions might still need attention. Or consider an update to Outlook Mobile (yes, I know this is much harder than my trite remark implies).
In other scenarios, a brand new client might be needed. There are a lot of old POP3 and IMAP4 clients out there, and while some software developers have upgraded their clients, others have not. The same is true for apps that use these protocols to poll Exchange mailboxes for messages.
Users might be annoyed and frustrated to discover that their favorite client can no longer connect, but unless that client supports OAuth, Exchange Online will refuse to allow access to mailboxes (see this Microsoft post for advice on how to solve the immediate “I can’t access my mailbox” problem by reenabling an access protocol). This is a short-term sticking-plaster solution to buy some time until January 2023.
I hope help desk staff are briefed to know how to deal with people who can’t get their email, a situation that can impact business effectiveness. Tenant administrators won’t be thanked if key staff can’t close deals because of obsolete software.
Multi-Factor Authentication is the Next Step
I’ve been writing about this project for years. Removing basic authentication is a very good thing. You don’t get to vote and it will happen, and when it does, users will be safer from password sprays and other attacks. Do yourself a favor at the same time and protect users with multi-factor authentication (MFA) too. According to Microsoft, only 26.84% of Azure AD accounts are protected with MFA. That’s sad, but look at the changeover from basic authentication as a forcing factor to increase user email security by making people switch to more secure clients. MFA should be part of that discussion.
Well, speaking about our personal experience….
1) We’re a small (less than 200) organisation with 1 full time IT person (me)
2) I wasn’t aware of any change coming up and I was on leave when the change hit my organisation
3) All emails on mobile devices stopped working and prompted the users (repeatedly) to enter their password, which was not accepted, so they were prompted again (and again, and again)
4) The genius consultant who set up our O365 / InTune / Profile & Certificates deployments to iOS devices has now closed his business and is no longer available as a consultant
So, for a week now, no emails on mobile devices.
Workarounds – yes, many.
Solutions – no, this is unresolved. InTune (assuming that’s what it is called today) is a minefield and there are no consultants available who already know how to fix this (as opposed to those who are happy to find out by trial and error for their usual hourly fee).
In short, grrrrrrr!
To be fair to Microsoft, they ran a campaign to advise tenants that this change was coming and issued frequent reminders over the last six months. Given the size of the service, it’s inevitable that some tenants will have had a less than stellar experience, but what I see is that in most cases things worked pretty smoothly.