Basic Authentication Dead for Exchange Online Connections

Microsoft has announced that basic authentication for multiple email connection protocols won’t be supported after October 13, 2020. You won’t be able to connect with EWS, EAS, IMAP4, POP3, or Remote PowerShell unless you use modern authentication. There’s just over a year to prepare, but there’s some work to be done.

Advertisements

Eliminating Basic Auth for Exchange Online with AAD Conditional Access Policies

Exchange Online protocol authentication policies control what protocols a user can connect to mailboxes with, but it would be much better if we didn’t have to worry about some old and insecure protocols. Azure Active Directory gives Office 365 tenants the chance to clamp down on IMAP4 and POP3 connections and close off some of the holes that attackers try to exploit. Microsoft says that this can lead to a 67% reduction in account compromises, so that’s a good thing.

Disabling Basic Authentication for Exchange Online (Preview)

Microsoft has released a preview of the cmdlet set to allow tenants to create and manage protocol authentication policies for Exchange Online. It’s a great chance to disable basic authentication and reduce the attack surface for password spraying.