Basic Authentication Will Be Disabled for Exchange Online in October

Microsoft announced a few months ago that Basic Authentication will be disabled for Exchange Online in October 2022. That's only 90 days off now (happy July!), and Microsoft's global data reflects that less than 30% of all users are leveraging MFA (Multi Factor Authentication), so it's a good time to review exactly what "basic" means and what our options are to mitigate the risk of users not being able to get their mail.  

PSA - watch out for your MFA!

Basic authentication is ye olde username and password: the credential pair. It is the single most attacked attribute combo on the planet and your organization's most significant risk. Microsoft has been beating the drum on the risks associated with basic auth, from password sprays to phishing to local credential replay (e.g., Mimikatz).

Credential pairs are an enormous risk to any organization in general, but they are especially dangerous for Exchange Online, which by default allows POP and IMAP access. Those two protocols are also the most common attack vectors for stolen credential pairs.

If you've been putting off the change to modern authentication, it's time to solve for the blockers and move forward, because Microsoft has openly declared that:

  1. No exceptions will be made, and 
  2. Tenants will be migrated by random selection with only seven days' warning. This train is coming. 

So, what exactly is modern authentication? How do we enable it? How do we clear those business blockers and get the users on board?  

First, let's set the bar: modern authentication is not quite the same as multi-factor authentication. The two terms are commonly conflated, and indeed multi-factor should be the end-state goal of your security program. But to meet the October deadline, we'll push that discussion into another series of posts (wherein I'll look at the different factors and the varying quality of each; it's gonna be a nailbiter!).

Modern authentication is friendly speak for OAuth 2.0, which changes the relationship between apps and services: instead of presenting a credential pair for global access, the app presents a token that is scoped to specific permissions and expires.

It also conveniently disrupts password spray attacks because the presentation of credentials used to obtain the token is split across multiple screens. This is why you enter your username on one screen and then advance to the next to enter your password.

There's a lot of good in this decision, and there are implementations of both POP and IMAP that support OAuth 2.0, but there's also a risk: you will have to make a change, and that change could be disruptive.

If your tenant was created before August 1, 2017, modern authentication was off by default. If that's the case for your tenant, you're also not able to create or leverage Conditional Access policies or enable multi-factor authentication, so making this change will be well worth your time.

Fortunately, the change is pretty straightforward and clearly spelled out in Microsoft documentation, but there is a one-time re-authentication, so users will be prompted to log in.  

This is also an excellent time to look at the usage of both POP and IMAP in your environment. A tenant configured for modern authentication supports the native versions of Outlook across all platforms, making POP and IMAP unnecessary. While they are supported under modern auth, they're still part of the umbrella of "legacy" protocols that should be abandoned and disabled where possible. In fact, if you don't implement Conditional Access policies and stick with Security Defaults, they will be disabled automatically.
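The two checks just described (is modern authentication on at the tenant level, and who still has POP/IMAP turned on?) can be scripted against Exchange Online PowerShell. The script below is an added example, not code from the original post or from Microsoft's documentation. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds the Exchange administrator role, and uses a placeholder admin UPN; every `Set-*` call carries `-WhatIf` so it only reports what it would change until you remove that switch.

```powershell
# Added example: audit and enable modern authentication in Exchange Online, then
# find mailboxes that still have the legacy POP and IMAP protocols enabled.
# Assumes ExchangeOnlineManagement is installed and the account is an Exchange admin.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder UPN

# 1. Is OAuth 2.0 (modern authentication) enabled at the tenant level?
$org = Get-OrganizationConfig
if (-not $org.OAuth2ClientProfileEnabled) {
    Write-Host 'Modern authentication is OFF; enabling it (users get a one-time sign-in prompt).'
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true -WhatIf
} else {
    Write-Host 'Modern authentication is already enabled.'
}

# 2. Which mailboxes still expose POP or IMAP?
$legacy = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object DisplayName, PrimarySmtpAddress, PopEnabled, ImapEnabled

$legacy | Format-Table -AutoSize
# Keep a record of what was exposed before the change for your own review.
$legacy | Export-Csv -Path .\pop-imap-enabled.csv -NoTypeInformation

# 3. Disable POP and IMAP on those mailboxes once you have confirmed nothing depends on them.
foreach ($mbx in $legacy) {
    Set-CASMailbox -Identity $mbx.PrimarySmtpAddress -PopEnabled $false -ImapEnabled $false -WhatIf
}

# 4. Make the same change in the mailbox plan(s) so newly created mailboxes start with POP/IMAP off.
Get-CASMailboxPlan | ForEach-Object {
    Set-CASMailboxPlan -Identity $_.Identity -PopEnabled $false -ImapEnabled $false -WhatIf
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once with `-WhatIf` in place and review the CSV; the mailboxes listed there are the ones whose owners need to be told why POP/IMAP is going away before the switches are actually flipped.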

Like the deprecations of Windows 7 and Internet Explorer, this is a change that cannot be ignored. It will be impactful, and the onus will be on IT departments to know and mitigate their own risk. But with one minor disruption as the price and so much functionality as the reward, it's something that should be done sooner rather than later. And once you're ready to put this issue in the rearview mirror, we can address the various modalities of enabling MFA to achieve the right balance of usability and security. 
