Microsoft disables Basic Authentication for Exchange Online

Microsoft is now notifying customers that Basic Authentication for Exchange Online will be permanently deactivated on October 1, 2022, to improve security. The change was already announced in 2019, but Microsoft must now send “final alerts” to customers who have not yet responded by voluntarily switching to another authentication method.

According to a report by BleepingComputer, Microsoft had diligently issued several reminders and warnings over the past three years. Most recently, in May 2022 and September 2021, the company asked its customers to disable Basic Authentication. It then noticed that many customers had not yet migrated their clients and apps to modern authentication.

According to its own statements, Microsoft has already deactivated Basic Authentication for millions of tenants who no longer use it. In the next step, the company is now working on disabling it for tenants that still use it. “Since our first announcement nearly three years ago, we’ve seen millions of users move away from Basic Authentication, and we’ve disabled it on millions of tenants to proactively protect them.

“We’re not done yet, and unfortunately ‘not zero yet.’ However, we will begin disabling basic multi-protocol authentication for tenants that were not previously disabled,” the Exchange team now wrote. “From October 1, we will begin randomly selecting tenants and enabling basic authentication for MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS), and Remote PowerShell.” Those affected will then find a corresponding notification in the Windows Message Center seven days before the start of the rollout.
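For an administrator preparing for the rollout, one way to find which accounts still sign in over the protocols listed above, as an added example that is not part of the original article or Microsoft's tooling. It assumes sign-in records exported as one JSON object per line with `userPrincipalName`, `clientAppUsed` and `status.errorCode` fields; the client-app labels in the mapping and the sample records are assumptions to adjust to your own export.

```python
import json
from collections import defaultdict

# Protocols named in the announcement, keyed by the label assumed to appear in
# the export's clientAppUsed field (assumption: adjust to your own export).
LEGACY_CLIENT_APPS = {
    "MAPI Over HTTP": "MAPI",
    "Outlook Anywhere (RPC over HTTP)": "RPC",
    "Offline Address Book": "OAB",
    "Exchange Web Services": "EWS",
    "POP3": "POP",
    "IMAP4": "IMAP",
    "Exchange ActiveSync": "EAS",
    "Exchange Online PowerShell": "Remote PowerShell",
}

# Constructed sample export, one JSON object per line. errorCode 0 is a
# successful sign-in; 50126 is a rejected username or password.
SAMPLE_EXPORT = """\
{"userPrincipalName": "scanner@example.com", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}}
{"userPrincipalName": "scanner@example.com", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}}
{"userPrincipalName": "alice@example.com", "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 0}}
{"userPrincipalName": "alice@example.com", "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "clientAppUsed": "POP3", "status": {"errorCode": 50126}}
{"userPrincipalName": "ops@example.com", "clientAppUsed": "Exchange Online PowerShell", "status": {"errorCode": 0}}
not-json debris line
"""

def inventory_basic_auth(export_text):
    """Return (protocol -> users who signed in successfully over it,
    users whose legacy-protocol attempts all failed)."""
    affected = defaultdict(set)
    attempted, succeeded = set(), set()
    for line in export_text.splitlines():
        try:
            rec = json.loads(line)
            protocol = LEGACY_CLIENT_APPS.get(rec["clientAppUsed"])
            user = rec["userPrincipalName"].lower()
            ok = rec["status"]["errorCode"] == 0
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # damaged or incomplete record
        if protocol is None:
            continue  # not one of the protocols named in the announcement
        attempted.add(user)
        if ok:
            affected[protocol].add(user)
            succeeded.add(user)
    return {p: sorted(u) for p, u in affected.items()}, sorted(attempted - succeeded)
```

Calling `inventory_basic_auth(SAMPLE_EXPORT)` returns the accounts that will stop working per protocol, plus the accounts that only ever failed over a legacy protocol, which need no migration but are worth reviewing.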

Why is Basic Authentication turned off?

Basic authentication (also known as legacy authentication or proxy authentication) is an HTTP-based authentication method that applications use to send clear-text credentials to servers, endpoints, or various online services.

This makes data theft, for example via a man-in-the-middle attack, relatively easy to carry out. Microsoft has long relied on more secure systems than Basic Auth, such as two-way authentication with tokens that can only be used once.