Microsoft will turn off Exchange Online basic auth in January

Microsoft

Microsoft warned today that it will permanently turn off Exchange Online basic authentication starting early January 2023 to improve security.

“Beginning in early January, we will send Message Center posts to affected tenants about 7 days before we make the configuration change to permanently disable Basic auth use for protocols in scope,” The Exchange Team said on Tuesday.

“Soon after basic auth is permanently disabled, any clients or apps connecting using Basic auth to one of the affected protocols will receive a bad username/password/HTTP 401 error.”

This announcement comes after multiple reminders and warnings Redmond has issued over the last three years, the first published in September 2019 and two more in September 2021 and May 2022 after many customers delayed switching to modern authentication.

CISA also urged government agencies and private sector organizations using Microsoft’s Exchange cloud email platform in June to speed up the move from legacy auth methods without multifactor authentication (MFA) support to modern auth alternatives.

In September 2022, a new warning said that basic auth would get disabled in random tenants worldwide starting in October, with the option to re-enable a protocol once until the end of the year.

The outdated Exchange Online basic auth login method will be deprecated for Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell (RPS), Exchange Web Services (EWS), Offline Address Book (OAB), Autodiscover, and Outlook (for Windows and Mac).

The SMTP AUTH protocol used for client email submissions will also be disabled in all tenants where it’s not being used.

These protocols will be disabled for basic auth use permanently during the first week of January 2023, with no way of re-enabling it again.

Microsoft says it has already disabled basic auth in millions of tenants that weren’t using it and toggled off unused protocols within tenants still using it to protect them from attacks exploiting this insecure login scheme.

“Our own research found that more than 99 percent of password spray attacks leverage the presence of Basic Authentication,” Microsoft 365 General Manager Seth Patton said in September.

“The same study found that over 97 percent of credential stuffing attacks also use legacy authentication. Customers that have disabled Basic Authentication have experienced 67 percent fewer compromises than those who still use it.”

After basic auth is deprecated, customers might experience various issues, including being unable to sign into Exchange Online starting January 2023.

The Exchange Team has also shared detailed information on how to stop using basic authentication to avoid having Exchange Online email applications no longer sign in or keep asking for your password.

“We’re making this change to protect your tenant and data from the increasing risks associated with Basic auth,” The Exchange Team added.

“Calling support will not help either, as they cannot re-enable Basic auth for you.”

 

%d bloggers like this: