News

Exchange Online Now Lets IT Pros Turn Off Basic Authentication

• By Kurt Mackie
• 10/18/2018

A new capability that allows IT pros to disable "basic authentication" when using the Exchange Online service is now available as a public preview, though there are a few caveats.

Basic authentication transmits a user name and password to Exchange Online to gain e-mail access, and it uses a bunch of older protocols to do so. Microsoft instead advocates using its so-called "modern authentication" process, which is based on the Active Directory Authentication Library and OAuth 2.0 tokens. It's a certificate-based identity and access approach that enables things like multifactor authentication, where an additional verification is required on top of a user's password to gain access.

The Wednesday announcement by the Exchange team admitted that the new preview has some major drawbacks. For instance, it's not possible to tell which end users in an Exchange Online tenancy are using basic authentication. If basic authentication blocking is enabled, it's not possible to check that the blocking is working. Moreover, the policy change that blocks basic authentication can take "up to 24 hours" to come into effect.

Microsoft possibly is working to remedy those drawbacks. However, it decided to release the preview anyway because of the increasing frequency of "brute force or password spray attacks," according to the Exchange team. In the password spray scenario, attackers try commonly used passwords, like "password," across users in an organization to find an access point.

The blocking of basic authentication will only work for end users whose identities have already been replicated to Azure Active Directory or Exchange Online, Microsoft's announcement noted.

Moreover, it's only possible to block basic authentication when an organization is using certain e-mail client applications that support modern authentication. Microsoft's support document listed those client apps as follows:

• Outlook 2013 or later (note Outlook 2013 requires a registry key change)
• Outlook 2016 for Mac or later
• Outlook for iOS and Android
• Mail for iOS 11.3.1 or later

Microsoft recommends disabling basic authentication "if your organization has no legacy email clients or doesn't want to allow legacy email clients."

The steps to enable or disable modern authentication are described in this support article. It apparently just involves running a PowerShell script.

Microsoft turns on modern authentication by default for users of Exchange Online, SharePoint Online and Skype for Business Online. However, modern authentication was apparently turned on by default for new Exchange Online hybrid tenancies starting back in August of last year. Older Office 365 tenancies didn't get this change, which implies they are still using basic authentication for some end users.