News

Microsoft Details Plan to End Basic Authentication for Exchange Online

• By Kurt Mackie
• 02/26/2020

With Basic Authentication in Exchange Online set to lose support this fall, Microsoft on Tuesday shared details about the transition and highlighted potential hurdles for organizations.

Basic Authentication support will end on Oct. 13, 2020 when it's used with various e-mail protocols involved with the Exchange Online service. Those protocols include Exchange ActiveSync, Post Office Protocol (POP) and Internet Message Access Protocol (IMAP).

Additionally, Microsoft will drop support for Basic Authentication when it's used with Exchange Web Services on that same October date. It'll end support for "Remote PowerShell" when used with the Exchange Online service on that Oct. 13, 2020 date, as well.

These Basic Authentication end-of-support details were previously described by Microsoft back in September.

Microsoft has explained that it is ending support for Basic Authentication in Exchange Online because Basic Authentication is subject to "password spray" attacks, where attackers try commonly used passwords (such as "password") across an organization to gain a foothold. Microsoft instead wants organizations using Exchange Online to switch to so-called "Modern Authentication," using OAuth 2.0 tokens and the Active Directory Authentication Library.

Modern Authentication has an added benefit of supporting multifactor authentication, where a secondary means besides a password is used to affirm user identities. Basic Authentication lacks the multifactor authentication capability.

Finding Basic Authentication
The switch away from Basic Authentication will happen in perhaps eight months' time, but Microsoft is only just now offering up the tooling to help IT pros detect Basic Authentication use. The tooling, which finds client applications that are using Basic Authentication, is available via a Sign-ins item in the Azure Active Directory Admin Center portal, Microsoft's announcement explained.

Microsoft's Basic Authentication detection tool is still a work in progress, though. Moreover, it's just accessible right now by organizations having Azure Active Directory Premium licensing, although Microsoft plans to make it available more broadly. The steps to find Basic Authentication, as described in the announcement, aren't too straightforward.

Comments by readers of Microsoft's announcement generally noted that IT pros seem to have little time to detect Basic Authentication and prepare their scripts before Microsoft ends support.

Outlook Clients Affected
IT pros dealing with Basic Authentication end-of-support issues have another potential worry, namely Outlook clients. Outlook clients on macOS and Windows systems will be affected when Microsoft ends Basic Authentication support. Those clients will need to switch to using Modern Authentication before the October deadline. It's a detail that Microsoft forgot to mention in its September announcement.

Here's Microsoft's statement to that effect:

Both Outlook for Windows and for Mac are impacted by our turning off Basic Auth in Exchange Online. Both clients rely upon Exchange Web Services (EWS) and so if they are still using Basic Auth, they will be affected. Both clients need to be switched to use Modern Auth before October 2020.

For iOS and Android mobile devices, Microsoft is "strongly recommending you switch to Outlook for iOS and Android in favor of the native apps" when connecting to Exchange Online.

Any use of Basic Authentication by Outlook clients might signify that Modern Authentication was disabled in an Office 365 tenancy. Office 365 tenancies created 2.5 years ago may have Modern Authentication turned off, Microsoft's announcement suggested.

"If your tenant was created before August 1, 2017, that's most likely it (and that's precisely why this member of the Exchange Team's own O365 tenant is forcing him to connect with Basic -- so he needs to fix that -- sharpish)," Microsoft's announcement explained.

The good news is that Outlook clients may already be using Modern Authentication.

For instance, Modern Authentication is already supported in Outlook 2013 for Windows if a registry key is enabled. Modern Authentication is supported by default in Outlook 2016, and newer clients, on Windows systems. The same default support for Modern Authentication is present in Outlook for Mac 2016 and newer clients.

Also good news is that it's possible to simply look at the client login dialog box and know if Basic Authentication or Modern Authentication is used. Basic Authentication logins for the client show a dialog box with the old "User name" and "Password" fields simultaneously displayed.

Another check, on Windows systems, is to use the Outlook system tray icon's properties to view Outlook's "Connection Status." It'll show the word "Clear*" under the authentication field ("Authn") to indicate the use of Basic Authentication. The word "Bearer*" in that field signifies that Modern Authentication is used for the Outlook client.

Turning on Modern Authentication
Microsoft's announcement cautioned that switching to Modern Authentication has an effect across an Office 365 tenancy:

So if you need to enable Modern Auth on your tenant, go read about that here. But before you just flip the switch, we do want to point out that this change affects your entire tenant. Just make sure you understand how such things as Conditional Access might impact the authentication flow. 

The switch to Modern Authentication won't affect Exchange mailboxes housed in an organization's datacenter in so-called "hybrid" scenarios (meaning the simultaneous use of cloud services and resources housed on an organization's infrastructure).

"Also, if your organization is in Hybrid, know that turning on Modern Auth on the tenant doesn't impact your mailboxes on-premises," the announcement explained. "But you can enable Modern Auth there too. Read more about Hybrid Modern Authentication here."

Other Support
Microsoft's announcement added a note that it has completed work on supporting Modern Authentication for Office 365 tenancies using the POP or IMAP mail protocols, but the rollout timing wasn't described. It's also nearly done with adding Modern Authentication support for the SMTP protocol.

Microsoft also seems to be recommending the use of the Azure Cloud Shell for Exchange Online remote operations, as well as the Exchange Online PowerShell v2 module (currently in preview). However, it added that it is "absolutely committed to supporting non-interactive scripts via Remote PowerShell using Certificate Based Authentication," and is still working on the code.