Microsoft Set to Disable Basic Authentication on October 1, 2022
Key Points:
- Basic authentication for Exchange (Online) will be discontinued as of October 1, 2022.
- Security and compliance risks are increased when using Basic Authentication.
- Microsoft recommends that you migrate to modern authentication before this date.
- Migrating to modern authentication will help keep your data safe and secure.
Microsoft has announced that Basic Authentication will be turned off permanently for Exchange Online as of October 1, 2022. Your Exchange account hosts your email, contacts, and calendar data, so it’s important to take action now to ensure a smooth transition for your business. Any application or device that uses Basic Authentication to connect to Exchange Online will no longer be able to do so after this date.
What Is Basic Authentication?
Basic authentication, also known as proxy authentication, is an authentication scheme to identify a user. It is typically used with a password or other secret information to verify the user’s identity. The username and password are typically stored on the user’s device.
While this method was the standard in the past, it is no longer considered secure. Cybercriminals can easily access this information, making it a high-risk authentication method. When users began transitioning from on-premises to cloud-based models, Microsoft recognized that many were still using basic authentication.
Now, Microsoft has set a deadline for the use of Basic Authentication for Exchange (Online). Anyone who has not made the switch to a more secure authentication method yet should begin doing so as soon as possible.
Alternatives to Basic Authentication
By ending support for Basic Authentication, Microsoft is forcing users to adopt more secure authentication methods, such as Modern Auth. Modern authentication is an umbrella term for various authentication methods that provide increased security over Basic Authentication.
Multi-factor authentication (MFA) is one type of modern authentication that requires users to provide more than one form of identification when logging in. This can include a password and a code sent to a user’s phone or email. MFA is a more secure authentication method because it makes it more difficult for cybercriminals to access users’ accounts.
Microsoft recommends that users adopt MFA as soon as possible to protect their data. However, MFA is not the only alternative to Basic Authentication. Users can adopt other methods of modern authentication, such as Azure Active Directory Conditional Access or Microsoft Intune. In addition, zero trust and real-time risk assessments can be used to secure your data further. Modern OAuth access tokens will reduce the risks associated with password reuse and enable conditional access policies to be enforced.
Why Is Microsoft Ending Basic Authentication?
Microsoft is taking this action to increase security for Exchange Online users. Basic Authentication sends your username and password in plain text, which can be intercepted by malicious actors. In today’s digital age, it’s more important than ever to keep your data secure, and Microsoft is committed to providing its users with the highest levels of security.
What Will Happen When Basic Authentication Ends?
After Basic Authentication is deprecated in Exchange Online, legacy protocols like Exchange Web Services (EWS), Exchange ActiveSync (EAS), Post Office Protocol version 3 (POP3), Internet Message Access Protocol version 4 (IMAP4), and Remote PowerShell will no longer work.
SMTP Auth, however, will continue to work as it uses OAuth 2.0. SMTP will still be available because many multi-function devices connecting to Exchange Online use SMTP to send messages. These devices will be able to continue using SMTP after Basic Authentication is no longer supported. The devices include but are not limited to scanners, copiers, and fax machines.
Microsoft has already disabled SMTP Auth for many tenants that were not using the protocol.
What Will the End of Basic Authentication Mean for My Organization?
If your business uses any application or device that connects to Exchange Online using Basic Authentication, you will need to take action to ensure that these applications are updated to use a more secure authentication method. Otherwise, you will lose access to your email, contacts, and calendar data after October 1, 2022. Organizations can block Basic Authentication in Exchange Online by establishing authentication policies.
You will need to determine what will happen to any data stored on these devices or applications. You will also need to determine if any old user clients will need to be replaced and, if so, how you will do that. If any of your users are using Outlook 2010 or earlier, they will need to upgrade to a newer version of Outlook to continue using Exchange Online. Modern Auth first appeared in the Office suite with Outlook 2013.
Now is the perfect time to craft a plan to move away from Basic Authentication in your organization. This will ensure that you are prepared when the deadline arrives. There are a few things to keep in mind as you transition away from Basic Authentication:
- Verify that modern authentication is enabled for your Exchange Online tenant
- Make sure that you have a plan in place for any legacy protocols that will no longer work after Basic Authentication is deprecated
- Test your plan to ensure that it works as intended
- Train your users on the new authentication methods that they will be using
By following these steps, you can ensure a smooth transition for your organization and minimize disruptions to your business.
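The first three steps, together with the authentication policy mentioned earlier, could be scripted in Exchange Online PowerShell as follows. This is an added example, not code from Microsoft or Retrofit Technologies; it assumes a session already opened with Connect-ExchangeOnline, and the policy name, pilot address, output file and the $EnforceTenantWide switch are placeholders.

```powershell
# Added example; run in a session opened with Connect-ExchangeOnline.
$PolicyName        = 'Block Basic Auth'               # placeholder policy name
$PilotUsers        = @('pilot.user@contoso.example')  # constructed sample address
$EnforceTenantWide = $false                           # set to $true only after the pilot passes

# 1. Verify that modern authentication (OAuth) is enabled for the tenant.
if (-not (Get-OrganizationConfig).OAuth2ClientProfileEnabled) {
    Write-Warning 'Modern authentication is off for this tenant; enabling it.'
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}

# 2. Create the policy once. A new policy allows Basic Authentication for no
#    protocol unless an -AllowBasicAuth* switch is passed, so none is passed here.
if (-not (Get-AuthenticationPolicy | Where-Object Name -eq $PolicyName)) {
    New-AuthenticationPolicy -Name $PolicyName | Out-Null
}

# 3. Test the plan on pilot users before touching everyone else.
foreach ($upn in $PilotUsers) {
    Set-User -Identity $upn -AuthenticationPolicy $PolicyName
}

# 4. List mailbox users that no policy covers yet; these still need a plan.
$uncovered = Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuthenticationPolicy }
"{0} mailbox users have no authentication policy assigned" -f @($uncovered).Count
$uncovered | Select-Object UserPrincipalName | Export-Csv .\no-auth-policy.csv -NoTypeInformation

# 5. SMTP AUTH: show the tenant-wide setting and any mailbox that overrides it
#    to keep SMTP AUTH on (scanners, copiers and similar devices).
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object PrimarySmtpAddress, SmtpClientAuthenticationDisabled

# 6. Once the pilot is clean, make the policy the default for every user
#    that has no policy of their own.
if ($EnforceTenantWide) {
    Set-OrganizationConfig -DefaultAuthenticationPolicy $PolicyName
}
```

Mailboxes listed in step 5 are the ones whose devices still depend on SMTP AUTH, so they are the first to check against the legacy-protocol plan.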
Retrofit Technologies Can Help You Transition Away From Basic Authentication
Retrofit Technologies is a Microsoft Partner and an expert in all things Microsoft Office 365. We can help you transition away from Basic Authentication in Exchange Online and ensure that your data is safe and secure.
From consulting and planning to implementation and training, Retrofit Technologies can help your organization make the transition to a more secure authentication method. Contact us today to learn more about our managed services, how we can help you protect your data and all possible options when Microsoft discontinues this vital service.