Basic Authentication Considerations for Office 365

If you’re using Office 365, you probably already know about the benefits, such as Workplace Analytics, that come with the package. You should also be aware of Microsoft’s intention to end Basic Authentication support for five Exchange Online protocols this year. The primary objective is to address security concerns, such as password spray attacks, effectively.

As such, Microsoft already blocked the following protocols last October:

  • ActiveSync
  • EWS
  • IMAP
  • POP
  • Remote PowerShell

So, if you haven’t already, you should immediately move your Microsoft 365 clients to “modern authentication.” Modern authentication enables Active Directory Authentication Library (ADAL)-based sign-in for your Office 365 clients (including apps and supporting features).

While the tech giant had planned to disable more Basic Authentication protocols in April, there has been a considerable change of plans due to the far-reaching effects of the COVID-19 pandemic.

While the goal of disabling Basic Authentication in Exchange Online is still very much on, the date for a complete shutdown has been postponed indefinitely. The good news is that this gives us more time to prepare and get tenants ready for the inevitable.

What Should Enterprises Using Office 365 Do to Get Ready?

If you went through this exercise last year, you already know that blocking legacy protocols isn’t straightforward. However, it has to be done: leaving these protocols enabled can lead to a disastrous security event.

Microsoft 365 administrators should be aware that several legacy protocols their tenant does not need remain switched on. If you have enabled security defaults, these protocols are blocked in newly created tenants. By blocking unused protocols (and so removing any opportunity for their misuse), you can better secure your enterprise infrastructure.

Each application or service that connects to Office 365 must authenticate itself. When Basic Authentication is disabled in the near future, every program that uses legacy protocols to connect to Exchange Online will stop working.

To avoid disruption and data loss, and to ensure business continuity, you have to act.

If you’re using Outlook 2010 (or an older version), your email clients won’t be able to connect to Office 365 once Basic Authentication is disabled. Those using Outlook 2011 for Mac should be aware that it won’t support modern authentication at all.

Companies still using Outlook 2013 have to make registry changes to enable OAuth 2.0 in order to keep using it. As Remote PowerShell is on its way out, make sure to switch to the modern Exchange Online PowerShell V2 module.

Where a tenant already qualifies for having Basic Authentication disabled, the IT department will have to get to work updating or upgrading software on multiple workstations. In other words, IT administrators across Australia must (if they haven’t already) start preparing for what will eventually come.

As Outlook relies on Exchange Web Services (EWS) to run its core features, tenants still using Basic Authentication must enable modern authentication before it’s disabled.
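Before blocking anything, you want to know which clients in your tenant still sign in over the legacy protocols listed above, and which of those protocols are absorbing failed sign-ins (the password spray pattern mentioned earlier). The following Python script is an added example, not code from this page or from Microsoft; it assumes an Azure AD sign-in log export using the Microsoft Graph signIn field names (`userPrincipalName`, `clientAppUsed`, `status.errorCode`) and runs over a constructed sample.

```python
import json
from collections import Counter, defaultdict

# clientAppUsed values that indicate a legacy (Basic Authentication) protocol.
# Assumption: the export uses Microsoft Graph signIn field names; adjust the
# set to match what your tenant's export actually contains.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "Exchange Web Services", "IMAP4", "POP3",
    "Exchange Online PowerShell", "SMTP", "Other clients",
}

# Constructed sample export (not real tenant data); errorCode 0 = success.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2020-05-04T08:01:12Z", "userPrincipalName": "alice@example.com",
     "clientAppUsed": "Browser", "status": {"errorCode": 0}},
    {"createdDateTime": "2020-05-04T08:02:40Z", "userPrincipalName": "bob@example.com",
     "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
    {"createdDateTime": "2020-05-04T08:03:05Z", "userPrincipalName": "bob@example.com",
     "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
    {"createdDateTime": "2020-05-04T08:05:19Z", "userPrincipalName": "carol@example.com",
     "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 0}},
    {"createdDateTime": "2020-05-04T08:07:31Z", "userPrincipalName": "erin@example.com",
     "clientAppUsed": "SMTP", "status": {"errorCode": 50126}},
    {"createdDateTime": "2020-05-04T08:07:33Z", "userPrincipalName": "frank@example.com",
     "clientAppUsed": "SMTP", "status": {"errorCode": 50126}},
])

def triage_legacy_signins(signins_json):
    """Return (migrating, failed): successful legacy sign-ins per user, i.e. the
    clients that will break once Basic Authentication is disabled, and failed
    legacy attempts per protocol (many failures spread across accounts looks
    like a password spray, which is what disabling these protocols stops)."""
    migrating = defaultdict(Counter)
    failed = Counter()
    for entry in json.loads(signins_json):
        app = entry.get("clientAppUsed", "")
        if app not in LEGACY_CLIENT_APPS:
            continue  # modern-auth clients are unaffected by the change
        if entry.get("status", {}).get("errorCode", 0) == 0:
            migrating[entry["userPrincipalName"]][app] += 1
        else:
            failed[app] += 1
    return {u: dict(c) for u, c in migrating.items()}, failed

if __name__ == "__main__":
    users, fails = triage_legacy_signins(SAMPLE_SIGNINS)
    print("clients to migrate:", users)
    print("failed legacy attempts:", dict(fails))
```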

Basic Authentication vs. Modern Authentication

While this forced switch might feel overwhelming or just plain frustrating, you have to remember that it’s for your own good. ADAL-based modern authentication and OAuth 2.0 are far more secure than Basic Authentication.

Why?

Basic Authentication requires each app or program to send your credentials (your login and password) with every single request. To do that, the program has to store your user credentials in its settings. This increases your exposure to risk: a threat actor who obtains the stored or transmitted password gains access to your IT infrastructure.

This legacy approach also does not support granular or scoped permissions. This means that any app connecting to Microsoft 365 over Basic Authentication protocols can access all of the user’s data. In the current threat landscape, it’s best to grant access only to the data and application resources needed to get the work done, and not one bit more.

Once you make the switch to modern authentication, you add another layer of security. This approach goes a long way toward supporting your established security and privacy policies.

To learn more, read Microsoft’s blog post on the change or contact IT support.