Deprecation of Basic authentication in Exchange Online

How does Basic authentication work?

  • The application sends a username and password with every request, and these credentials are frequently kept on the device. Basic authentication is enabled by default on most servers and services and is straightforward to configure.

Why is Microsoft getting rid of it?

  • Basic authentication makes it easier for attackers to obtain user credentials (especially if the credentials are not protected by TLS), which increases the likelihood that these stolen credentials will be misused against other endpoints and services. Moreover, enforcing Multifactor Authentication (MFA) is neither straightforward nor, in certain situations, even practicable when Basic authentication is enabled.
  • Basic authentication is an obsolete standard in the industry. Since Microsoft’s initial announcement that they would disable it, the dangers posed by it have only escalated. There are superior and more effective options for user authentication.

The deprecation of basic authentication will prohibit the usage of app passwords with applications that do not support two-step verification.

What changed? 

  • Microsoft has removed Basic authentication from Exchange Online for Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, Exchange Web Services (EWS), Offline Address Book (OAB), Autodiscover, Outlook for Windows, and Outlook for Mac.
  • Additionally, they are disabling SMTP AUTH in all tenants where it is not used.

Important: This decision requires users to transition from apps using Basic authentication to apps using Modern authentication. Modern authentication (OAuth 2.0 token-based authorization) offers numerous advantages and enhancements that help mitigate the drawbacks of Basic authentication. OAuth access tokens, for instance, have a limited lifetime and are unique to the apps and resources for which they are provided, so they cannot be reused elsewhere. Modern authentication also makes it simple to enable and enforce Multifactor Authentication (MFA).
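The contrast between the two schemes can be seen in the Authorization header itself. The following is an added example, not code from Microsoft or from this article: it reports what each header type exposes. The account, password and token are constructed, and the bearer token is assumed to be JWT-formatted with `aud` and `exp` claims.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def describe_authorization(header: str, now: float) -> dict:
    """Report what an Authorization header value exposes to anyone who reads it."""
    scheme, _, value = header.partition(" ")
    if scheme.lower() == "basic":
        # Base64 is an encoding, not encryption: the password is recoverable
        # from every single request that carries this header.
        user, _, password = base64.b64decode(value).decode("utf-8").partition(":")
        return {"scheme": "basic", "user": user,
                "password_recoverable": bool(password), "expires_in": None}
    if scheme.lower() == "bearer":
        # Claims are read without signature verification, for inspection only.
        claims = json.loads(_b64url_decode(value.split(".")[1]))
        return {"scheme": "bearer", "audience": claims.get("aud"),
                "password_recoverable": False,
                "expires_in": int(claims["exp"] - now)}
    raise ValueError(f"unsupported scheme: {scheme!r}")


def _b64url(obj: dict) -> str:
    # Helper used only to build the constructed sample token below.
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample values: the account, password and token are made up.
NOW = 1_700_000_000
BASIC_HEADER = "Basic " + base64.b64encode(b"alice@example.com:CorrectHorse1").decode()
BEARER_HEADER = "Bearer " + ".".join([
    _b64url({"alg": "none", "typ": "JWT"}),
    _b64url({"aud": "https://outlook.office365.com", "exp": NOW + 3600}),
    "",
])

if __name__ == "__main__":
    for sample in (BASIC_HEADER, BEARER_HEADER):
        print(describe_authorization(sample, NOW))
```

The Basic header yields the long-lived password on every request, while the bearer token carries only an audience and an expiry time.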

How does this change impact you?

  • This modification affects your programs and scripts in many ways.

POP, IMAP, and SMTP AUTH:

  • Microsoft introduced OAuth 2.0 support for POP, IMAP, and SMTP AUTH in 2020. Some client applications (Thunderbird, for example) have been updated to support additional authentication types, so users with up-to-date versions can change their configuration to use OAuth. There are no plans for Outlook clients to support OAuth for POP and IMAP, but they can connect through MAPI/HTTP (Windows clients) and EWS (Outlook for Mac).

Exchange ActiveSync (EAS):

  • Numerous people use mobile devices that are configured to use EAS. If they are using Basic authentication, this change will affect them.

Microsoft suggests using Outlook for iOS and Android for Exchange Online connections.

Microsoft Enterprise Mobility + Security (EMS) fully integrates into Outlook for iOS and Android, enabling conditional access and app protection (MAM) capabilities. Outlook for iOS and Android lets you secure your users and business data, and it supports Modern authentication by default.

There are several email apps for mobile devices that support Modern authentication. Typically, the built-in email programs for all popular platforms offer Modern authentication. Thus, the solution may be to ensure that your device is running the app’s most recent version. If the email app is up-to-date but still uses Basic Authentication, you may need to remove the account from the device and re-add it.

Outlook, MAPI, RPC, and Offline Address Book (OAB):

  • Modern Authentication is enabled by default in all versions of Outlook for Windows released after 2016. Therefore, you are likely already using it. Exchange Online has discontinued Outlook Anywhere (previously known as RPC over HTTP) in favour of MAPI over HTTP. Outlook for Windows utilizes MAPI over HTTP, EWS, and OAB to access mail, configure availability and out-of-office, and download the Offline Address Book. All of these protocols are compatible with Modern authentication.

Outlook 2007 and 2010 are incompatible with Modern Authentication and cannot connect. Outlook 2013 requires a configuration to allow Modern Authentication; however, once the setting is configured, Outlook 2013 can use Modern authentication without any complications. As stated previously, Outlook 2013 requires a minimum level of updates to connect to Exchange Online.

Outlook for Mac supports Modern Authentication.

The changes mentioned in this article may influence your ability to connect to Exchange Online. Therefore, you should take the necessary measures to determine if you are impacted and to ensure you can continue to connect once the changes are implemented.

If your organization has multiple users:

It is advised that you study the impact on your users. Keep an eye out for Message Center entries that summarise your usage or declare that you have none.

Create a remediation plan once you know the users who are utilizing Basic Authentication. This may involve upgrading client software, reconfiguring applications, changing scripts, or contacting third-party app providers for updated code or applications.
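One way to build the list of affected users is to group an exported sign-in log by legacy protocol. This is an added example, not part of the original article or any Microsoft tooling: the JSON export, its `userPrincipalName` and `clientAppUsed` field names, and the client-app labels are assumptions to adjust to your own export, and the sample records are constructed.

```python
import json
from collections import defaultdict

# Assumed client-app labels in the export, mapped to the protocol names
# used in this article. Extend the mapping to match your own data.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync": "EAS",
    "POP3": "POP",
    "IMAP4": "IMAP",
    "Authenticated SMTP": "SMTP AUTH",
    "Exchange Web Services": "EWS",
}

# Constructed sample export: users and records are made up.
SAMPLE_EXPORT = json.dumps([
    {"userPrincipalName": "Alice@example.com", "clientAppUsed": "IMAP4"},
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Authenticated SMTP"},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "Browser"},
    {"userPrincipalName": "carol@example.com", "clientAppUsed": "Exchange ActiveSync"},
    {"userPrincipalName": "carol@example.com",
     "clientAppUsed": "Mobile Apps and Desktop clients"},
])


def legacy_usage(export_json: str) -> dict:
    """Return {user: [legacy protocols seen]} as a remediation worklist."""
    usage = defaultdict(set)
    for record in json.loads(export_json):
        protocol = LEGACY_CLIENT_APPS.get(record.get("clientAppUsed", ""))
        if protocol is None:
            continue  # not one of the legacy client apps listed above
        # Normalise case so one mailbox is not counted twice.
        user = (record.get("userPrincipalName") or "(unknown)").lower()
        usage[user].add(protocol)
    return {user: sorted(protocols) for user, protocols in sorted(usage.items())}


if __name__ == "__main__":
    for user, protocols in legacy_usage(SAMPLE_EXPORT).items():
        print(f"{user}: {', '.join(protocols)}")
```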

If you need help with your HostPapa account, please open a support ticket from your dashboard.
