Microsoft Warns Exchange Online Basic Auth will be Disabled
Microsoft warned customers today that it will start disabling Basic Authentication in random tenants worldwide on October 1, 2022.
This reminder comes after the company’s September announcement and after seeing that there are still lots of customers who haven’t yet moved their clients and apps to Modern Authentication.
Basic Authentication (aka proxy authentication) is an HTTP-based auth scheme apps use to send locally stored credentials in plain text to servers, endpoints, or online services.
This allows attackers to capture credentials via man-in-the-middle attacks over TLS or guess them in password spray attacks. They can also steal the clear-text credentials stored by apps that use basic auth through various tactics, including info-stealing malware and social engineering.
Modern Authentication (Active Directory Authentication Library and OAuth 2.0 token-based authentication) uses OAuth access tokens with a limited lifetime that can’t be re-used to authenticate on other resources besides those they were issued for.
To make things even worse, enabling multi-factor authentication (MFA) is quite complicated when using basic auth, and it often isn’t used at all.
After toggling on modern auth, enabling and enforcing MFA become a lot less complicated, allowing for better security in Exchange Online as a direct and immediate result.
“As a reminder, Basic Auth is still one of, if not the most common ways our customers get compromised, and these types of attacks are increasing,” the Exchange team said.
“We’ve disabled Basic Auth in millions of tenants that weren’t using it, and we’re currently disabling unused protocols within tenants that still use it, but every day your tenant has Basic Auth enabled, you are at risk from attack.”
Microsoft will disable Basic Auth for the MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, and Remote PowerShell protocols.
SMTP AUTH has already been disabled on millions of tenants that weren’t using it and Microsoft will not disable it where it’s still in use.
To be clear, we will start on October 1; this is not the date we turn it off for everyone. We will randomly select tenants, send 7-day warning Message Center posts (and post Service Health Dashboard notices), then we will turn off Basic Auth in the tenant. We expect to complete this by the end of this year. You should therefore be ready by October 1. – The Exchange Team
Why is Microsoft deprecating basic auth?
There are many reasons why Redmond’s switch to Exchange Online modern authentication in all tenants is the right one, some of them already detailed above.
However, a Guardicore report from September 2021 further highlights the importance of pushing as many Exchange Online users as possible away from basic auth.
Amit Serper, at the time Guardicore’s AVP of Security Research, showed how hundreds of thousands of Windows domain credentials were leaked in plain text to external domains by misconfigured email clients using basic auth.
To disable Exchange Online Basic Auth before Microsoft fully decommissions it, you have to create and assign auth policies to individual users using the procedure detailed on the Exchange Online support website.
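The following Exchange Online PowerShell session is an added example of that procedure, not a script from the article or from Microsoft. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account can administer the tenant; the policy names, mailboxes and admin UPN are placeholders. It pilots a blocking Authentication Policy on one mailbox, makes it the tenant default, turns off SMTP AUTH (which Microsoft says it will not disable where it is still in use), and shows how to scope a narrow exception for a single legacy device rather than leaving Basic Auth on for everyone.

```powershell
# Added example: block Basic Auth in Exchange Online with Authentication Policies.
# Assumes the ExchangeOnlineManagement module and a tenant admin account.
# Policy names, mailboxes and the admin UPN below are placeholders.

Connect-ExchangeOnline -UserPrincipalName admin@example.onmicrosoft.com

# 1. Create a policy. A new policy blocks Basic Auth for every protocol by default,
#    which covers the protocols the article lists (MAPI, RPC, OAB, EWS, POP, IMAP,
#    Remote PowerShell) as well as SMTP AUTH, ActiveSync and Autodiscover.
New-AuthenticationPolicy -Name "Block Basic Auth"

# Confirm every AllowBasicAuth* switch on the new policy is False before rolling it out.
Get-AuthenticationPolicy -Identity "Block Basic Auth" | Format-List AllowBasicAuth*

# 2. Pilot: assign the policy to one mailbox and verify the assignment.
Set-User -Identity pilot.user@example.com -AuthenticationPolicy "Block Basic Auth"
Get-User -Identity pilot.user@example.com | Format-List AuthenticationPolicy

# Policy changes can take up to 24 hours to apply; refreshing the user's token
# validity timestamp makes the new policy take effect within about 30 minutes.
Set-User -Identity pilot.user@example.com -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)

# 3. Roll out: make it the tenant default so every user without an explicit
#    per-user policy is covered.
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

# 4. SMTP AUTH is not part of Microsoft's automatic disablement where it is still
#    in use, so turn off tenant-wide SMTP client submission separately.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# 5. If a legacy device genuinely needs one protocol during the migration, give
#    it its own narrow policy (here: IMAP only) instead of leaving Basic Auth on
#    for everyone. The switch parameter enables only that protocol.
New-AuthenticationPolicy -Name "Allow Basic IMAP Only" -AllowBasicAuthImap
Set-User -Identity scanner@example.com -AuthenticationPolicy "Allow Basic IMAP Only"

# 6. Report every user with an explicit (exception) policy so the list can be
#    reviewed and retired before Microsoft's own cut-off.
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy } |
    Select-Object UserPrincipalName, AuthenticationPolicy

Disconnect-ExchangeOnline -Confirm:$false
```

Note that the session itself is established with Connect-ExchangeOnline, which uses modern authentication, so running this script is unaffected by the Remote PowerShell Basic Auth shut-off the article describes. Keep the exception policies in step 5 time-boxed: anything still on a Basic Auth exception when Microsoft reaches your tenant will simply stop working.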
“There is no way to request an exception after October. Tenant selection is random, and we cannot put your tenant to the back of the queue to give you more time or change your settings on any specific date,” the Exchange team warned.
“If you want Basic Auth to be disabled at a time of your choosing (either now, or as soon as you are ready), use Authentication Policies.”
You can find more info on how to prepare for October’s Basic Auth deprecation and the best way to disable Basic Auth beforehand in the blog post published by The Exchange Team today.
Update May 0, 14:48 EDT: Corrected paragraph detailing basic auth risks.