Microsoft Set to Turn Off Basic Authentication


Microsoft Set to Turn Off Basic Authentication: How Does This Affect You?

The sharp rise in cyber attacks in recent years has been a major concern among organizations and businesses. In a bid to stop these attacks, or at least significantly reduce the risk, Microsoft announced its intention to turn off basic authentication for all its tenants on Microsoft 365.

In 2021, the Microsoft Exchange team announced that they would end support for any protocol on the Exchange Online service still using Basic Authentication past the Oct. 13th, 2020, deadline. Such protocols would include Internet Message Access Protocol (IMAP), Post Office Protocol (POP), SMTP AUTH, MAPI, OAB, RPC, and Exchange ActiveSync.

However, due to the distractions from the COVID pandemic, it was difficult to actualize this major milestone, and in February 2021, the plan was postponed indefinitely. Everything is slowly going back to normal, and now companies have approximately one year to get ready to turn off Basic Authentication on all protocols.

Microsoft set a new date for the turn-off and announced it in September 2021, stating that: “Today, we are announcing that, effective October 1, 2022, we will begin to permanently disable Basic Auth in all tenants, regardless of usage, with the exception of SMTP Auth.”

This change aims to improve security for all Microsoft 365 customers by offering them stronger security options than the outdated Basic Authentication.

How Does the Basic Authentication Block Affect You?

Microsoft is set to begin shutting down basic authentication for all of its tenant protocols in October 2022. After the shutdown, all clients that use basic authentication in the affected tenants will no longer connect to Microsoft 365.

Those using SMTP AUTH protocols will have a 12-48 hour window after the shutdown to move to modern authentication, but all other protocols will remain disconnected. Therefore, companies and organizations have some time to prepare for this transition and can move their Exchange Online organization to Modern Authentication before Microsoft turns off basic authentication.

How Should You Prepare for the Scheduled Basic Authentication Turn-off?

Before Microsoft turns off basic authentication on all protocols, you can start transitioning your systems to modern authentication so that you are not affected. This means you can turn off basic authentication for your organization and start using modern authentication right away.

Basic authentication requires only a username and a password for a user to access the system. Even though this has long been the standard for securing a system, it now poses a significant risk to any system, as a cyber attacker can easily steal this information.

On the other hand, modern authentication incorporates multiple authentication methods like Multi-factor Authentication (MFA), authorization methods like Open Authorization (OAuth), and a dedicated server for conditional access like Azure Active Directory (Azure AD).

Moving your organization’s systems from basic authentication to modern authentication will boost your security significantly and, in turn, keep attackers at bay.

Here are some steps you can follow to transition with ease.

1. Check if modern authentication is on in your Exchange Online organization

Modern authentication is enabled automatically on every program, service, or app that connects to Microsoft 365. So you must first verify this and ensure that your Exchange Online organization has enabled modern authentication. Also, check your email clients and other apps to confirm whether they support modern authentication.

However, you might need to update things and make some changes if your company still uses any of the following:

  • Outlook 2013 – You’ll need to make changes in the registry before you enable OAuth.
  • Outlook 2010 or older – Email clients will not connect to Microsoft 365 if basic authentication is disabled.
  • Remote PowerShell – You’ll need to connect with the Exchange Online PowerShell V2 module so that you can use modern authentication.

If you are using any other app, add-in, or service that doesn’t support modern authentication, it’s time to upgrade or replace it so that it’s not affected when Microsoft shuts down basic authentication.

Here are some clients that support modern authentication:

  • Outlook 2013 or later (Outlook 2013 requires a registry key change. See Enable Modern Authentication for Office 2013 on Windows devices for more information.)
  • Outlook 2016 for Mac or later
  • Outlook for iOS and Android
  • Mail for iOS 11.3.1 or later

2. Disable basic authentication in Exchange Online

Once you have confirmed that your Exchange Online organization supports modern authentication, or have upgraded any apps that could not support it, you can turn off basic authentication so that your organization runs on modern authentication.

You can do this in three simple steps.

Step 1: Create the authentication policy

The new authentication policy should block basic authentication for all client protocols available in Exchange Online. The name you choose for the policy is permanent, and you cannot change it later, so make sure it clearly states what you want the policy to do.

Step 2: Assign the new authentication policy to the Exchange Online users

You can choose to assign the authentication policy to individual users or to accounts filtered by attributes like department or title. If only certain people need to change from basic authentication to modern authentication, you can assign the policy to a list of these specific people.

You can also remove the policy assignment after assigning it if the assigned individual doesn’t need it. To do that, use the value $null for the AuthenticationPolicy parameter on the Set-User cmdlet.

Step 3: Wait for the authentication policy to apply

Any policy assignment takes 24 hours to apply. So every user who receives the policy assignment will have their basic authentication disabled within that period, and then they can start using modern authentication.

If you’d prefer to apply the authentication policy immediately, you can use this syntax.

Set-User -Identity <UserIdentity> -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)

The changes will take effect within 30 minutes, and the individual users can start using modern authentication right away.
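The check from section 1 and the three steps above, put together as an added example that is not part of the original article. The admin account, pilot mailbox, policy name and the 'Sales*' department filter are placeholders chosen for illustration.

```powershell
# Added example. All names below are placeholders (assumptions).
$AdminUpn   = 'admin@contoso.example'       # placeholder admin account
$PolicyName = 'Block Basic Auth'            # policy names cannot be changed later
$PilotUser  = 'pilot.user@contoso.example'  # placeholder pilot mailbox

# Connect with the Exchange Online PowerShell V2 module (modern auth sign-in).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn

# Section 1: confirm modern authentication is on before blocking basic auth.
$org = Get-OrganizationConfig
if (-not $org.OAuth2ClientProfileEnabled) {
    throw 'Modern authentication is disabled for this organization; enable it first.'
}

# Step 1: create the policy once. A policy created with only -Name leaves
# every AllowBasicAuth* switch at False, so basic auth is blocked everywhere.
if (-not (Get-AuthenticationPolicy | Where-Object Name -eq $PolicyName)) {
    New-AuthenticationPolicy -Name $PolicyName | Out-Null
}
Get-AuthenticationPolicy -Identity $PolicyName | Format-List Name, AllowBasicAuth*

# Step 2a: assign the policy to one pilot user first.
Set-User -Identity $PilotUser -AuthenticationPolicy $PolicyName

# Step 2b: assign by attribute (here: mailboxes whose Department starts with 'Sales').
$filter  = "(RecipientType -eq 'UserMailbox') -and (Department -like 'Sales*')"
$targets = Get-User -ResultSize Unlimited -Filter $filter
foreach ($u in $targets) {
    Set-User -Identity $u.MicrosoftOnlineServicesID -AuthenticationPolicy $PolicyName
}

# Step 3: do not wait for the default propagation; invalidate the pilot
# user's existing refresh tokens so the policy applies on the next sign-in.
Set-User -Identity $PilotUser -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)

# Verify the assignment landed on the account.
Get-User -Identity $PilotUser | Format-List Name, AuthenticationPolicy

# Roll back a single user if a legacy client breaks:
# Set-User -Identity $PilotUser -AuthenticationPolicy $null

Disconnect-ExchangeOnline -Confirm:$false
```

Starting with a pilot user and checking the AllowBasicAuth* values before the bulk assignment makes it easier to spot a legacy client that still depends on basic authentication.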

Conclusion

Microsoft’s plan to change from basic authentication to modern authentication will be a little challenging for most clients. But it’s a sure way to block out cyber attackers and keep the systems safe. It’s a task that requires everyone’s cooperation to secure the online space.

Pure IT is committed to helping you out on all things Microsoft. These include any Microsoft support and Microsoft networking needs your business may have. Contact us now.