Time is running out to prepare for the removal of Basic Authentication on Exchange Online, which could cause issues if updates aren’t made by Microsoft’s deadline.
Companies that use Active Directory for identity management have relied on basic authentication to allow users to access desktops, network resources, and other services within the environment. As more and more organizations use online services, this legacy authentication approach is not secure enough. Microsoft recognized the high risk associated with Basic Authentication and pushed to move to the more secure Modern Authentication. Support for Basic Authentication in Office 365 ends on October 1, requiring businesses that rely on the platform to prepare for this Modern Authentication deadline from Microsoft.
Why basic authentication lacks security
Technically, there are several reasons why Basic Authentication is not a sufficiently secure method of authentication. Every request to connect to an application or website, even over a secure channel such as HTTPS, transmits the username and password, which puts the company at risk of leaking user credentials. Multi-factor authentication (MFA) can be difficult or impossible with basic authentication in place. Finally, Basic Authentication has not received significant changes or updates in the products that depend on it for authentication, such as the Microsoft Identity Platform.
For modern authentication, customers have several authentication alternatives that do not rely on the basic username and password exchange, such as OAuth and SAML. These and other federation methods offer a much more secure alternative to basic authentication, relying on token-based claims for access to Internet resources and services. Microsoft Modern Authentication uses the OAuth2 protocol and security tokens, which administrators can use to approve or revoke access to resources. The modern authentication method eliminates some of the risks associated with exchanging a username and password each time a user needs to authenticate.
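The difference between the two schemes is visible in the `Authorization` header itself. The following is an added example, not code from the article or from Microsoft: the function names, the account, the password and the unsigned token with its claims are all constructed for illustration.

```powershell
# Hypothetical helper: base64url-encode a string (used only to build the sample token).
function ConvertTo-Base64Url([string] $Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

# Hypothetical function: report what a captured Authorization header gives away.
function Get-AuthorizationHeaderExposure {
    param([Parameter(Mandatory)] [string] $Header)

    $scheme, $value = $Header -split '\s+', 2
    switch ($scheme) {
        'Basic' {
            # Base64 is an encoding, not encryption: the credentials decode directly.
            $pair = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($value))
            $user, $password = $pair -split ':', 2
            [pscustomobject]@{
                Scheme   = 'Basic'
                Identity = $user
                Exposes  = "reusable password ($($password.Length) chars) on every request"
                Expires  = 'only when the password is changed'
            }
        }
        'Bearer' {
            # A JWT payload is the second dot-separated segment, base64url-encoded.
            $seg = ($value -split '\.')[1].Replace('-', '+').Replace('_', '/')
            $seg = $seg.PadRight($seg.Length + (4 - $seg.Length % 4) % 4, '=')
            $claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($seg)) | ConvertFrom-Json
            [pscustomobject]@{
                Scheme   = 'Bearer'
                Identity = $claims.upn
                Exposes  = "token limited to audience $($claims.aud)"
                Expires  = [DateTimeOffset]::FromUnixTimeSeconds($claims.exp).UtcDateTime.ToString('u')
            }
        }
        default { throw "Unsupported scheme: $scheme" }
    }
}

# Constructed sample headers (no real account, password or token).
$basic   = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes('alice@contoso.example:Constructed-Passw0rd'))
$payload = '{"aud":"https://outlook.office365.com","upn":"alice@contoso.example","exp":1700000000}'
$bearer  = 'Bearer ' + (ConvertTo-Base64Url '{"alg":"RS256","typ":"JWT"}') + '.' + (ConvertTo-Base64Url $payload) + '.constructed-signature'

$basic, $bearer | ForEach-Object { Get-AuthorizationHeaderExposure -Header $_ } | Format-List
```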
Office 365 services that will be affected by the modern authentication deadline
Without a migration to Modern Authentication by October 1, several Office 365-related areas will not work properly past Microsoft’s deadline.
Basic authentication in Exchange Online. Microsoft will stop supporting Basic Authentication in Microsoft Exchange Online services on October 1. Components of the hosted email platform that will stop working with Basic Authentication include Exchange ActiveSync, Exchange Web Services, IMAP, Offline Address Book, POP, and Remote PowerShell.
Outlook client support for Exchange Online. After the deadline, some older versions of Microsoft Outlook will not receive email, including Outlook 2010 and Outlook 2013 for Windows and Outlook for Mac 2011. Organizations using these legacy versions will need to upgrade to avoid disruption.
Compliance and cybersecurity. The increase in email phishing attempts and hacked user accounts has caused many companies, including several cybersecurity firms, to mandate the use of MFA for email. In Office 365, modern authentication is required for MFA.
How to Enable Modern Authentication
The move to modern authentication affects the entire organization. It changes how the system authenticates users across a range of resources, including third-party apps, PowerShell scripts, and the Microsoft Office suite. Microsoft offers an Azure Active Directory (AD) sign-in report that shows systems that rely on basic authentication to help administrators understand the scope of the migration effort.
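One way to triage an exported sign-in report for the Exchange Online protocols this article lists, as an added example that is not Microsoft's or the author's code. The CSV rows are constructed, and the column names, the `Client app` strings and the `Get-LegacyAuthSummary` function name are assumptions to adjust to the actual export.

```powershell
# Constructed sample of an exported sign-in report (column names are assumptions).
$csv = @'
Date (UTC),User,Application,Client app,Status
2000-01-03T08:01:00Z,alice@contoso.example,Office 365 Exchange Online,Exchange ActiveSync,Success
2000-01-03T08:02:10Z,alice@contoso.example,Office 365 Exchange Online,Mobile Apps and Desktop clients,Success
2000-01-03T08:05:42Z,svc-report@contoso.example,Office 365 Exchange Online,Exchange Online PowerShell,Success
2000-01-03T08:07:15Z,bob@contoso.example,Office 365 Exchange Online,IMAP4,Failure
2000-01-03T08:07:16Z,bob@contoso.example,Office 365 Exchange Online,IMAP4,Failure
2000-01-03T08:09:30Z,carol@contoso.example,Office 365 Exchange Online,Browser,Success
2000-01-04T09:15:00Z,alice@contoso.example,Office 365 Exchange Online,Exchange ActiveSync,Success
'@

# Hypothetical function: one row per user and legacy protocol, busiest first.
function Get-LegacyAuthSummary {
    param([Parameter(Mandatory)] [object[]] $SignIn)

    # Assumed "Client app" strings for the protocols named in the article.
    $legacy = 'Exchange ActiveSync', 'Exchange Web Services', 'IMAP4', 'POP3',
              'Offline Address Book', 'Exchange Online PowerShell'

    $SignIn |
        Where-Object { $legacy -contains $_.'Client app' } |
        Group-Object -Property User, 'Client app' |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                User     = $first.User
                Protocol = $first.'Client app'
                SignIns  = $_.Count
                # Repeated failures on a legacy protocol deserve a closer look.
                Failures = @($_.Group | Where-Object Status -eq 'Failure').Count
                # ISO 8601 timestamps sort correctly as strings.
                LastSeen = $_.Group.'Date (UTC)' | Sort-Object | Select-Object -Last 1
            }
        } |
        Sort-Object SignIns -Descending
}

$rows = $csv | ConvertFrom-Csv
Get-LegacyAuthSummary -SignIn $rows | Format-Table -AutoSize
```

Service accounts and scripts that show up in the summary usually need more migration work than interactive users, who only have to sign in again with a supported client.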
If users are running a version of Outlook later than 2013 that supports Modern Authentication, the switch is simple. After modern authentication is enabled, the user restarts Outlook and authenticates again.
To enable Modern Authentication for a tenant, admins use the drop-down menu in the Office 365 admin center under Settings > Organization Settings > Modern Authentication. Exchange administrators also have the option to block the use of basic authentication before the October deadline by unchecking the options under the Allow access to basic authentication protocols section in the same menu.
Enable Modern Authentication with PowerShell
Administrators can use PowerShell commands to enable Modern Authentication. First, the administrator must determine if modern authentication is already in use with the following command:
Get-OrganizationConfig | Format-Table Name, OAuth2ClientProfileEnabled
If the output is True, the tenant is already configured with MFA. If the value is False, the administrator can run the following command to set authentication to modern:
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
Plan ahead to avoid disruption
With the Basic Authentication expiration date fast approaching, businesses have little choice but to make the switch.
Organizations with outdated Office products may be the first to find that they can no longer keep those older versions. Organizations that want to improve their security posture will find that a migration to modern authentication improves their ability to mitigate certain security gaps. Now is the time to prepare for the transition to avoid issues with email and other Office 365 services.