Update: The full timeline for retirement of Basic Authentication in Exchange Online is now published in Basic Authentication Deprecation in Exchange Online – September 2022 Update.
For many years, client apps have used Basic Authentication to connect to servers, services and endpoints. It is enabled by default on most servers and services and it’s super simple to set up. Basic Authentication simply means the application sends a username and password with every request (often stored or saved on the device).
Simplicity isn’t at all bad in itself, but Basic Authentication makes it easier for attackers armed with today’s tools and methods to capture users’ credentials (particularly if not TLS protected), which in turn increases the risk of credential re-use against other endpoints or services. Multi-factor authentication (MFA) isn’t easy to enable when you are using Basic Authentication and so all too often it isn’t used.
Simply put, there are better and more effective alternatives to authenticate users available today, and we are actively recommending to customers to adopt security strategies such as Zero Trust (i.e. Trust but Verify) or apply real time assessment policies when users and devices are accessing corporate information. This allows for intelligent decisions to be made about who is trying to access what from where on which device rather than simply trusting an authentication credential which could be a Bad Actor impersonating a user.
With these threats and risks in mind, we’re taking steps to improve data security in Exchange Online.
What We’re Changing
Last year we announced we are turning off Basic Authentication for Exchange Web Services on October 13, 2020. Today, we are announcing we are also turning off Basic Authentication in Exchange Online for Exchange ActiveSync (EAS), POP, IMAP and Remote PowerShell at the same time – October 13, 2020.
We want your help in getting users to move away from apps that use Basic Authentication, to apps that use Modern Authentication. Modern Authentication (which is OAuth 2.0 token based auth) has many benefits and improvements that help mitigate the issues present in Basic Authentication. For example, OAuth access tokens have a limited usable lifetime and are specific to the applications and resources they are issued for so they can’t be re-used. Enabling and enforcing MFA is also very simple with Modern Auth.
Please note this change does not affect SMTP AUTH – we will continue supporting Basic Authentication for the time being. There is a huge number of devices and appliances that use SMTP for sending mail, and so we’re not including SMTP in this change – though we are working on ways to further secure SMTP AUTH and we’ll share more on that in due course. Nor does this change affect Outlook for Windows or Mac assuming they are already configured and using Modern Auth (and they really should be).
How This Impacts You
This change might affect some of your users or apps, so we wanted to provide additional information to help you in identifying and deciding upon an action plan.
Firstly, how does this impact your own tenant administration? You probably use Remote PowerShell (RPS) to access Exchange Online, hopefully with the MFA module. If so, you might also consider switching some of your day to day usage to using PowerShell within Azure Cloud Shell. We are also making significant investments in RPS to make the MFA module work better and we’ll be sharing some more information on that in due course.
Finding impacted users
The next action you really need to be thinking about is assessing client impact. The first question you probably have is – so how do I know who’s using Basic Authentication in my tenant? Great question, and soon we’ll make a report available to help you easily answer that question for yourself. It’s a report that provides tenant admins with a simple way to determine who is using Basic Auth so you, the admin, can see how large of a task you have on your hands.
Once you understand what your users use, and know if they are using Basic or Modern Authentication, what can you do about it? Each of the impacted protocols have options.
POP and IMAP
So let’s talk about POP and IMAP. We know there’s still some usage out there, not much, but some. We’re planning on adding OAuth support to both POP and IMAP in the next few months. If you want to keep using these protocols, you’ll need to update the app to one that supports Modern Auth. Or better yet – get the user to use a more modern client (did you know we’ve added shared mailbox support to the Outlook app for iOS and Android? That’s one reason some people have been using POP and IMAP), or get the application developer to start using OAuth.
The client app you might have the most usage with probably uses Exchange ActiveSync. There are many users out there with mobile devices set up with EAS. If they are using Basic Auth (and many of them are), now’s the time to do something about that. What are your choices?
Without doubt, we believe the best mobile device client to use when connecting to Exchange Online is Outlook mobile. Trusted by over 100M users across the world, Outlook mobile fully integrates Microsoft Enterprise Mobility + Security (EMS) enabling conditional access and app protection (MAM) capabilities. Outlook mobile helps you secure your users and your corporate data, and it natively supports Modern Authentication.
There are of course other email apps for mobile devices that support Modern Authentication too, so that’s another option.
For users that don’t want an app, or for users that have a device for which there is no app, they could switch to the browser on their mobile device. Outlook on the Web is used by millions of users every month, it’s feature-rich and we have a version ideal for mobile browsers. You can access it on a mobile device by navigating to https://outlook.office365.com. We’ll know it’s a mobile device you are using so we have a special experience just waiting for you. Go try it.
We know the change from Basic Auth to Modern Auth will potentially cause some disruption. For some users, any time they have to do something different, it’s challenging for them, but we want to do this together to improve security and protect your data and your users data. Disabling Basic Authentication and requiring Modern Authentication with MFA is one of the best things you can do to improve the security of data in your tenant, and that has to be a good thing.
The last thing to make clear - this change only affects Exchange Online, we are not changing anything in the Exchange Server on-premises products. We think turning off Basic Auth on-premises is a great idea too, by the way, and here’s something we published recently on that subject.
We know this is big news and we’re here to help. Please do leave us comments or questions and we’ll do our best to help.
The Exchange Team