Microsoft is issuing yet another alert to Exchange Online users who continue to utilize Basic Authentication, this time, 150 days from its final active status. In a post on the Exchange Team Blog, Microsoft references its first warning back in September 2021, when the company urged customers and partners to move their clients away from the use of Basic Authentication and towards Modern Authentication.
With a deadline of October 1, 2022, looming just 150 days out, Microsoft is once again encouraging customers and partners to begin the transition to Modern Authentication due to the increasing number of compromises that are occurring due to high levels of attack threats in recent days. Per the company:
As a reminder, Basic Auth is still one of, if not the most common ways our customers get compromised, and these types of attacks are increasing. We’ve disabled Basic Auth in millions of tenants that weren’t using it, and we’re currently disabling unused protocols within tenants that still use it, but every day your tenant has Basic Auth enabled, you are at risk from attack.
Microsoft goes into further details about the sunsetting of Basic by listing the protocols that will lose access to it automatically on October 1, 2022, such as, MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, and Remote PowerShell. According to Microsoft:
For customers and partners using SMTP AUTH, they will keep the ability to manually shut it down after the October 1 deadline but Microsoft strongly encourages users to end access. While there will be no exceptions after October 1, 2022 to the use of Basic, Microsoft has put together a list of things to do to prepare over the next 150 days.
If you have Outlook for Windows, make sure it’s up to date, has the right registry keys in place and most importantly – that the tenant-wide switch to enable is set to True! Without that setting Outlook for Windows won’t use Modern Auth. So, turn it on. If clients are already logged in to another Microsoft 365 app, such as Teams, they are already authenticated and so it’s very likely they will not see any kind of auth prompt. We are turning this setting on for customers as we disable Basic Auth for MAPI/RPC in the tenant, but not before. We want to make sure Outlook can connect using Modern Auth once Basic Auth is disabled. Outlook doesn’t support OAuth with POP and IMAP – if you want to use POP and IMAP, with a client app, you’ll need another app.
- POP/IMAP – we have several customers using these protocols for application access. POP and IMAP both support OAuth for interactive applications, and we’re rolling out support for non-interactive flows now. If you are a developer you’ll know where to look, and if you do that right now you’ll find the IMAP.AccessAsApp and POP.AccessAsApp permissions. We’ll have some guidance on how to use them very soon, so watch out for that.
- EWS apps – we also have several customers with apps that use EWS and Basic Auth. EWS supports app-only access and you can use Application Access Policies to control what an app can access – if you have apps using EWS with Basic Auth, you need to either modify the code, or get the app owner to do so. Many partner apps have support for Modern Auth, you just need to modify your configuration or update to the latest versions. Do it now!
- ActiveSync – all the native apps on up-to-date clients support Modern Auth, but many users devices are still using Basic Auth. If you use an MDM/MAM solution, use it to deploy new profiles. Here’s how you can use Intune to set the auth mechanism for iPhone and iPad, for example. If you don’t have an MDM, simply remove and re-add the account from the device and it should automatically switch to Modern Auth.
- PowerShell scripts – If you have scripts you need to run, follow this guide to use Modern Auth in your scripts.
- Reporting Web Services – the support for OAuth is rolling out now (to be completed by end of May). Basic Auth will be disabled starting October 1.
- Microsoft Teams Rooms – make sure they are using Modern Auth by following these steps.
Microsoft says it will issue another warning similar to today’s post about 7 days out from Basic Auth but following October 1, 2022 customers and partners will be on their own.