Deprecation of Basic authentication in Exchange Online

ChristineM 41 Reputation points
2022-09-22T07:00:21.273+00:00

Hello,

I am really confused on https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online
Can someone help me understand what is going to happen after 1st October?

I have a free Azure AD license.

If I don't enable Security Defaults or 'per user MFA' for users, will they be forced to use multi-factor after 1st October?
I mean, I still want to use single-factor auth (I don't want to use an authenticator app or a code sent to my phone so I can log in).

What changes do I have to make? I checked ON modern auth (243823-image.png). I checked the Azure AD sign-in logs and I don't have any users using basic protocols. Is there something else I have to check and do?

So what exactly happens?

Thank you.


2 answers

  1. Harpreet Singh Matharoo 7,571 Reputation points Microsoft Employee
    2022-09-22T07:17:00.473+00:00

    Hello @ChristineM

    I would like to share my response as below:

    What is Basic Auth:
    Basic authentication simply means the application sends a username and password with every request, and those credentials are also often stored or saved on the device. Traditionally, Basic authentication is enabled by default on most servers or services, and is simple to set up. Simplicity isn't at all bad, but Basic authentication makes it easier for attackers to capture user credentials (particularly if the credentials are not protected by TLS), which increases the risk of those stolen credentials being reused against other endpoints or services.

    For more information you can review the following video link: Identity Architecture: Legacy authentication | Azure Active Directory

    What is Modern Auth
    Modern authentication is an umbrella term for a combination of authentication and authorization methods between a client (for example, your laptop or your phone) and a server, as well as some security measures that rely on access policies that you may already be familiar with. It includes:

    • Authentication methods: Multifactor authentication (MFA); smart card authentication; client certificate-based authentication
    • Authorization methods: Microsoft's implementation of Open Authorization (OAuth)
    • Conditional access policies: Mobile Application Management (MAM) and Azure Active Directory (Azure AD) Conditional Access

    For more information you can review the following video link: The basics of modern authentication - Microsoft identity platform

    What are we changing and what do you need to be aware of?
    We will be disabling Basic Auth access for MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS), and Remote PowerShell. If your users use any of these protocols, they might not be able to log in. We will post a message to the Message Center 7 days prior, and we will post Service Health Dashboard notifications to each tenant on the day of the change.

    We will not be disabling or changing any settings for SMTP AUTH.

    If you have removed your dependency on basic auth or if you do not find any basic auth sign-in in your tenant, then this will not affect your tenant or users. If you have not (or are not sure), check the Message Center for the latest data contained in the monthly usage reports we have been sending monthly since October 2021. The data for August 2022 will be sent within the first few days of September.

    What do you need to do prior to 1st October to make sure there is no impact?
    I reviewed the screenshot uploaded and we can confirm that Modern Auth is enabled on your tenant. Enabling Modern Auth means your users would be able to perform MFA when using Office Applications if the client supports the same. This change does not mean that you need to enable Security Defaults. Even if you use Per-User MFA it would be fine and supported.

    Microsoft has been posting content on deprecation of Basic Auth since 2018. I would like to share the following few blog posts by the Exchange team which would give you better insights and understanding about the change:

    I hope this helps and answers your query.

    ----------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
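
As an added example (not part of the answer above and not Microsoft's code), one way to double-check an exported sign-in log for the protocols the answer lists as losing Basic auth, with SMTP AUTH reported separately. The `clientAppUsed` and `userPrincipalName` field names and the client-app labels are assumptions about the export format, and the sample records are constructed:

```python
import json

# clientAppUsed labels (assumed export values) -> protocol name used in the answer.
AFFECTED = {
    "mapi over http": "MAPI",
    "outlook anywhere (rpc over http)": "RPC",
    "offline address book": "OAB",
    "exchange web services": "EWS",
    "pop3": "POP",
    "imap4": "IMAP",
    "exchange activesync": "EAS",
    "exchange online powershell": "Remote PowerShell",
}
SMTP_AUTH = "authenticated smtp"  # not disabled or changed, per the answer

# Constructed sample export; users and values are illustrative only.
SAMPLE_EXPORT = json.dumps([
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser", "status": {"errorCode": 0}},
    {"userPrincipalName": "Bob@contoso.example", "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 50126}},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "POP3", "status": {"errorCode": 0}},
    {"userPrincipalName": "scanner@contoso.example", "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}},
])

def audit_sign_ins(export_json):
    """Group sign-ins per user: affected protocols, SMTP AUTH, everything else."""
    report = {"affected": {}, "smtp_auth": set(), "other": 0}
    for rec in json.loads(export_json):
        app = (rec.get("clientAppUsed") or "").strip().lower()
        user = (rec.get("userPrincipalName") or "unknown").lower()
        # Failed sign-ins are counted too: the client is still configured for that protocol.
        if app in AFFECTED:
            report["affected"].setdefault(user, set()).add(AFFECTED[app])
        elif app == SMTP_AUTH:
            report["smtp_auth"].add(user)
        else:
            report["other"] += 1
    return report

if __name__ == "__main__":
    result = audit_sign_ins(SAMPLE_EXPORT)
    for user, protos in sorted(result["affected"].items()):
        print(f"{user}: uses a protocol listed for Basic auth removal: {', '.join(sorted(protos))}")
    for user in sorted(result["smtp_auth"]):
        print(f"{user}: SMTP AUTH in use (not changed by this deprecation)")
    print(f"{result['other']} sign-ins used other client apps")
```

An empty `affected` result over a representative time window corresponds to the "no basic auth sign-in in your tenant" case described in the answer.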


  2. giacchino cardella 1 Reputation point
    2022-10-03T06:18:04.48+00:00

    246951-image.png
