Basic Authentication and Exchange Online – September 2021 Update
Last week Microsoft announced that, effective October 1, 2022, they will beginto permanently disable Basic Auth in all tenants, regardless of usage (with the exception of SMTP Auth). Why the sudden change from their February 2021 announcement about postponing disabling Basic Auth for protocols in active use by tenant until further notice, yet Microsoft would continue to disable Basic Auth for all protocols not being used? We have the answers and the FAQs for you.
Basic Authentication is an outdated industry standard, and threats posed by Basic Auth have only significantly increased in the time since Microsoft originally announced they were making this change. The original announcement was titled ‘Improving Security – Together’ and that’s never been truer than it is now. There is a need to work together to improve security, and Microsoft’s end goal is turning off Basic Auth for all their customers.
FACT: Every day Basic Auth remains enabled in your tenant, your data is at risk. Your role today should be to get off Basic Auth, move to stronger and better options, and then secure your tenant.
IMPORTANT: Any client or app using Modern Auth will not be affected.
Microsoft continues its focus on improving security. Microsoft’s diligence and work has already protected millions of Exchange Online users – see how they have been thwarting and tracking attacks. Back in June they provided a security update regarding disabling Basic Auth for tenants not using it. Even with the continuous security improvements, Microsoft has made it official (as of the writing of this article) that effective October 1, 2022, Basic Auth in all tenants will begin to be permanently disabled, regardless of usage (with the exception of SMTP Auth, which can still be re-enabled after that). Now is the time to start planning your move to Modern Auth if you haven’t done so already.
How do I know if my tenant is using Basic Auth? Take a look at the Azure AD Sign-In log, as it can help identify ‘unexpected’ usage. Microsoft is also going to start sending Message Center posts to tenant admins summarizing their usage (or lack of).
How will I know if this change will affect my tenant? If the Azure AD Sign-In log shows Basic (legacy) Auth usage, this change will affect your tenant.
I thought Microsoft said they were not going to completely disable SMTP AUTH? You’re right, they did, in blog posts here and here. Microsoft is still going to continue to disable SMTP AUTH for tenants who don’t use it, but they will not be changing the configuration of any tenant who does. You still should move away from using Basic and SMTP AUTH though if you can, as it does leave you exposed. Don’t forget, you can disable it at the tenant level, and re-enable on a per-user/account level as described here.
How can I get a longer exception? I still want to use Basic Auth after October 2022 Microsoft is not providing the ability to use Basic Auth after October 2022. You should ensure your dependency on Basic Auth in Exchange Online has been removed by that time.
If I’ve set up Authentication Policies, or Conditional Access to block legacy auth, how will I know it’s safe to remove these and not re-open myself to the risks posed by Basic Auth? Keep watching the Message Center in your tenant. Microsoft will send Message Center posts in advance of them making a change to your Basic Auth configuration, and again once they’ve made the change.
What is Microsoft doing with Application Access Policies? We’ve been trying to get our apps to use these to secure them more granularly, but with only 100 policies available, that’s impossible! Microsoft understands many larger customers are already working on migrating thousands of service principals to our modern API. They’ve heard feedback regarding these limitations. Microsoft has recently announced it is in their plans to support 10,000 or more of these assignments per tenant – more details from Microsoft are forthcoming. However, don’t let this hold you back – it’s time to start planning to migrate your Basic Auth and legacy API applications to Microsoft Graph and Modern Authentication.
Exchange Hybrid and Office 365 Monitoring and Reporting
On-premises components, such as AD FS, PTA, and Exchange Hybrid are critical for Office 365 end user experience. In addition, something as trivial as expiring Exchange or AD FS certificates can certainly lead to unexpected outages. By proactively monitoring hybrid components, ENow gives you early warnings where hybrid components are reaching a critical state, or even for an upcoming expiring certificate. Knowing immediately when a problem happens, where the fault lies, and why the issue has occurred, ensures that any outages are detected and solved as quickly as possible.
AmyKelly Petruzzella is a marketing executive who focuses on Microsoft Exchange, Office 365, and Active Directory trends, challenges, and business outcomes for enterprises. Over the years, AmyKelly regularly engages with Gartner industry analysts, and she has been recognized several times for Top 50 Microsoft Marketing Excellence. She is a frequent speaker and blogger and an industry veteran who advocates for women in technology.
Part 3: Steady State in Tenant to Tenant Migrations