Security Active Directory Microsoft Exchange

Modern Authentication in Exchange Online

Thomas Stensitzki

Conceptual digital image of lock on circuit background

In their blog article, "Improving Security - Together," the Microsoft Exchange product group announced that the insecure Basic Authentication authentication method switches off on October 13, 2020, not just for Exchange Web Services (EWS), but also for Exchange ActiveSync (EAS), POP, IMAP, and Remote PowerShell.

Basic Authentication is an old authentication method that has weaknesses compared to modern authentication methods. As a result, this method of authentication is used by attackers to gain unauthorized access to resources. Exchange Online and Azure AD, as global cloud services, are exposed to an immense number of attacks of this nature. The disabling of Basic Authentication reduces the attack vector to your cloud resources.

Enhance Security with Modern Authentication

Modern authentication (Modern Auth) based on OAuth 2.0, combined with multi-factor authentication (MFA), provides better protection for accessing Exchange Online and other cloud resources. This type of authentication is not new, but many administrators refuse to activate Modern Auth for their tenants. The Office product Suite has supported Modern Auth since Office 2013.

For mobile devices, the situation is a bit different. In many cases, Exchange Online mailboxes are accessed using native email clients of the mobile operating systems. In the vast majority of cases, the native clients use the ActiveSync protocol (EAS). EAS, in turn, uses Basic authentication and therefore is no longer the appropriate protocol for accessing Exchange Online in the future. In this case, Outlook Mobile (Android / iOS) is the better alternative. With Outlook Mobile, you have the option of additionally securing the authentication of user accounts with MFA.

There are special challenges for SMTP, POP, and IMAP protocols. These protocols do not support modern authentication today. The fact that Modern Auth is not supported poses no problem for general access to user mailboxes since you access the mailboxes using MAPIoverHTTP protocol. The problem is rather for all applications that you have currently configured for POP / IMAP mailbox access and SMTP mail delivery through an Exchange Online service mailbox. These include ticket systems, ERP solutions, or individually programmed line-of-business applications (LOB).

The situation is similar for authenticating PowerShell scripts that are currently executed on your on-premises servers and perform actions against Exchange Online. You can already use the Exchange Online PowerShell module with MFA or Azure Cloud Shell today to authenticate the script user using Modern Auth

What Do I Have to Do?

Disabling Basic Authentication in Exchange Online has a direct impact on the IT infrastructure that is in your responsibility. To avoid service interruption for access to Exchange Online resources, you need to know which protocols users and applications utilize to access Exchange Online endpoints. The Exchange product group announced a software tool that helps you to analyze mailbox authentication methods and access protocols.

The solution for accessing Exchange Online mailboxes from Windows Desktop is simple. If you still have legacy Windows Desktop operating systems in the enterprise, move to Windows 10 as the standard operating system and migrate the Office installation to Office 2019 or Office 365 ProPlus. If your employees use POP or IMAP, clients move those clients to Outlook for Desktop.

Use Outlook Mobile for accessing Exchange Online mailboxes from mobile devices. Use a common Mobile Device Management solution to distribute Outlook Mobile to the devices in your enterprise. With Mobile Application Management (MAM) and Conditional Access, you can further increase security for mobile access to Exchange Online mailboxes.

Adapting Modern Auth for your automated PowerShell scripts is more difficult. You can implement the Exchange Online PowerShell module with MFA to run the scripts in the on-premises IT infrastructure and connect to Exchange Online. However, keep in mind that PowerShell scripts with a long-lasting executing time run into technical issues. If your scripts are affected by connectivity timeouts and script delays, called micro delays, you need to rethink the PowerShell script execution strategy. It may be better to use a professional software solution that provides native Modern Auth support to execute PowerShell scripts. PowerShell scripts that target Exchange Online or other Office 365 endpoints only can also run in Azure Automation.

It is also important to note that the deactivation of Basic authentication relates to Exchange Online. The on-premises version of Exchange Server is not affected.

Conclusion

The Exchange product group is aware of the challenges for the customers. The title of the original blog article Improving Security - Together has been chosen wisely. Better protection of Exchange Online mailboxes and other resources is only possible if the effort to increase the security is shared, that is, by you as an Office 365 customer and the Exchange product team.

Prepare yourself and your on-premises infrastructure for the disabling of Basic Authentication in Exchange Online. Create a realistic schedule for the necessary configurations and adjustments to complete the transition to Modern Auth by July 2020 at the latest.

Increasing safety is always accompanied by a loss of comfort. However, the gain in security is worth the effort, and the loss of comfort is acceptable.

Enjoy an even more secure Exchange Online.

Additional reading

Monitor Your Hybrid - Office 365 Environment with ENow

ENow’s solution is like your own personal outage detector that pertains solely to your environment. ENow’s solution monitors all crucial components including your hybrid servers, the network, and Office 365 from a single pane of glass. Knowing immediately when a problem happens, where the fault lies, and why the issue has occurred, ensures that any outages are detected and solved as quickly as possible.