Microsoft has announced that it will begin disabling the HTTP Basic Authentication scheme in Exchange Online.
The move will affect randomly selected Exchange Online tenants worldwide starting October 1, 2022.
The plan to retire the legacy authentication scheme, which dates back to the early 1990s, was announced in September 2021, after initially being pushed back because of the pandemic.
What is Basic Authentication?
Basic authentication is a method that allows an HTTP user agent, such as a web browser, to supply a username and password when making a request.
Microsoft says there will be no way to request an exception after October 2022.
However, Basic Authentication can be disabled at the user’s discretion via Microsoft Authentication Policies.
What should users do?
Microsoft’s documentation page lists some of the most common user issues and what can be done to switch from Basic Authentication to Modern Authentication.
This advice includes ensuring that the Outlook for Windows mail service is fully up to date and has the correct registry keys and, most importantly according to Microsoft, that the tenant-wide switch that enables Modern Authentication is set to “True”.
Microsoft reiterated that the “absolute best way” to disable Basic Authentication is to use its Authentication Policies feature.
Microsoft has warned users not to rely on Set-CASMailbox or Conditional Access to block Basic Authentication, because both act post-authentication: although they prevent data access, they do not stop the authentication attempt itself.
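The procedure the article describes (turn on the tenant-wide Modern Authentication switch, block Basic Authentication through an Authentication Policy rather than through Set-CASMailbox, and verify the result) is shown below as an added Exchange Online PowerShell example. It is not Microsoft's own script: it assumes the ExchangeOnlineManagement module is installed, that the account used holds an Exchange administrator role, that the tenant-wide switch the article refers to is the OAuth2ClientProfileEnabled organization setting, and that the policy name is a placeholder you would rename.

```powershell
# Added example (not Microsoft's script): block Basic Authentication for every
# Exchange Online protocol with an Authentication Policy, and confirm the
# tenant-wide Modern Authentication switch is on. Assumes ExchangeOnlineManagement
# is installed and the signed-in account is an Exchange administrator.

Connect-ExchangeOnline -ShowBanner:$false

# 1. Tenant-wide switch: Modern Authentication (OAuth 2.0) must be enabled, or
#    clients have nothing to move to once Basic Authentication is rejected.
$org = Get-OrganizationConfig
if (-not $org.OAuth2ClientProfileEnabled) {
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}

# 2. Create a policy that allows Basic Authentication for no protocol at all.
#    AllowBasicAuth* switches that are omitted default to "blocked"; each one is
#    set to $false explicitly so the intent is visible to anyone reviewing the script.
$policyName = 'Block Basic Auth'   # placeholder name, rename to taste
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName `
        -AllowBasicAuthActiveSync:$false `
        -AllowBasicAuthAutodiscover:$false `
        -AllowBasicAuthImap:$false `
        -AllowBasicAuthMapi:$false `
        -AllowBasicAuthOfflineAddressBook:$false `
        -AllowBasicAuthOutlookService:$false `
        -AllowBasicAuthPop:$false `
        -AllowBasicAuthPowershell:$false `
        -AllowBasicAuthReportingWebServices:$false `
        -AllowBasicAuthRpc:$false `
        -AllowBasicAuthSmtp:$false `
        -AllowBasicAuthWebServices:$false | Out-Null
}

# 3. Apply it to every existing user mailbox and make it the tenant default so new
#    mailboxes inherit it. Policy changes propagate over time; resetting
#    STSRefreshTokensValidFrom forces existing tokens to be reissued sooner.
#    Contrast with Set-CASMailbox -ImapEnabled $false, which only refuses mailbox
#    access after the credentials have already been accepted: the policy rejects
#    the Basic credential before that point.
Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-User -AuthenticationPolicy $policyName -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# 4. Verify: read the policy back and list any mailbox still on a different
#    explicit policy (an empty AuthenticationPolicy means it inherits the default).
Get-AuthenticationPolicy -Identity $policyName | Format-List Name, AllowBasicAuth*
Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.AuthenticationPolicy -and $_.AuthenticationPolicy -ne $policyName } |
    Select-Object UserPrincipalName, AuthenticationPolicy
```

Run the verification step again after the propagation window; a mailbox listed by the final query still has an explicit policy that permits Basic Authentication on at least one protocol, which is exactly the gap the article says Set-CASMailbox and Conditional Access cannot close.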
Microsoft did not spell out every reason behind the change, but it said Basic Authentication “is still one of the most common, if not the most common, means for our customers to be compromised, and these types of attacks are on the rise.”
“We’ve disabled Basic Authentication in millions of tenants that weren’t using it, and we’re currently disabling unused protocols in tenants that still use it, but every day your tenant has Basic Authentication enabled, you are at risk of attack.”
The news follows recent findings by cybersecurity firm Guardicore which revealed that a design flaw in an integral feature of the Microsoft Exchange mail server can be abused to harvest Windows domain and application credentials.
The report indicates that the problem exists in the Microsoft Autodiscover protocol, which helps email clients discover Exchange mail servers in order to receive the correct configurations.
Email remains one of the most common routes by which organizations are exposed to cybercriminals, and Microsoft has been active in expanding its email security offerings.
The company recently added a new layer of security to its Office 365 email service with the aim of improving the integrity of incoming and outgoing messages.
The company says the new protection, SMTP MTA Strict Transport Security (MTA-STS), a feature first announced in the second half of 2020, addresses issues such as expired TLS certificates, problems with third-party certificates, and security protocols that are not supported.
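MTA-STS works by publishing a DNS TXT record at _mta-sts.&lt;domain&gt; and a policy file at https://mta-sts.&lt;domain&gt;/.well-known/mta-sts.txt that tells sending servers which MX hosts to accept and whether TLS failures should be enforced or only reported. The PowerShell below is an added example, not Microsoft's code, that parses and sanity-checks such a policy as an administrator would when verifying their own domain. The sample policy text is constructed for this example, the domain is a placeholder, the field names and allowed values follow RFC 8461, and the live lookup uses the Windows Resolve-DnsName cmdlet and therefore needs network access.

```powershell
# Added example (not Microsoft's code): parse and validate an MTA-STS policy
# per RFC 8461, then optionally check a live domain. Sample policy is constructed.

function ConvertFrom-MtaStsPolicy {
    param([Parameter(Mandatory)][string]$Text)
    # Policy file is "key: value" lines; 'mx' may repeat, one per allowed MX pattern.
    $policy = @{ mx = @() }
    foreach ($line in $Text -split "`r?`n") {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $key, $value = $line -split ':', 2
        $key = $key.Trim(); $value = $value.Trim()
        if ($key -eq 'mx') { $policy.mx += $value } else { $policy[$key] = $value }
    }
    return $policy
}

function Test-MtaStsPolicy {
    param([Parameter(Mandatory)][hashtable]$Policy)
    # Returns the problems found; an empty list means senders can rely on the policy.
    $problems = @()
    if ($Policy['version'] -ne 'STSv1') {
        $problems += "version must be STSv1, got '$($Policy['version'])'"
    }
    if ($Policy['mode'] -notin @('enforce', 'testing', 'none')) {
        $problems += "mode must be enforce, testing or none"
    }
    if ($Policy['mode'] -eq 'testing') {
        $problems += "mode is 'testing': TLS failures are only reported, not blocked"
    }
    if ($Policy.mx.Count -eq 0 -and $Policy['mode'] -ne 'none') {
        $problems += "no mx entries: no receiving host would be accepted"
    }
    $maxAge = 0
    if (-not [int]::TryParse([string]$Policy['max_age'], [ref]$maxAge) -or $maxAge -lt 1) {
        $problems += "max_age must be a positive number of seconds"
    }
    return ,$problems
}

# Constructed sample of the policy a domain would publish.
$samplePolicy = @"
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"@
$parsed = ConvertFrom-MtaStsPolicy -Text $samplePolicy
$issues = Test-MtaStsPolicy -Policy $parsed
Write-Host "Sample policy: mode=$($parsed.mode); mx=$($parsed.mx -join ', '); problems=$($issues.Count)"

function Get-MtaStsStatus {
    # Live check of a real domain: TXT record first, then the HTTPS policy file.
    param([Parameter(Mandatory)][string]$Domain)
    $txt = Resolve-DnsName -Name "_mta-sts.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=STSv1*' }
    if (-not $txt) { return "no _mta-sts TXT record: MTA-STS is not advertised for $Domain" }
    $body = (Invoke-WebRequest -Uri "https://mta-sts.$Domain/.well-known/mta-sts.txt" -UseBasicParsing).Content
    $found = Test-MtaStsPolicy -Policy (ConvertFrom-MtaStsPolicy -Text $body)
    if ($found.Count -eq 0) { return "MTA-STS policy for $Domain is valid ($txt)" }
    return "MTA-STS policy for $Domain has problems: " + ($found -join '; ')
}
# Get-MtaStsStatus -Domain 'example.com'   # placeholder domain
```

The testing-mode warning is deliberate: a domain in "testing" gets TLS reports but no enforcement, so a downgraded or mis-certified connection still delivers mail, which is the condition MTA-STS in enforce mode is meant to refuse.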