Microsoft today warned that it will permanently disable basic authentication starting in early January 2023 to improve Exchange Online security.
“Starting in early January, we will send Message Center messages to affected tenants approximately 7 days before changing the configuration to permanently disable the use of Basic Authentication for the affected protocols,” the Exchange team said. . said tuesday.
“Shortly after Basic Authentication is permanently disabled, all clients or applications connecting using Basic Authentication to any of the affected protocols will receive a username/password error. password/HTTP 401 bad.”
This announcement comes after several reminders and warnings issued by Redmond over the past three years, the first published in September 2019 and two others in September 2021 and May 2022 after many customers delayed switching to modern authentication.
CISA also urged government agencies and private sector organizations to use Microsoft’s Exchange cloud messaging platform in June. to speed up the transition from legacy authentication methods without multi-factor authentication (MFA) support to modern authentication alternatives.
In September 2022a new warning stated that basic authentication would be disabled in random tenants around the world starting in October, with the option to re-enable a protocol once until the end of the year.
The deprecated Exchange Online Basic Authentication login method will be deprecated for Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell (RPS), Exchange Web Services (EWS), Offline Address Book (OAB), Autodiscover, and Outlook (for Windows and Macs).
The SMTP AUTH protocol used for client email submissions will also be disabled in all tenants where it is not used.
These protocols will be disabled for basic authentication use permanently in the first week of January 2023, with no way to re-enable them again.
Microsoft says it has already disabled Basic Authentication in millions of tenants who weren’t using it and disabled unused protocols in tenants who were still using it to protect them from attacks exploiting this insecure login scheme.
“Our own research found that over 99% of password spray attacks exploit the presence of Basic Authentication,” Microsoft 365 chief executive Seth Patton said in September.
“The same study found that over 97% of credential stuffing attacks also use legacy authentication. Customers who disabled basic authentication experienced 67% fewer compromises than those still using it.”
After Basic Authentication is deprecated, customers may experience a variety of issues, including the inability to connect to Exchange Online as of January 2023.
The swap team also shared detailed information about how to stop using basic authentication to prevent Exchange Online mail applications from stopping connecting or continuing to ask for your password.
“We are making this change to protect your tenant and your data from the increasing risks associated with Basic Authentication,” the Exchange team added.
“Calling support won’t help either, as they can’t re-enable basic authentication for you.”