Microsoft is deprecating Basic Authentication in Office 365 in the second half of 2021. To avoid disruptions to your client and application connectivity, it’s time to implement a switch to Modern Authentication ahead of that deadline.
What is Basic Authentication and why you should be concerned
Basic Authentication uses a username and password to pass security requests made by Applications. Also called Legacy Authentication, Basic Authentication does not support advanced security solutions such as Multi-Factor Authentication (MFA), so it relies solely on the strength of the password. The problem with Basic Authentication is that modern tools and techniques used by attackers can collect these credentials through the requests. Also, it is vulnerable to the more direct brute force or password spray attacks used to locate accounts with weak passwords. Once the account is compromised, the attacker then has enough access to perform inside attacks against the rest of the users in your business.
Modern Authentication to the rescue
To solve the Basic Authentication risks, Microsoft introduced Modern Authentication about 4 years ago. Modern Authentication stems from ADAL (Active Directory Authentication Library) and OAuth 2.0. Unlike Basic Authentication, Modern Authentication option adds support for more robust security features such as MFA, smart card, and certificate-based authentication. Enabling any of these additional security functions helps protect the accounts from a simple password compromise.
Microsoft is deprecating Basic Authentication in Office 365
Microsoft announced that Basic Authentication will be retired in the second half of 2021. The delayed retirement from the original October 13, 2020 date was due to the pressures on their customers and partners associated with COVID-19. Currently, all partners that created products which are connecting to Office 365 via Basic Authentication are rapidly upgrading their solutions to support Modern Authentication ahead of that date. Since Basic Authentication will be retired, you will want to implement a switch to Modern Authentication ahead of that deadline to avoid disruptions to your client and application connectivity.
Options to disable Basic Authentication
The Conditional Access Policies, which come with Azure AD Premium, are a simple and flexible way to prevent Legacy Authentications from getting through to all the Office 365 services. The problem is that not everyone has an Azure AD Premium subscription. Understanding this, Microsoft introduced other options as well; you can enable the Security Defaults policy in Azure AD, which will have the following impacts:
- Multi-factor authentication is enabled for every user.
- Users will have 14 days to complete the registration after enablement.
- The only MFA options are the Microsoft Authenticator app or a Hardware Token (no phone calls or SMS).
- Users will be prompted for MFA ‘whenever necessary’.
- Multi-factor authentication is enabled for all administrator roles.
- All legacy authentication protocols are blocked.
- Note – App Passwords (which are a workaround) for legacy applications and services are also blocked.
In addition, many of Office 365 Primary services can disable basic authentication per-service. These options are available for configuration via remote PowerShell.
Client and Application support
When disabling Legacy Authentication your client and application requirements need to be considered to avoid disruptions. Currently, only the following are supporting Modern Authentication:
- Outlook 2016 and higher
- Office 2013 with the latest patches have support until October 2020
- Outlook for Mac 2016 and higher
- Mobile devices
- Outlook for iOS or Android
- Apple iOS apps (mail, calendar, contacts) from iOS 11 and higher
- Gmail app on Android as of the build from April 2020 or newer
- Nine Mail
- Administration via remote PowerShell to Office 365 services only when using the newer PowerShell Modules
This means that Office 2010, IMAP, POP3, SMTP, ActiveSync clients that do not support Modern Authentication, and older methods of managing Exchange Online using Remote PowerShell will be unable to connect. Microsoft is currently working on Modern Authentication support for IMAP, POP3, and SMTP so that vendors can adapt their applications and services to it.
Identifying Legacy Authentication Requests
Microsoft created a way to identify the Basic Authentication requests to your Office 365 tenant. In the Azure Active Directory portal, there is a dashboard called “Sign-ins” located under the Monitoring section. Once there, you can add another Filter called “Client App”. This filter allows you to display just the Legacy Authentication requests which occurred over a time period you define. This will allow you to identify any Basic Authentication to your environment so you can take appropriate action prior to forcing Modern Authentication.
Screenshot of the Client App filter:
You’ll find more information about generating the reports on the Microsoft Exchange Team Blog.
Understanding IT services and security is critical to maintaining a functional business. Keeping Basic Authentication leaves your business vulnerable to malicious attacks due to weaker security features. Disabling Basic Authentication and setting up users with Modern Authentication should be a top security priority. With the retirement of most Basic Authentication security features close at hand, now is the best time to assess your applications and plan for any upgrades. Delaying changes could cost your business time, money, or critical data due to disrupted services or compromised security. Plan upgrades to your applications and authentication services now. It is better to be ahead of the pack than lagging behind and becoming easy prey for hackers.