
Microsoft 365 basic authentication switch off

It has been planned for the last couple of years, and now Microsoft is finally disabling basic authentication for its clients.

The switch, originally postponed from October 2020, is due to be carried out imminently – and will improve security significantly for Office 365 users.

From October 1st, Microsoft will start turning off basic authentication at random until all basic authentication is terminated by the end of the year.

We expect all outdated email clients and integrations to stop working when the switch happens. So, it is time to consider what might be affected and take action.

What is basic authentication?

Basic authentication lets users connect using only a username and password (unlike systems such as Multi-Factor Authentication (MFA), which require an extra action to be taken in order to log in). The username and password pair is usually stored locally on the device and sent with every request.

What uses basic authentication?

Microsoft will disable Basic Auth for the MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, and Remote PowerShell protocols.

So, for example, if you have an Apple device and use the Apple Mail app to connect to your Exchange Online mailbox, that could use basic authentication. Especially if you have copied an old device’s configuration to a new device, the old configuration might specify basic authentication.

Devices like these will not be able to connect to Exchange Online after Microsoft blocks basic authentication. Modern authentication for Apple Mail can be enabled; however, you must specify the configuration of the connection.

Why is it getting turned off?

Basic authentication leaves users vulnerable to attacks and is outdated industry practice. The fact that applications store these credentials on the device and send them along with every request increases the risk of a breach, with attackers able to steal credentials through password spray or brute-force attacks.

Threats posed by basic authentication have increased since Microsoft originally announced their plans to turn it off. More secure and effective user authentication alternatives have been developed, like Modern Authentication, which relies on both authentication and authorisation methods when logging in.

How do I know if I’m still using Basic Authentication?

The team at razorblue have built a suite of tools that we’ve used to proactively identify users of basic authentication in our client base, and we have contacted them in advance.

If your Managed Service Provider hasn’t done this for you, you can do it yourself by inspecting Azure AD logs and looking for basic authentication attempts.
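Below is an added example of the kind of log check described above. It is not razorblue's tooling and not Microsoft's code. It assumes the sign-in log has been exported in the Microsoft Graph `signIn` shape (fields `userPrincipalName`, `clientAppUsed`, `createdDateTime`, `ipAddress`, `status.errorCode`), which is what `GET /auditLogs/signIns` returns and what the Azure AD portal's JSON download produces; the `clientAppUsed` values for the protocols listed earlier are the ones Azure AD reports, and the mapping of `"Other clients"` to the RPC/Outlook Anywhere catch-all is an assumption. The sample log entries are constructed. The script separates users who have *successfully* signed in with basic authentication (a real client that will break) from accounts that only show failed legacy attempts (nothing to migrate, but a sign that the legacy endpoint is being used for credential guessing and should be closed sooner rather than later).

```python
"""Find basic (legacy) authentication in an exported Azure AD sign-in log.

Added example, not razorblue's tooling. Assumes the Microsoft Graph
`signIn` export shape; the sample entries below are constructed.
"""
import json
from collections import defaultdict

# Azure AD reports the protocol in the `clientAppUsed` field. These values
# cover the protocols Microsoft is switching basic auth off for; the last
# entry ("Other clients") is the catch-all Azure AD uses for remaining
# legacy protocols such as RPC / Outlook Anywhere (assumption).
LEGACY_CLIENT_APPS = {
    "Exchange Web Services": "EWS",
    "IMAP4": "IMAP",
    "POP3": "POP",
    "MAPI Over HTTP": "MAPI",
    "Offline Address Book": "OAB",
    "Exchange Online PowerShell": "Remote PowerShell",
    "Other clients": "Other legacy (RPC etc.)",
}

# Constructed sample export: two real legacy clients (alice on IMAP, bob on
# EWS), one modern browser sign-in, and repeated failed IMAP attempts
# against carol from an unfamiliar address (error 50126 = bad password).
SAMPLE_LOG = json.dumps({"value": [
    {"createdDateTime": "2022-09-20T08:12:03Z", "userPrincipalName": "alice@contoso.example",
     "clientAppUsed": "IMAP4", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2022-09-20T09:01:44Z", "userPrincipalName": "alice@contoso.example",
     "clientAppUsed": "Browser", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2022-09-21T07:30:00Z", "userPrincipalName": "bob@contoso.example",
     "clientAppUsed": "Exchange Web Services", "ipAddress": "203.0.113.25", "status": {"errorCode": 0}},
    {"createdDateTime": "2022-09-22T07:31:15Z", "userPrincipalName": "bob@contoso.example",
     "clientAppUsed": "Exchange Web Services", "ipAddress": "203.0.113.25", "status": {"errorCode": 0}},
    {"createdDateTime": "2022-09-22T02:14:09Z", "userPrincipalName": "carol@contoso.example",
     "clientAppUsed": "IMAP4", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
    {"createdDateTime": "2022-09-22T02:14:11Z", "userPrincipalName": "carol@contoso.example",
     "clientAppUsed": "IMAP4", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
]})


def parse_signins(raw_json):
    """Return the list of sign-in records from a Graph-style export."""
    return json.loads(raw_json)["value"]


def summarise_legacy_auth(entries):
    """Per user and per legacy protocol: successes, failures, last success, source IPs."""
    summary = defaultdict(lambda: defaultdict(
        lambda: {"success": 0, "failure": 0, "last_success": None, "sources": set()}))
    for entry in entries:
        protocol = LEGACY_CLIENT_APPS.get(entry.get("clientAppUsed"))
        if protocol is None:
            continue  # modern auth (Browser, Mobile Apps and Desktop clients, ...)
        record = summary[entry["userPrincipalName"]][protocol]
        record["sources"].add(entry.get("ipAddress", "unknown"))
        if entry.get("status", {}).get("errorCode", 0) == 0:
            record["success"] += 1
            stamp = entry["createdDateTime"]  # ISO 8601 UTC, so string order == time order
            if record["last_success"] is None or stamp > record["last_success"]:
                record["last_success"] = stamp
        else:
            record["failure"] += 1
    return {user: dict(protocols) for user, protocols in summary.items()}


def users_to_contact(summary):
    """Users with at least one successful legacy sign-in: a real client will stop working."""
    return sorted(user for user, protocols in summary.items()
                  if any(rec["success"] for rec in protocols.values()))


def failed_only(summary):
    """Users whose legacy attempts all failed: nothing to migrate, but worth a closer look."""
    return sorted(user for user, protocols in summary.items()
                  if not any(rec["success"] for rec in protocols.values()))


if __name__ == "__main__":
    summary = summarise_legacy_auth(parse_signins(SAMPLE_LOG))
    for user in users_to_contact(summary):
        for protocol, rec in summary[user].items():
            if rec["success"]:
                print(f"{user}: {protocol} last used {rec['last_success']} "
                      f"from {', '.join(sorted(rec['sources']))}")
    for user in failed_only(summary):
        print(f"{user}: failed legacy attempts only, from {sorted(summary[user].keys())}")
```

To run it against a real tenant, replace `SAMPLE_LOG` with the contents of a downloaded sign-in log (or the paged output of the Graph endpoint) and filter on a date range that covers the typical sync interval of the clients you care about, since a mail app that only checks once a day will not appear in a one-hour window.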

What does this mean?

As we mentioned before, this does not mean that basic authentication will stop immediately on October 1st. It means that Microsoft will begin the process of terminating it. This is a large-scale task, and it will take them a few months to carry out, but as of October 1st, companies that have not switched to Modern Authentication methods risk losing access at any time when using incompatible services.

This switch-off was only a matter of time: basic authentication is an insecure method of logging in and has long been outdated. We are ahead of the curve and have already been reaching out to the many clients this will affect. If you are a customer of ours and would like support, then contact your account manager.