
Microsoft is disabling basic authentication in random tenants worldwide starting October 1, 2022.

Since the announcement in September 2019, there have been multiple reminders and warnings from Microsoft about the move from Basic to Modern Authentication. Millions of tenants have already disabled basic authentication to protect themselves, but millions of others have not made the change.

Starting in October 2022, Microsoft will begin randomly selecting tenants and disabling their Basic Authentication access for MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS) and Remote PowerShell. The move exists to protect their information from cyber attackers exploiting the insecure auth scheme.

Microsoft will announce the rollout seven days before commencing, posting the message to the Windows Message Centre. Each tenant will be notified via the Service Health Dashboard notifications when basic auth is disabled.

Although the rollout will disable basic authentication from October 2022, it can be temporarily re-enabled until December 2022. Re-enabling basic authentication will allow anyone who did not prepare for the change to do so before it is permanently disabled in January 2023.

Why is Microsoft disabling basic authentication?

The goal of disabling basic authentication is to improve data security as the number of cyberattacks that leverage basic auth increases.

Basic authentication or legacy authentication is an HTTP-based scheme that applications use for sending credentials in plain text to servers, endpoints or various online services.

Unfortunately, this allows cybercriminals to steal your credentials in man-in-the-middle attacks over TLS and brute force attacks. They can steal plain-text credentials from apps using basic auth via several tactics, including social engineering and info-stealing malware.

Modern authentication methods include a variety of different techniques that are all designed for increased security. Microsoft’s implementation of Open Authorization (OAuth) allows users to grant limited access rights from their mobile device without having traditional accounts on various platforms like Facebook or Google+.

OAuth access tokens can only be used to authenticate resources they are issued for.

Will this affect you?

The deprecation of basic auth will affect a number of applications. Migrating to modern authentication will avoid disruptions when basic authentication is disabled on your tenancy. Some applications that will be affected are:
  • Microsoft Outlook on the Web
  • Microsoft Outlook for PC & Mac
  • Microsoft Outlook Mobile App
  • Mac Mail and Calendar App (10.13 High Sierra and older)
  • Most IMAP/POP Mail clients e.g. Thunderbird, Eudora
  • Android Mail
  • Apple iOS Mail app (iOS 10 and older)
  • Microsoft Office 2014 or prior

How to be prepared for this change and avoid disruptions

  • Administrators can disable basic authentication and allow users to use modern authentication through authentication policies. A new Authentication policy can be created and assigned to users.
  • Disable Basic authentication in Exchange Online and use Windows-based Outlook clients that support modern authentication.
  • Update Outlook for Windows, with the correct registry keys in place and the tenant-wide switch set to True (without that setting, Outlook won’t use Modern auth).
  • Implement IMAP.AccessAsApp and POP.AccessAsApp permissions if you require POP/IMAP for interactive apps.
  • Use Modern Authentication in Microsoft Teams Rooms.
  • Use modern auth to run PowerShell scripts.
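
The authentication-policy and tenant-wide-switch steps above, sketched in Exchange Online PowerShell as an added example (not code from the original article or from Microsoft). It assumes the ExchangeOnlineManagement module and an Exchange admin role; the policy name and mailbox address are placeholders.

```powershell
# Added example: block basic auth with an authentication policy, pilot first.
# Placeholders (assumptions): policy name and pilot mailbox below.
$policyName = 'Block Basic Auth'
$pilotUser  = 'pilot.user@contoso.example'

# Sign in interactively; this connection itself uses modern authentication.
Connect-ExchangeOnline

# 1. Tenant-wide switch: Outlook for Windows only uses modern auth when True.
$org = Get-OrganizationConfig
if (-not $org.OAuth2ClientProfileEnabled) {
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}

# 2. Create the policy once. Every AllowBasicAuth* setting defaults to False,
#    so a policy created with no switches blocks basic auth for all protocols.
if (-not (Get-AuthenticationPolicy | Where-Object Name -eq $policyName)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}

# 3. Review the policy: every AllowBasicAuth* value should read False.
Get-AuthenticationPolicy -Identity $policyName |
    Format-List Name, AllowBasicAuth*

# 4. Assign the policy to a pilot user before touching the whole tenant.
#    Assignments can take up to 24 hours to take effect.
Set-User -Identity $pilotUser -AuthenticationPolicy $policyName

# 5. List accounts that still have no authentication policy assigned,
#    so you know who is left to migrate.
Get-User -ResultSize Unlimited |
    Where-Object { -not $_.AuthenticationPolicy } |
    Select-Object UserPrincipalName, RecipientTypeDetails

# 6. After the pilot succeeds, make the policy the tenant default so accounts
#    without an explicit assignment are covered as well.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName
Get-OrganizationConfig |
    Format-List DefaultAuthenticationPolicy, OAuth2ClientProfileEnabled
```

Run steps 1 to 5 first and confirm the pilot user's mail clients still connect before applying step 6.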

If you experience any difficulties with your Microsoft apps or need assistance changing to Modern Authentication, Key Tech can help! Call 1300 755 615 or send us a message.