Microsoft disabling Basic authentication in October 2022 – What to know and how to be ready
Steven Connelly
Head of Enterprise Identity
Published: 29 July 2022
From October 2022, Microsoft will begin to permanently disable Basic authentication in all tenants, regardless of usage. Here’s what you need to know to be ready for the change.
As of 1 October 2022, Microsoft will be disabling Basic authentication on customer Azure tenants.
The removal of Basic authentication will be progressively rolled out across random tenants from this date onwards. Unfortunately, there’s no way to identify when a particular tenant will be updated.
Any customers using Basic authentication to connect applications or services to Exchange Online will be affected by this change. If you haven’t updated your applications to Modern authentication, they will fail to connect once Basic authentication is removed from the tenant.
Microsoft is recommending that customers using Basic authentication switch to Modern authentication (also known as OAuth 2.0) as soon as possible to avoid any outages when the switch-over happens.
This blog will give you an overview of what Basic authentication is, where you are likely to be using it, and how to mitigate connection issues by migrating to Modern authentication.
What is Basic authentication?
Basic authentication, also called proxy authentication, is an HTTP(S)-based authentication mechanism that applications use to send stored credentials in Base64 format to servers, endpoints, or online services. Base64 is a data encoding scheme, not an encryption scheme, and can be simply reversed to reveal the supplied credentials.
Because Base64 encoding provides no confidentiality, attackers who capture the transmitted credentials, for example via MitM (man-in-the-middle) type attacks, can read them directly. The credentials can also be guessed using common techniques such as dictionary-based password attacks.
As the credentials used for Basic authentication are stored and used directly by the requesting applications, attackers can steal these credentials using various tactics, such as social engineering or malware injection.
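To make the point about Base64 concrete, here is an added example (not part of the original article) that inspects `Authorization` header values the way a defender reviewing captured request logs might. It shows that a Basic header gives up the account name and password with no key required; the header values are constructed samples and the function name is hypothetical.

```python
import base64
import binascii

def inspect_authorization(header_value):
    """Classify an HTTP Authorization header value.

    For Basic, returns the recovered username and the password length
    (the password itself is deliberately not kept).
    """
    scheme, _, param = header_value.strip().partition(" ")
    scheme = scheme.lower()  # scheme names are case-insensitive
    if scheme != "basic":
        # e.g. Bearer: the header carries a token, not the user's password
        return {"scheme": scheme, "password_recoverable": False}
    try:
        decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return {"scheme": "basic", "password_recoverable": False, "error": "malformed"}
    # Split on the FIRST colon only: usernames cannot contain ':', passwords can.
    username, sep, password = decoded.partition(":")
    if not sep:
        return {"scheme": "basic", "password_recoverable": False, "error": "malformed"}
    return {
        "scheme": "basic",
        "password_recoverable": True,
        "username": username,
        "password_length": len(password),
    }

# Constructed sample headers (not real credentials or tokens).
SAMPLE_BASIC = "Basic " + base64.b64encode(b"svc-mail@example.com:Pa:ss-w0rd").decode()
SAMPLE_BEARER = "Bearer constructed.sample.token"

if __name__ == "__main__":
    for value in (SAMPLE_BASIC, SAMPLE_BEARER, "basic not-base64!"):
        print(inspect_authorization(value))
```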
Why is Microsoft disabling Basic authentication?
Basic authentication was defined formally back in 2015 and since then has been adopted as one of the Internet’s most widely used authentication schemes due to its simplicity.
It can be used to secure access to any resource that is accessible over HTTP(S). Its popularity, combined with a lack of proper encryption or security, has made it a frequent target for attackers who wish to gain access to secured resources.
These days, there are better and more effective ways to authenticate users. Microsoft have been promoting alternative authentication and authorisation methods under the group terminology of Modern authentication.
Microsoft’s Modern authentication encompasses, but is not limited to, multi-factor authentication (MFA), client certificate authentication, plus its own implementation of the standard Open Authentication protocol (OAuth).
When will Basic authentication be disabled?
Microsoft starts disabling Basic authentication across random tenants from 1 October 2022. This random approach will continue until all tenants have had Basic authentication disabled.
Additionally, any tenant not currently using SMTP AUTH-based authentication will have this option disabled. Tenants currently using SMTP AUTH-based authentication (for example, via systems or mail servers sending automated emails into Exchange Online via SMTP) will not be affected.
What will it affect?
The disabling of Basic authentication in Exchange Online will affect the following Exchange Online services:
- Microsoft Outlook
- Exchange Web Services (EWS)
- Remote PowerShell for Exchange (RPS)
- Post Office Protocol for Exchange (POP)
- Internet Message Access Protocol for Exchange (IMAP)
- Exchange ActiveSync Service (EAS)
If your solution contains any applications, services, or scripts that connect to these services using Basic authentication, they will need to be updated to support Modern authentication before 1 October 2022.
What do I need to do about it?
The first thing we would recommend is to run a discovery exercise to identify affected (and potentially affected) areas.
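One way to start that discovery exercise, shown as an added example that is not from the original article: group an export of Azure AD sign-in records by account and legacy protocol to build a migration inventory. It assumes each record carries the `clientAppUsed`, `userPrincipalName` and `createdDateTime` fields; the mapping to the services listed above, the function name and the sample records are constructed for illustration.

```python
from collections import defaultdict

# Assumed mapping from the sign-in log's clientAppUsed value to the services
# named in this article. A match is a candidate to investigate, not proof
# that the client is still sending Basic credentials.
LEGACY_CLIENTS = {
    "Exchange ActiveSync": "EAS",
    "Exchange Web Services": "EWS",
    "Exchange Online PowerShell": "RPS",
    "POP3": "POP",
    "IMAP4": "IMAP",
    "MAPI Over HTTP": "Outlook",
    "Outlook Anywhere (RPC over HTTP)": "Outlook",
    "Authenticated SMTP": "SMTP AUTH",
}

def legacy_auth_inventory(records):
    """Return {account: {service: {"count": n, "last_seen": timestamp}}}."""
    inventory = defaultdict(dict)
    for rec in records:
        service = LEGACY_CLIENTS.get(rec.get("clientAppUsed", ""))
        upn = rec.get("userPrincipalName", "").lower()
        if service is None or not upn:
            continue  # modern client, or record without an account
        entry = inventory[upn].setdefault(service, {"count": 0, "last_seen": ""})
        entry["count"] += 1
        # ISO 8601 UTC timestamps in one format sort lexicographically.
        entry["last_seen"] = max(entry["last_seen"], rec.get("createdDateTime", ""))
    return dict(inventory)

# Constructed sample export (accounts and timestamps are invented).
SAMPLE_EXPORT = [
    {"createdDateTime": "2022-07-20T08:01:12Z", "userPrincipalName": "scanner@example.com", "clientAppUsed": "Authenticated SMTP"},
    {"createdDateTime": "2022-07-21T02:00:05Z", "userPrincipalName": "svc-mim@example.com", "clientAppUsed": "Exchange Online PowerShell"},
    {"createdDateTime": "2022-07-22T02:00:07Z", "userPrincipalName": "svc-mim@example.com", "clientAppUsed": "Exchange Online PowerShell"},
    {"createdDateTime": "2022-07-22T09:15:00Z", "userPrincipalName": "alice@example.com", "clientAppUsed": "Browser"},
    {"createdDateTime": "2022-07-19T17:42:31Z", "userPrincipalName": "Bob@example.com", "clientAppUsed": "IMAP4"},
    {"createdDateTime": "2022-07-22T07:30:00Z", "userPrincipalName": "bob@example.com", "clientAppUsed": "Exchange ActiveSync"},
]

if __name__ == "__main__":
    for account, services in sorted(legacy_auth_inventory(SAMPLE_EXPORT).items()):
        print(account, services)
```

Accounts that appear in the inventory are the ones whose owning application, script or device needs a migration plan; service accounts such as the hypothetical `svc-mim` entry usually point at unattended scripts.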
If you’re using Microsoft Identity Manager (MIM), you’ll need to update the MIM Portal to use Application Based Authentication. Any post-processing scripts using Basic authentication will also need to be updated.
Important: We wouldn’t recommend attempting to update the MIM Portal and post-processor scripts yourself, as there are potential dangers that could result in a complete re-install of the Portal. Please get in touch with us if this is something you need support with.
Once you’ve tested the updates and everything is working as it should, you can then begin user acceptance testing (UAT) and migrate the changes into production.
Key Takeaways
- Microsoft will be disabling Basic authentication in Azure from 1 October 2022.
- This change will affect ALL customers using Azure.
- Tenants using Basic authentication will be targeted at random from October – so you’ll need to be ready by that date.
- You need to migrate all applications and scripts to Modern authentication as soon as possible.
- Failure to migrate will result in a loss of connectivity to key apps and services.