Microsoft disabling Basic authentication in October 2022 – What to know and how to be ready

As of 1 October 2022, Microsoft will be disabling Basic authentication on customer Azure tenants.

The removal of Basic authentication will be progressively rolled out across random tenants from this date onwards. Unfortunately, there’s no way to identify when a particular tenant will be updated.

Any customers using Basic authentication to connect applications or services to Exchange Online will be affected by this change. If you haven’t updated your applications to Modern authentication, they will fail to connect once Basic authentication is removed from the tenant.

Microsoft is recommending that customers using Basic authentication switch to Modern authentication (aka. OAuth 2.0) as soon as possible to avoid any outages when the switch-over happens.

This blog will give you an overview of what Basic authentication is, where you are likely to be using it, and how to mitigate connection issues by migrating to Modern authentication.

What is Basic authentication?

Basic authentication, also called proxy authentication, is an HTTP(S)-based authentication mechanism that applications use to send stored credentials in Base64 format to servers, endpoints, or online services. Base64 is a data encoding scheme, not an encryption scheme, and can be simply reversed to reveal the supplied credentials.

Due to the lack of security in Base64 encoding, attackers can capture the transmitted credentials via MitM (man-in-the-middle) type attacks or guess them using common techniques such as dictionary-based password attacks.

As the credentials used for Basic authentication are stored and used directly by the requesting applications, attackers can steal these credentials using various tactics, such as social engineering or malware injection.

Why is Microsoft disabling Basic authentication?

Basic authentication was defined formally back in 2015 and since then has been adopted as one of the Internet’s most widely used authentication schemes due to its simplicity.

It can be used to secure access to any resource that is accessible over HTTP(S). Its popularity, combined with a lack of proper encryption or security, has made it a frequent target for attackers who wish to gain access to secured resources.

These days, there are better and more effective ways to authenticate users. Microsoft have been promoting alternative authentication and authorisation methods under the group terminology of Modern authentication.

Microsoft’s Modern authentication encompasses, but is not limited to, multi-factor authentication (MFA), Client Certification Authentication, plus their own implementation of the standard Open Authentication protocol (OAuth).

When will Basic authentication be disabled?

Microsoft starts disabling Basic authentication across random tenants from 1 October 2022. This random approach will continue until all tenants have had Basic authentication disabled.

Additionally, any tenant not currently using SMTP AUTH-based authentication will have this option disabled. Tenants currently using SMTP AUTH-based authentication (for example, via systems or mail servers sending automated emails into Exchange Online via SMTP) will not be affected.

What will it affect?

The disabling of Basic authentication in Exchange Online will affect the following Exchange Online services:

• Microsoft Outlook
• Exchange Web Services (EWS)
• Remote PowerShell for Exchange (RPS)
• Post Office Protocol for Exchange (POP)
• Internet Message Access Protocol for Exchange (IMAP)
• Exchange ActiveSync Service (EAS)

If your solution contains any applications, services, or scripts that connect to these services using Basic authentication they will need to be updated to support Modern authentication before 1 October 2022.

What do I need to do about it?

The first thing we would recommend is to run a discovery exercise to identify affected (and potentially affected) areas.

If you’re using Microsoft Identity Manager (MIM), you’ll need to update the MIM Portal to use Application Based Authentication. Any post-processing scripts using Basic authentication will also need to be updated.

Important: We wouldn’t recommend attempting to update the MIM Portal and post-processor scripts yourself, as there are potential dangers that could result in a complete re-install of the Portal. Please get in touch with us if this is something you need support with.

Once you’ve tested the updates and everything is working as it should, you can then begin user acceptance testing (UAT) and migrate the changes into production.

Key Takeaways

Like this? Don’t forget to share.