{"id":170902,"date":"2022-05-05T12:22:29","date_gmt":"2022-05-05T17:22:29","guid":{"rendered":"https:\/\/itblog.ldlnet.net\/?p=170902"},"modified":"2022-05-05T12:33:36","modified_gmt":"2022-05-05T17:33:36","slug":"basic-authentication-deprecation-in-exchange-online-may-2022-update","status":"publish","type":"post","link":"https:\/\/itblog.ldlnet.net\/index.php\/2022\/05\/05\/basic-authentication-deprecation-in-exchange-online-may-2022-update\/","title":{"rendered":"Basic Authentication Deprecation in Exchange Online \u2013 May 2022 Update"},"content":{"rendered":"\n<figure class=\"wp-block-image\"><a href=\"https:\/\/techcommunity.microsoft.com\/t5\/user\/viewprofilepage\/user-id\/324116\"><img decoding=\"async\" src=\"https:\/\/techcommunity.microsoft.com\/t5\/image\/serverpage\/image-id\/123334iA2C11F7B2B7DC41C\/image-dimensions\/150x150\/image-coordinates\/190%2C179%2C1319%2C1308?v=v2\" alt=\"The_Exchange_Team\" title=\"The_Exchange_Team\"\/><\/a><\/figure>\n\n\n\n<p>I wanted to forward this article to everyone for review. This article could not come at a better time with the transition of Exchange on premises to Exchange Online ongoing along with the updating of general security protocols for Microsoft&#8217;s IaaS and SaaS Services. In about 150 days from today, Microsoft is going to start to turn off Basic Auth for specific protocols in Exchange Online&nbsp;for those customers still using it.<\/p>\n\n\n\n<p>Since&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/techcommunity.microsoft.com\/t5\/exchange-team-blog\/basic-authentication-and-exchange-online-september-2021-update\/ba-p\/2772210\" target=\"_blank\">we announced the October 1, 2022 deadline last year<\/a>&nbsp;MS has seen great progress from customers and partners as they move their clients and apps from basic to Modern Authentication. 
Since there are a lot of customers still using Basic Auth, we wanted to re-state the scope and implications of this change, and to answer some of the common questions we get.<\/p>\n\n\n\n<p>As a reminder, Basic Auth is still one of, if not&nbsp;<em>the<\/em>&nbsp;most common ways our customers get compromised, and these types of attacks are&nbsp;<em>increasing<\/em>.<\/p>\n\n\n\n<p>We\u2019ve disabled Basic Auth in&nbsp;<em>millions<\/em>&nbsp;of tenants that weren\u2019t using it, and we\u2019re currently disabling unused protocols within tenants that still use it, but every day your tenant has Basic Auth enabled, you are at risk from attack.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Timeline and Scope<\/h3>\n\n\n\n<p>As we communicated last year in&nbsp;<a href=\"https:\/\/techcommunity.microsoft.com\/t5\/exchange-team-blog\/basic-authentication-and-exchange-online-september-2021-update\/ba-p\/2772210\" target=\"_blank\" rel=\"noreferrer noopener\">blog posts<\/a>&nbsp;and Message Center posts, we will start to turn off Basic Authentication in our worldwide multi-tenant service on October 1, 2022. To be clear, we will&nbsp;<em>start<\/em>&nbsp;on October 1; this is not the date we turn it off for&nbsp;<em>everyone<\/em>. We will randomly select tenants, send 7-day warning Message Center posts (and post Service Health Dashboard notices), then we will turn off Basic Auth in the tenant. We expect to complete this by the end of this year. You should therefore be ready by October 1.<\/p>\n\n\n\n<p>We\u2019re turning off Basic Auth for the following protocols: MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, and Remote PowerShell.<\/p>\n\n\n\n<p>We are not turning off SMTP AUTH. We have turned off SMTP AUTH for millions of tenants not using it, but if SMTP AUTH is enabled in your tenant, it\u2019s because we see usage and so we won\u2019t touch it. 
We do&nbsp;<a href=\"https:\/\/docs.microsoft.com\/exchange\/clients-and-mobile-in-exchange-online\/authenticated-client-smtp-submission\" target=\"_blank\" rel=\"noreferrer noopener\">recommend<\/a>&nbsp;you disable it at the tenant level and re-enable it only for those user accounts that still need it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Exceptions and Per-Tenant Timing<\/h3>\n\n\n\n<p><strong><u>There is no way to request an exception after October<\/u><\/strong>. Tenant selection is random, and we cannot put your tenant to the back of the queue to give you more time or change your settings on any specific date. If you want Basic Auth to be disabled at a time of your choosing (either now, or as soon as you are ready), use Authentication Policies. More info on that below.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">What should I do to prepare for this change?<\/h4>\n\n\n\n<p>Any client (user app, script, integration, etc.) using Basic Auth for one of the affected protocols will be unable to connect. The app will receive an HTTP 401 error:&nbsp;<em>bad username or password<\/em>.<\/p>\n\n\n\n<p>Any app using Modern Auth for these same protocols will be unaffected.<\/p>\n\n\n\n<p>Our documentation page lists some of the common apps and what can be done to switch them from basic to Modern Auth, but based on calls with customers of all sizes, here are some common themes:<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>If you have Outlook for Windows, make sure it\u2019s up to date,&nbsp;<a href=\"https:\/\/docs.microsoft.com\/microsoft-365\/admin\/security-and-compliance\/enable-modern-authentication\" target=\"_blank\" rel=\"noreferrer noopener\">has the right registry keys in place<\/a>&nbsp;and most importantly \u2013 that the tenant-wide switch to enable is set to True! 
Without that setting Outlook for Windows won\u2019t use Modern Auth.&nbsp;<a href=\"https:\/\/techcommunity.microsoft.com\/t5\/exchange-team-blog\/enabling-modern-auth-for-outlook-how-hard-can-it-be\/ba-p\/2278411\" target=\"_blank\" rel=\"noreferrer noopener\">So, turn it on<\/a>. If clients are already logged in to another Microsoft 365 app, such as Teams, they are already authenticated and so it\u2019s very likely they will not see any kind of auth prompt. We are turning this setting&nbsp;<em>on<\/em>&nbsp;for customers as we disable Basic Auth for MAPI\/RPC in the tenant, but not before. We want to make sure Outlook can connect using Modern Auth once Basic Auth is disabled. Outlook doesn\u2019t support OAuth with POP and IMAP \u2013 if you want to use POP and IMAP, with a client app, you\u2019ll need another app.<\/li><li>POP\/IMAP \u2013 we have several customers using these protocols for application access.&nbsp;<a href=\"https:\/\/docs.microsoft.com\/exchange\/client-developer\/legacy-protocols\/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth\" target=\"_blank\" rel=\"noreferrer noopener\">POP and IMAP both support OAuth<\/a>&nbsp;for interactive applications, and we\u2019re rolling out support for non-interactive flows now. If you are a developer you\u2019ll know where to look, and if you do that right now you\u2019ll find the IMAP.AccessAsApp and POP.AccessAsApp permissions. We\u2019ll have some guidance on how to use them very soon, so watch out for that.<\/li><li>EWS apps \u2013 we also have several customers with apps that use EWS and Basic Auth. EWS supports app-only access and you can use&nbsp;<a href=\"https:\/\/docs.microsoft.com\/graph\/auth-limit-mailbox-access\" target=\"_blank\" rel=\"noreferrer noopener\">Application Access Policies<\/a>&nbsp;to control what an app can access \u2013 if you have apps using EWS with Basic Auth, you need to either modify the code, or get the app owner to do so. 
Many partner apps have support for Modern Auth; you just need to modify your configuration or update to the latest versions. Do it now!<\/li><li>ActiveSync \u2013 all the native apps on up-to-date clients support Modern Auth, but many users\u2019 devices are still using Basic Auth. If you use an MDM\/MAM solution, use it to deploy new profiles.&nbsp;<a href=\"https:\/\/docs.microsoft.com\/mem\/intune\/configuration\/email-settings-ios\" target=\"_blank\" rel=\"noreferrer noopener\">Here\u2019s<\/a>&nbsp;how you can use Intune to set the auth mechanism for iPhone and iPad, for example. If you don\u2019t have an MDM, simply remove and re-add the account from the device and it should automatically switch to Modern Auth.<\/li><li>PowerShell scripts \u2013 If you have scripts you need to run, follow&nbsp;<a href=\"https:\/\/docs.microsoft.com\/powershell\/exchange\/app-only-auth-powershell-v2?view=exchange-ps\" target=\"_blank\" rel=\"noreferrer noopener\">this<\/a>&nbsp;guide to use Modern Auth in your scripts.<\/li><li>Reporting Web Services \u2013 the support for OAuth is rolling out now (to be completed by end of May). Basic Auth will be disabled starting October 1.<\/li><li>Microsoft Teams Rooms \u2013 make sure they are using Modern Auth by following&nbsp;<a href=\"https:\/\/docs.microsoft.com\/MicrosoftTeams\/rooms\/rooms-authentication#prerequisites-specific-to-microsoft-teams-rooms\" target=\"_blank\" rel=\"noreferrer noopener\">these<\/a>&nbsp;steps.<\/li><\/ol>\n\n\n\n<h4 class=\"wp-block-heading\">How do you know you are still using Basic Auth? <\/h4>\n\n\n\n<p>Azure AD sign-in events is the best place to look (filter by client app, then in the client app filter, check the boxes for the affected protocols under Legacy Authentication Clients). 
Check out&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/techcommunity.microsoft.com\/t5\/azure-active-directory-identity\/new-tools-to-block-legacy-authentication-in-your-organization\/ba-p\/1225302\" target=\"_blank\">this<\/a>&nbsp;post for more info.<\/p>\n\n\n\n<p>We also send monthly Message Center posts to tenants using Basic Auth, summarizing their usage. We\u2019ve been doing this since October 2021. These are not as exact as Azure AD\u2019s reports; they are meant as an&nbsp;<em>indicator<\/em>&nbsp;of usage, but if you get one, you should investigate what\u2019s causing it.<\/p>\n\n\n\n<p>Sometimes, we are asked if we can send the list of users still using Basic Auth. Unfortunately, we cannot send you a list, because that information is only available&nbsp;<em>inside<\/em>&nbsp;your tenant for privacy reasons. Of course, this information is available to admins in the Azure portal.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">What\u2019s the Best Way to Disable Basic Auth Once I\u2019m Done?<\/h4>\n\n\n\n<p>The absolute best way to disable Basic Auth is to use Authentication Policies to block Basic Auth. As&nbsp;<a href=\"https:\/\/docs.microsoft.com\/exchange\/clients-and-mobile-in-exchange-online\/disable-basic-authentication-in-exchange-online\" target=\"_blank\" rel=\"noreferrer noopener\">this<\/a>&nbsp;article&nbsp;<em>clearly<\/em>&nbsp;states, if you want to&nbsp;<em>block<\/em>&nbsp;Basic Auth, use Auth Policies. Don\u2019t use Set-CASMailbox or Conditional Access, as those are both&nbsp;<em>post<\/em>-authentication. They prevent access to the data, but they don\u2019t stop authentication.<\/p>\n\n\n\n<p>You might notice that we\u2019re not disabling Autodiscover at this time. 
That\u2019s something we\u2019ll do once the clients that depend on it are using Modern Auth, but it\u2019s also something you can do for yourself with Authentication Policies.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">What If I Still Need Help?<\/h4>\n\n\n\n<p>If you still need help, that\u2019s where our amazing network of&nbsp;<a href=\"https:\/\/docs.microsoft.com\/partner-center\/find-a-partner\" target=\"_blank\" rel=\"noreferrer noopener\">partners<\/a>,&nbsp;<a href=\"https:\/\/mvp.microsoft.com\/MvpSearch\" target=\"_blank\" rel=\"noreferrer noopener\">MVPs<\/a>,&nbsp;<a href=\"https:\/\/techcommunity.microsoft.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">community<\/a>, and&nbsp;<a href=\"https:\/\/support.microsoft.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft support<\/a>&nbsp;engineers come in. There\u2019s a huge amount of experience and knowledge to help you with this transition. So, ask questions, look for help, and most importantly \u2013 disable Basic Auth and get secure!<\/p>\n\n\n\n<p><em><strong>The Exchange Team<\/strong><\/em><\/p>\n\n\n\n<h2 class=\"has-text-align-center wp-block-heading\">STAY INFORMED! CHECK BACK OFTEN FOR UPDATES!<\/h2>\n\n\n\n<p><strong><em>REFERENCES:<\/em><\/strong><br><a href=\"https:\/\/techcommunity.microsoft.com\/t5\/exchange-team-blog\/basic-authentication-deprecation-in-exchange-online-may-2022\/ba-p\/3301866\">Basic Authentication Deprecation in Exchange Online \u2013 May 2022 Update &#8211; Microsoft Tech Community<\/a><br><a href=\"https:\/\/techcommunity.microsoft.com\/t5\/exchange-team-blog\/bg-p\/Exchange\">Exchange Team Blog &#8211; Microsoft Tech Community<\/a><br><a href=\"https:\/\/itblog.ldlnet.net\/index.php\/2021\/04\/20\/enabling-modern-authentication-for-outlook-how-hard-can-it-be\/\">Enabling Modern Authentication for Outlook \u2013 How Hard Can It Be? 
\u2013 IT Blog (ldlnet.net)<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>I wanted to forward this article to everyone for review. This article could not come at a better time with the transition<\/p>\n<p class=\"link-more\"><a class=\"myButt \" href=\"https:\/\/itblog.ldlnet.net\/index.php\/2022\/05\/05\/basic-authentication-deprecation-in-exchange-online-may-2022-update\/\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":877,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,265,194,266],"tags":[9,303,148],"class_list":["post-170902","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-exchange","category-microsoft365","category-office365","category-security-and-compliance","tag-exchange","tag-exchange-online","tag-exchange-upgrade","odd"],"_links":{"self":[{"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/posts\/170902","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/comments?post=170902"}],"version-history":[{"count":4,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/posts\/170902\/revisions"}],"predecessor-version":[{"id":170950,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/posts\/170902\/revisions\/170950"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/media\/877"}],"wp:attachment":[{"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/media?parent=170902"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\
/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/categories?post=170902"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/tags?post=170902"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}