Microsoft to disable old school authentication for Exchange Online

Representational image depecting cybersecurity protection
(Image credit: Shutterstock)

Microsoft has announced it will begin disabling HTTP-based authentication scheme Basic Authentication.

The move will impact random tenants using Exchange Online worldwide from October 1, 2022.

The move to axe the old school authentication procedure, which dates back to the early 90s, was announced in September 2021, after being initially pushed back due to the pandemic.

What is Basic Authentication?

Basic Authentication is a method which allows a HTTP user agent, for example a web browser, to provide a username and password when making a request.

Microsoft says there will be no way to request an exception after October 2022.

However, Basic Authentication can be disabled at the time of the user’s choosing via using Microsoft’s Authentication Policies. 

What should users do?

Microsoft’s documentation page lists some of the most commonly encountered issues among users and what can be done to switch from basic to Modern Authentication.

This advice includes ensuring that email service Outlook for Windows is fully up to date, and has the right registry keys in place and most importantly according to Microsoft – that the tenant-wide switch to enable is set to “True”.

Microsoft reiterated that the “absolute best way” to disable Basic Authentication is to use its Authentication Policies feature.

Microsoft warned users not to use Set-CASMailbox or Conditional Access, as these are both post-authentication and though these prevent access to the data, they don’t stop the authentication access.

Microsoft did not specifically call out the reasons for the attempt to improve its ID management, however it did say that Basic Authentication “is still one of, if not the most common ways our customers get compromised, and these types of attacks are increasing”.

“We’ve disabled Basic Authentication in millions of tenants that weren’t using it, and we’re currently disabling unused protocols within tenants that still use it, but every day your tenant has Basic Authentication enabled, you are at risk from attack.”

The news follows recent findings from cybersecurity firm Guardicore that revealed a design flaw in an integral feature of the Microsoft Exchange email server can be abused to harvest Windows domain and app credentials.

The report said that the issue exists in the Microsoft Autodiscover protocol, which helps email clients discover Exchange email servers in order to receive proper configurations. 

Email remains an extremely common endpoint which allows organizations to get exposed to cybercriminals, and Microsoft has been active in terms of adding to its email security offerings.

The company recently has added a new security layer to its Office 365 email service as it looks to improve the integrity of incoming and outgoing messages.

The company says the new protection, SMTP MTA Strict Transport Security (MTA-STS), a feature it first announced in H2 2020, solves problems such as expired TLS certificates, problems with third-party certificates, or unsupported secure protocols.

Will McCurdy has been writing about technology for over five years. He has a wide range of specialities including cybersecurity, fintech, cryptocurrencies, blockchain, cloud computing, payments, artificial intelligence, retail technology, and venture capital investment. He has previously written for AltFi, FStech, Retail Systems, and National Technology News and is an experienced podcast and webinar host, as well as an avid long-form feature writer.