With a holiday break upon us, Microsoft is again warning Exchange customers of the deprecation of basic authentication in Exchange, which will take place early in the new year once employees come back from a long break.
The Redmond, Wash.-based IT giant has been warning customers of this move for a while, and the time has finally come, as Microsoft will permanently turn off basic auth for multiple protocols for many Exchange Online tenants.
In fact, Microsoft says in a Tech Community blog that it has “taken more than three years” for this to finally come to fruition.
Early next month, Microsoft will be sending messages via Message Center to affected tenants about a week before the configuration change is made to permanently disable Basic auth for protocols in scope. Those protocols include MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS) and Remote PowerShell.
However, the company will not be disabling or changing any settings for SMTP AUTH, but Microsoft suggests that organizations do that themselves.
Once basic auth is permanently disabled, any clients or apps connecting using basic auth to one of the affected protocols will get a bad username/password/HTTP 401 error. The only way to fix that error is to update the client or app or use a different client or app that supports modern authentication.
Microsoft has issued blogs and other messaging about the move this year, including one post in which the company said password spraying attacks are becoming more frequent. These attacks are hard to detect since the username being used keeps changing and accounts don’t get locked, Microsoft says.
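The detection problem described above, as an added example (not code from Microsoft or the original article): during a spray, per-account failure counts never reach a lockout threshold, so the check groups failed sign-ins by source and counts distinct accounts instead. The event tuples, thresholds, addresses and function names are constructed assumptions, and the events are assumed to be pre-filtered to one time window.

```python
from collections import Counter, defaultdict

LOCKOUT_THRESHOLD = 5  # assumed: failed sign-ins before an account locks
MIN_ACCOUNTS = 4       # assumed: distinct failing accounts per source worth flagging


def build_sample():
    """Constructed events for one time window: (source, user, protocol, success)."""
    # One source tries six different accounts once each (spray pattern).
    events = [("203.0.113.10", f"user{i}@example.com", "IMAP", False) for i in range(6)]
    # One source hammers a single account (classic brute force).
    events += [("198.51.100.7", "alice@example.com", "POP", False)] * 6
    # A legitimate user mistypes a password once, then signs in.
    events += [("192.0.2.5", "bob@example.com", "EWS", False),
               ("192.0.2.5", "bob@example.com", "EWS", True)]
    return events


def locked_accounts(events, threshold=LOCKOUT_THRESHOLD):
    """Per-account view: the only accounts a lockout policy would notice."""
    failures = Counter(user.lower() for _, user, _, ok in events if not ok)
    return sorted(user for user, count in failures.items() if count >= threshold)


def spray_sources(events, min_accounts=MIN_ACCOUNTS, threshold=LOCKOUT_THRESHOLD):
    """Per-source view: many accounts failing, each below the lockout threshold."""
    per_source = defaultdict(Counter)
    for source, user, _, ok in events:
        if not ok:
            per_source[source][user.lower()] += 1
    return {
        source: len(users)
        for source, users in per_source.items()
        if len(users) >= min_accounts and max(users.values()) < threshold
    }


if __name__ == "__main__":
    sample = build_sample()
    print("accounts that would lock:", locked_accounts(sample))
    print("sources flagged as spraying:", spray_sources(sample))
```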
Microsoft also warns that customers who use Set-CASMailbox to block protocols, thinking that this will block basic auth too, will inadvertently block the use of a protocol entirely, including OAuth. In addition, CASMailbox settings block at the final stage of the client’s journey to mailbox data, so the user is forced to authenticate and pass through Azure Conditional Access before the per-protocol CASMailbox setting is even evaluated.
Read Microsoft’s official documentation for more information.