Arraya Insights | April 16, 2020
As part of the company’s ongoing efforts to boost security throughout its solution portfolio, Microsoft has announced that, during the second half of 2021, it will pull the plug on basic authentication in Exchange Online. From that point on, applications and user identities must be validated via – what else? – modern authentication.
We checked in with our Workspace Team to learn more about basic authentication, modern authentication and the transition from one to the next. Here’s what they shared:
Arraya Insights: What’s the difference between basic and modern authentication?
Workspace Team: Not to get overly technical, but one is modern and the other one is not. Basic authentication uses only usernames and passwords to verify the legitimacy of actions taken on an application. As such, basic authentication is vulnerable should users have their credentials stolen. It’s also challenging to supplement basic authentication with greater security through multifactor authentication (MFA). Essentially, all of the things that keep security pros up at night. Modern authentication solves this by adding another layer of verification into the mix, incorporating OAuth tokens to ensure the person is who he or she claims to be.
AI: What will (and won’t) be affected by this change?
WT: Specifically, end of support for basic authentication will impact utilities like Exchange Web Services (including Outlook for Windows and Outlook for Mac), Exchange Online ActiveSync (EAS) as well as POP and IMAP connections. Admins take note: This change will also affect Remote PowerShell. It is worth singling out one thing in particular that will explicitly not be affected: SMTP Auth. At least, that is, it won’t be affected for the time being. Microsoft’s reasoning for exempting SMTP is straightforward enough: It would be too disruptive. Vast numbers of devices count on SMTP to send emails. Taking that out of the equation would, in turn, change this from a topic for a single blog post to a series.
AI: Are all versions of Outlook for Windows and Outlook for Mac affected?
WT: Unless your organization is using an older or out-of-date version of either solution, you’re likely going to be OK on this front. Outlook for Windows began supporting modern authentication with its Outlook 2013 release, although it needed a registry key to activate. Outlook 2016 had support for modern authentication enabled by default. Outlook for Mac has also supported modern authentication since its 2016 edition.
AI: What about my devices that rely on POP and IMAP?
WT: If your POP or IMAP-synced devices can be updated to support modern authentication, then don’t worry. You’re in the clear and they should continue to function as expected once you make that changeover. POP or IMAP devices set to poll for emails and that can’t, for whatever reason, be updated will run into issues. Organizations with anything fitting that bill will want to make sure they’ve addressed it long before that point to avoid any service interruption.
AI: How can I figure out the size of my basic authentication footprint?
WT: One way to see everything in your tenant still leveraging basic authentication is to use the Azure AD Sign-In Report. Microsoft recently added the ability to track authentication method to this report. If you’re unfamiliar, this tool can be found in a side menu in the Azure AD admin center under the designation: Sign Ins. In its default state, this report tracks sign-ins, dates, times, IP addresses; however, it can be enhanced to include client app. You can then apply filters to the list to pare it down until only connections taking place through basic authentication remain. It’s also possible to root out basic authentication in Outlook by way of looking at the dialogue box that pops up, as demonstrated HERE by Microsoft. You can also hold CTRL and right-click the Outlook tray icon and from there choose Connection Status. In the window that opens, any connection labeled “Bearer” uses modern authentication while those marked “Clear” use basic.
AI: What does this mean for PowerShell?
WT: In a recent blog post on the subject, Microsoft committed to supporting “non-interactive scripts” by way of Remote PowerShell and certificate-based authentication. This project, however, is ongoing and will likely remain so for the next several months. In the meantime, the company pointed admins-in-need toward PowerShell V2 Module as well as Azure Cloud Shell.
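As an added example (not from Arraya or Microsoft), the filtering step described in the answer on sizing the basic authentication footprint can be run offline over a JSON export of the sign-in report, keeping the SMTP Auth exemption separate. It assumes records carry the Microsoft Graph sign-in field names `createdDateTime`, `userPrincipalName`, `clientAppUsed` and `ipAddress`, and that the client app labels in the two sets match those shown in your report; the sample records are constructed.

```python
import json

# Assumed client app labels for the protocols the article lists as affected.
AFFECTED = {"Exchange Web Services", "Exchange ActiveSync", "POP3", "IMAP4",
            "Exchange Online PowerShell"}
# SMTP Auth is exempt for the time being: track it, but in its own bucket.
EXEMPT = {"Authenticated SMTP"}

# Constructed sample export (not real tenant data).
SAMPLE_EXPORT = json.dumps([
    {"createdDateTime": "2020-04-01T08:15:00Z", "ipAddress": "203.0.113.10",
     "userPrincipalName": "scanner@example.com", "clientAppUsed": "IMAP4"},
    {"createdDateTime": "2020-04-02T08:15:00Z", "ipAddress": "203.0.113.11",
     "userPrincipalName": "Scanner@example.com", "clientAppUsed": "IMAP4"},
    {"createdDateTime": "2020-04-02T09:00:00Z", "ipAddress": "198.51.100.7",
     "userPrincipalName": "alice@example.com",
     "clientAppUsed": "Mobile Apps and Desktop clients"},
    {"createdDateTime": "2020-04-02T09:30:00Z", "ipAddress": "203.0.113.20",
     "userPrincipalName": "printer@example.com", "clientAppUsed": "Authenticated SMTP"},
    {"createdDateTime": "2020-04-03T02:00:00Z", "ipAddress": "198.51.100.9",
     "userPrincipalName": "admin@example.com",
     "clientAppUsed": "Exchange Online PowerShell"},
    {"createdDateTime": "2020-04-03T03:00:00Z", "ipAddress": None,
     "userPrincipalName": "bob@example.com", "clientAppUsed": None},
])

def basic_auth_footprint(export_json):
    """Return (affected, exempt); each maps (user, client app) to a dict
    holding the sign-in count, the source IPs and the latest timestamp."""
    affected, exempt = {}, {}
    for rec in json.loads(export_json):
        app = (rec.get("clientAppUsed") or "").strip()
        bucket = affected if app in AFFECTED else exempt if app in EXEMPT else None
        if bucket is None:
            continue  # modern-auth client, or no client app recorded
        user = (rec.get("userPrincipalName") or "unknown").lower()
        entry = bucket.setdefault((user, app), {"count": 0, "ips": set(), "last_seen": ""})
        entry["count"] += 1
        if rec.get("ipAddress"):
            entry["ips"].add(rec["ipAddress"])
        # ISO 8601 UTC timestamps in one format compare correctly as strings.
        entry["last_seen"] = max(entry["last_seen"], rec.get("createdDateTime") or "")
    return affected, exempt

if __name__ == "__main__":
    found, smtp = basic_auth_footprint(SAMPLE_EXPORT)
    for label, bucket in (("AFFECTED", found), ("EXEMPT FOR NOW", smtp)):
        for (user, app), e in sorted(bucket.items()):
            print(label, user, app, e["count"], e["last_seen"], sorted(e["ips"]))
```

Accounts that appear only in the exempt bucket keep working for now; everything in the affected bucket needs a modern authentication path before the cutoff.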
Next Steps: Get ready for basic authentication end of support
Need help prepping your environment for when basic authentication hits end of support? Arraya can help. Our team of workspace experts will help you track down and resolve any possible sticking points so that your organization won’t have to worry about any interruptions. Visit https://www.arrayasolutions.com/contact-us/ to start a conversation with our team now.