Arraya Insights | October 12, 2021
Microsoft has announced that they’ll be turning off Basic Authentication permanently, as of October 1, 2022. This will be turned off for all protocols in all tenants for Exchange Online. Your Exchange account hosts your work emails, contacts, and calendar.
Basic authentication (also known as proxy authentication) requires only a username and a password for client access requests. The username and password are often stored locally on the device.
While this authentication model was previously the industry standard, it’s now outdated and can pose a significant security risk for those still using it. Attackers can easily steal these credentials when connections are not secured.
Many users who transitioned from on-premises Exchange to the cloud have continued to use basic authentication. Microsoft is removing this as an option, so all users are forced to use modern authentication, a more secure method.
Users should begin transitioning to modern authentication if they haven’t already done so.
What is Modern Authentication?
Modern authentication is a more secure method of identity management.
Modern authentication is an umbrella term for a combination of authentication and authorization methods between a client (for example, your laptop or your phone) and a server, as well as some security measures that rely on access policies that you may already be familiar with.
- Authentication methods: Multi-factor authentication (MFA); smart card authentication; client certificate-based authentication
- Authorization methods: Microsoft’s implementation of Open Authorization (OAuth)
- Conditional access policies: Mobile Application Management (MAM) and Azure Active Directory (Azure AD) Conditional Access
Microsoft is disabling basic authentication to protect the millions of Microsoft Exchange Online users. Requiring MFA significantly improves the security of data in your tenant.
Before You Block Basic Authentication, Complete the Following Steps:
- Verify that modern authentication is enabled in your Exchange Online organization (it’s enabled by default)
- Verify that your email clients and apps support modern authentication and verify that your Outlook desktop clients are running the minimum required cumulative updates
- Connect to Exchange Online PowerShell
Disabling Basic Authentication in Exchange Online
You can block Basic Authentication in Exchange Online by creating authentication policies and assigning them to individual users.
- Create the authentication policy
Note that you can’t change the name of the policy after you create it.
- Assign the authentication policy to users
This can be done through individual user accounts, through filtering user accounts by attributes, using a list of specific user accounts, or by filtering on-premises Active Directory user accounts that are synchronized to Exchange Online.
- Wait 24 hours for the policy to be applied to users, or force the policy to be immediately applied
By default, the changes take effect within 24 hours, but by using the following syntax, you can force the policy to take effect within 30 minutes:
Set-User -Identity <UserIdentity> -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)
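The three steps above, carried out end to end in Exchange Online PowerShell, as an added example that is not part of the original post. The admin UPN, policy name and the Finance department filter are placeholders; it assumes the ExchangeOnlineManagement module is installed.

```powershell
# Added example (not from the Arraya post). Placeholder names throughout.
# Assumes the ExchangeOnlineManagement module is installed.

# Connect to Exchange Online PowerShell (admin UPN is a placeholder)
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

# Pre-check: modern authentication (OAuth 2.0) must be enabled for the tenant
if (-not (Get-OrganizationConfig).OAuth2ClientProfileEnabled) {
    throw "Modern authentication is disabled; enable it before blocking Basic Auth."
}

# Step 1: create the policy. A new policy blocks Basic Auth for every protocol
# unless individual -AllowBasicAuth* switches are set. The name cannot be changed later.
$policyName = "Block Basic Auth"
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}

# Step 2: assign the policy. Here by attribute filter (Finance mailboxes);
# a single -Identity or a text file of UPNs works the same way.
$users = Get-User -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox' -and Department -eq 'Finance'"
foreach ($u in $users) {
    Set-User -Identity $u.UserPrincipalName -AuthenticationPolicy $policyName

    # Step 3: instead of waiting 24 hours, invalidate existing refresh tokens
    # so the policy takes effect within about 30 minutes
    Set-User -Identity $u.UserPrincipalName -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)
}

# Verify which users now carry an authentication policy
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy } |
    Format-Table UserPrincipalName, AuthenticationPolicy

# Optional: once the pilot group is clean, make the policy the tenant default
# Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

Disconnect-ExchangeOnline -Confirm:$false
```

Run it against a pilot group first and watch for clients that stop authenticating; those are the ones still on Basic Authentication.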
Next Steps: Begin the Transition from Basic to Modern Authentication
Active Directory Federation Services (ADFS) will be affected by this transition. Those still using ADFS will need to migrate to Azure authentication. If you’re still using ADFS, we can help you with the process of migrating to Azure Active Directory (Azure AD).
The longer you rely on basic authentication, the more you’re putting your business at risk. Contact an Arraya expert today to begin the transition to modern authentication.
Visit https://www.arrayasolutions.com/contact-us/ to connect with our team now.
Follow us to stay up to date on our industry insights and unique IT learning opportunities.