It’s finally time for businesses running Exchange Online to switch from Basic Authentication to Modern Authentication before Microsoft disables the former on October 1, 2022, according to the US Cybersecurity and Infrastructure Security Agency.
One of the key features that Basic Authentication or “Basic Auth” doesn’t support is multi-factor authentication (MFA), which is one of the best protections against identity and password attacks.
CISA’s other reason for federal civilian agencies to switch to Modern Auth immediately is that MFA is a requirement under Biden’s cybersecurity executive order 14028 of May 2021, which requires agencies to implement MFA.
CISA urges all organizations to make the switch before October 1, which is the day Microsoft will start to switch off Basic Auth tenant by tenant across the world. “CISA urges all organizations to switch to Modern Auth before October 1 and enable MFA,” CISA notes.
Once Basic Auth is switched off at a tenant, any clients still using Basic Auth — ranging from Outlook to PowerShell scripts and apps connected to Exchange ActiveSync — will be unable to connect, according to Microsoft.
Non-government organizations can take advantage of CISA’s free guidance, too.
Microsoft has been urging all organizations to switch to Modern Auth for well over a year. It originally planned to disable Basic Auth in the second half of 2021, but in February 2021 delayed this plan due to the pandemic and eventually set a deadline for October 2022.
Modern Auth is useful for security. Microsoft said in January that most customers with Modern Auth enabled were not affected by a particularly crafty phishing attack whereas all customers with Basic Auth were affected.
Microsoft’s Exchange Online team in May warned in a blogpost, which CISA recommends reading, that there are still a lot of Exchange Online customers using Basic Auth. It also explained that, from October 1, it will start turning off Basic Auth for specific protocols in Exchange Online for those customers who still use it.
It won’t switch Basic Auth off for everyone at the same time but rather will randomly select tenants, send a 7-day warning, and then switch it off. But there is no way for customers to request an exception to the timing of the switch-off after October, Microsoft warned.
“We will start to turn off Basic Authentication in our worldwide multi-tenant service on October 1, 2022. To be clear, we will start on October 1; this is not the date we turn it off for everyone. We will randomly select tenants, send 7-day warning Message Center posts (and post Service Health Dashboard notices), then we will turn off Basic Auth in the tenant. We expect to complete this by the end of this year. You should therefore be ready by October 1,” the Exchange Online team said.
“We’re turning off Basic Auth for the following protocols: MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS), and Remote PowerShell.
“We are not turning off SMTP AUTH. We have turned off SMTP AUTH for millions of tenants not using it, but if SMTP AUTH is enabled in your tenant, it’s because we see usage and so we won’t touch it. We do recommend you disable it at the tenant level and re-enable it only for those user accounts that still need it.
“Any client (user app, script, integration, etc.) using Basic Auth for one of the affected protocols will be unable to connect. The app will receive an HTTP 401 error: bad username or password. Any app using Modern Auth for these same protocols will be unaffected,” it clarified.
CISA’s guideline for switching off Basic Auth highlights several reasons Microsoft has given for moving to Modern Auth:
More than 99% of password-spray attacks use legacy authentication protocols
More than 97% of credential-stuffing attacks use legacy authentication
There are 921 password attacks every second — nearly doubling in frequency over the past 12 months
Azure AD accounts in organizations that have disabled legacy authentication experience 67% fewer compromises than those where legacy authentication is enabled
In February, Microsoft warned that just 22% of customers that use Azure Active Directory (AAD) had implemented “strong identity authentication” as of December 2021. It’s previously said that 99% of compromised Microsoft accounts did not have MFA enabled.
Microsoft in May kicked off a major push to get all Azure AD customers to adopt Modern Auth by rolling out “security defaults”, which are aimed at smaller customers to ensure they have basic security hygiene, especially MFA, regardless of the license they had.