According to the US Cybersecurity and Infrastructure Security Agency, it’s finally time for companies using Exchange Online to switch from basic authentication to modern authentication before Microsoft shuts down the former on October 1, 2022.
One of the main features that Basic Authentication or “Basic Auth” doesn’t support is multi-factor authentication (MFA), one of the best defenses against identity and password attacks.
CISA’s other reason for federal civilian agencies to switch to Modern Auth immediately is that MFA is a requirement under Biden’s cybersecurity executive order (EO 14028) of May 2021, which requires agencies to implement MFA.
CISA is urging all organizations to make the switch before October 1, the day Microsoft will begin disabling Basic Auth tenant by tenant around the world. “CISA urges all organizations to transition to Modern Auth and enable MFA by October 1,” CISA notes.
Once Basic Auth is disabled on a tenant, all clients still using Basic Auth — ranging from Outlook to PowerShell scripts and apps connected to Exchange ActiveSync — won’t be able to connect, Microsoft said.
Non-governmental organizations can also benefit from CISA’s free guidance.
Microsoft has been urging all organizations to move to Modern Auth for over a year now. It originally planned to switch off Basic Auth in the second half of 2021, but in February 2021 it delayed that plan because of the pandemic and eventually set a deadline of October 2022.
Modern authentication has a clear security benefit: Microsoft said in January that most customers with Modern Auth enabled were not affected by a particularly cunning phishing attack, while all customers using Basic Auth were affected.
In a blog post in May, which it recommends reading, Microsoft’s Exchange Online team warned that there are still many Exchange Online customers using Basic Auth. It also explained that starting October 1 it will disable Basic Auth for specific protocols in Exchange Online for those customers who still use it.
Microsoft won’t disable Basic Auth for everyone at once; it will randomly select tenants, send a 7-day warning, and then disable it. But there is no way for customers to request an exception to the timing of the shutdown after October, Microsoft warned.
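The first question a tenant administrator has after reading this is which accounts and which protocols still depend on Basic Auth. The following script is an added example, not code from the article or from Microsoft: it reads Azure AD sign-in logs through the Microsoft Graph PowerShell SDK and reports every user/protocol pair that used a legacy-authentication client in the last 30 days. It assumes the Microsoft.Graph.Reports module is installed, that the signed-in account holds the AuditLog.Read.All permission, and that the tenant’s licensing exposes sign-in logs through Graph; the output path is a placeholder.

```powershell
# Added example: find accounts still signing in with legacy (Basic Auth) protocols
# by reading Azure AD sign-in logs via the Microsoft Graph PowerShell SDK.
# Assumes Microsoft.Graph.Reports is installed and the caller has AuditLog.Read.All.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# Client-app labels Azure AD assigns to legacy-authentication sign-ins
# (comparison below is case-insensitive, so "MAPI over HTTP" casing differences do not matter).
$legacyApps = @(
    "Exchange ActiveSync", "Exchange Web Services", "IMAP4", "POP3",
    "MAPI Over HTTP", "Offline Address Book", "Outlook Anywhere (RPC over HTTP)",
    "Authenticated SMTP", "Exchange Online PowerShell", "Autodiscover", "Other clients"
)

# Look back 30 days. The date filter runs server-side; the protocol match runs locally.
$since   = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

$legacy = $signIns | Where-Object { $_.ClientAppUsed -in $legacyApps }

# One row per user/protocol pair, most recent sign-in first, so you know exactly
# which accounts and which of the affected protocols still need migrating.
$report = $legacy |
    Group-Object UserPrincipalName, ClientAppUsed |
    ForEach-Object {
        $newest = ($_.Group | Sort-Object CreatedDateTime -Descending)[0]
        [pscustomobject]@{
            User       = $newest.UserPrincipalName
            Protocol   = $newest.ClientAppUsed
            App        = $newest.AppDisplayName
            SignIns    = $_.Count
            # ErrorCode 0 means the sign-in succeeded; failures may be password-spray noise.
            Successful = ($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
            LastSeen   = $newest.CreatedDateTime
        }
    } |
    Sort-Object LastSeen -Descending

$report | Format-Table -AutoSize
# Placeholder path: keep the export so the migration list can be tracked to zero.
$report | Export-Csv -Path .\legacy-auth-signins.csv -NoTypeInformation
```

Separating successful from failed legacy sign-ins matters: a user with many failed IMAP4 or Authenticated SMTP attempts and no successes is more likely a password-spray target than a real legacy client, which is the point of CISA’s statistics further down the article.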
“On October 1, 2022, we will be disabling Basic Authentication in our global multi-tenant service. We’ll get started on October 1; this is not the date we turn it off for everybody. We’ll randomly select tenants, send Notification Center messages with 7-day alerts (and post Service Health Dashboard notifications), then disable Basic Authentication in the tenant. We expect to complete this by the end of this year. So you should be ready by October 1,” the Exchange Online team said.
“We disable Basic Auth for the following protocols: MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS), and Remote PowerShell.
“We’re not disabling SMTP AUTH. We’ve disabled SMTP AUTH for millions of tenants that don’t use it, but if SMTP AUTH is enabled in your tenant, it’s because we see its usage and so don’t do anything about it. We do advise you to disable it at the tenant level and re-enable it only for those user accounts that still need it.
“Any client (user app, script, integration, etc.) using Basic Auth for any of the affected protocols will be unable to connect. The app will receive an HTTP 401 error: bad username or password. Any app that uses Modern Auth for the same protocols will not be affected,” the team clarified.
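Rather than wait for Microsoft’s randomly scheduled cut-off, a tenant can block Basic Auth on its own terms now and handle SMTP AUTH the way the Exchange team describes above (off at the tenant level, on only for the accounts that still need it). The script below is an added example, not code from the article or from Microsoft: it uses Exchange Online authentication policies from the ExchangeOnlineManagement module. It assumes an account that can administer the tenant; the policy name and the user addresses are placeholders.

```powershell
# Added example: block Basic Auth for all client protocols with an Exchange Online
# authentication policy, then restrict SMTP AUTH to explicitly exempted mailboxes.
# Assumes the ExchangeOnlineManagement module; names and addresses are placeholders.
Connect-ExchangeOnline

# A new authentication policy created without any -AllowBasicAuth* switch blocks
# Basic Auth for every protocol: MAPI, RPC, OAB, EWS, POP, IMAP, EAS,
# Remote PowerShell, SMTP, Autodiscover and the reporting/Outlook services.
$policyName = "Block Basic Auth"
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}

# Stage the rollout: an explicit per-user assignment takes precedence over the
# tenant default, so pilot users can be moved first (placeholder address).
Set-User -Identity "pilot.user@contoso.example" -AuthenticationPolicy $policyName

# Policy changes can take up to 24 hours to apply; forcing a refresh of the
# pilot user's tokens makes the block take effect immediately.
Set-User -Identity "pilot.user@contoso.example" -STSRefreshTokensValidFrom (Get-Date)

# Once the pilot is clean, make the policy the tenant default so everyone inherits it.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# Verify: every AllowBasicAuth* property on the policy should read False.
Get-AuthenticationPolicy -Identity $policyName | Format-List Name, AllowBasicAuth*

# SMTP AUTH, as the Exchange team advises: disable it for the whole tenant, then
# re-enable it per mailbox only for devices or apps that cannot use OAuth
# (a multifunction scanner is the typical case; placeholder address).
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
Set-CASMailbox -Identity "scanner@contoso.example" -SmtpClientAuthenticationDisabled $false

# Report the mailboxes that are explicitly exempted so the exception list is
# reviewed regularly instead of growing silently. A blank value means the
# mailbox inherits the tenant setting; only explicit $false entries are exemptions.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object PrimarySmtpAddress, SmtpClientAuthenticationDisabled
```

Two caveats a practitioner should keep in mind: the authentication policy only governs Exchange Online, so it complements rather than replaces an Azure AD Conditional Access policy that blocks legacy authentication across all workloads, and the mailboxes exempted for SMTP AUTH remain exactly the accounts that cannot be protected by MFA, so they should use long, unique passwords and be monitored for the sign-in patterns described earlier.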
CISA’s guidance on disabling Basic Auth highlights several reasons Microsoft gave for moving to Modern Auth:
Over 99% of password spray attacks use outdated authentication protocols
Over 97% of credential stuffing attacks use legacy authentication
Every second there are 921 password attacks – almost doubling in frequency in the last 12 months
Azure AD accounts in organizations that have disabled legacy authentication experience 67% fewer compromises than those where legacy authentication is enabled
In February, Microsoft warned that only 22% of customers using Azure Active Directory (AAD) had implemented “strong identity authentication” as of December 2021. Microsoft had previously said that 99% of compromised Microsoft accounts did not have MFA enabled.
In May, Microsoft started a big push to get all Azure AD customers to adopt modern authentication by rolling out “security defaults”, targeting smaller customers to ensure they have basic security hygiene, especially MFA, regardless of their license.