Basic authentication in Exchange will not make it past the winter of 2022: this feature allowed users to connect to Exchange servers using a simple username/password pair. Because the feature is vulnerable, Microsoft had announced its intention to remove support for it in the second half of 2021. This first date was nevertheless postponed due to the Covid-19 pandemic, which prompted Microsoft to review its schedule: the publisher had announced in February that this deactivation would be put on hold to make life easier for system administrators during the 2021 pandemic. The publisher nevertheless began deactivating support for the feature for some customers who had not used Basic Authentication since June.
But eventually, Microsoft wants to disable Basic Authentication for all Exchange Online users. In a blog post, Microsoft set a new date for this change: it will take effect from October 2022. From that date, it will no longer be possible to use Basic Authentication to connect to Exchange Online, and users will need to switch to Modern Authentication, another feature that supports more advanced authentication technologies such as multi-factor authentication, smart cards, certificate-based authentication, or third-party identity providers. Modern Authentication is enabled by default for many Exchange Online users, but this is not the case for users who purchased an Exchange Online plan prior to 2017.
No more time to wait
Microsoft states that the purpose of this deactivation of the authentication protocol is to strengthen user security by blocking support for devices now considered obsolete. In its blog post on the announcement, Microsoft states that “Basic Authentication is an outdated standard, and the threats posed by Basic Authentication have only increased since we first announced this change. (…) We take you seriously, and our ultimate goal is to turn off Basic Authentication for all of our customers. But every day, with Basic Authentication enabled for your users, your data is at risk, so your role is to protect your customers and applications. Do away with Basic Authentication, move them to stronger and better alternatives.”
The “threats posed by Basic Authentication” have recently come to the fore after the Guardicore company discovered unexpected behavior in the Exchange authentication protocol. The bug discovered by the researchers enabled them to recover pairs of usernames and passwords from users who tried to connect through a basic authentication mechanism by exploiting fake domain names. Researchers also uncovered a vulnerability that forced users to log in using Basic Authentication, which lacked encryption for data in transit.