Deprecation of “Basic Authentication” in Exchange Online


Having already announced and postponed the deprecation of the “Basic Authentication” authentication method for Exchange Online several times, Microsoft has now set the date: it will deactivate Basic Authentication for Exchange Online on October 1, 2022.

Microsoft is deactivating the method because it is no longer sufficiently secure. In the future, Microsoft will therefore switch to “Modern Authentication”, which better meets modern security requirements.

In this blog article, we would like to provide you with information about the new method that will provide increased security and ease of use in the future. We would also like to show you what to bear in mind for the change.

What is the issue with Basic Authentication?

Basic Authentication (Basic Auth), using a user name and a password, was commonly used for authentication with internet services.

The services had to store the access data, which is transmitted in a simply encoded header line with each request. Even on SSL-encrypted pages, this created countless opportunities for tapping into the data.

Basic Auth also has no option for restricting authorizations. This means that the access data allows users to access all associated applications and corporate data.

What is Modern Authentication?

Modern Authentication (Modern Auth) is based on the Active Directory Authentication Library (ADAL) and OAuth 2.0, guaranteeing secure access to resources. The method uses tokens rather than relying on a user name and password. Login may still be done with user name and password (or with a certificate, for example), but these data are only used for authentication with an identity provider and are not revealed to the services themselves.

The identity provider then generates a token that contains specific information:

  • The token regulates what a user can and cannot access, and for how long access is possible. Once its validity expires, the token must be renewed.
  • The token can also contain details such as the device or location, thereby enabling context-dependent authentication. This means that it is possible to define the situations in which access is possible, and which authentication procedure is to be applied. Modern Auth also allows Single Sign-On to be implemented, as well as the option of enforcing an additional factor during authentication (MFA). This is an important component of the Zero Trust approach.
  • The token can also be used for login with applications that are linked to the Microsoft identity, allowing the same login identity to be used there.
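The contrast between the two methods, as an added example that is not part of the original article: a Basic Auth header gives up the password to anyone who reads it, while a service receiving a token checks its audience, lifetime and scope. Assumptions: HS256 with a constructed key stands in for the identity provider's real signing key, the claim names `aud`, `scp` and `exp` follow common JWT usage, and all sample values are constructed.

```python
import base64, hashlib, hmac, json, time

DEMO_KEY = b"constructed-demo-key"  # assumption: stands in for the identity provider's signing key

def basic_header(user, password):
    # What a Basic Auth client sends with every request.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def recover_credentials(header):
    # Base64 is an encoding, not encryption: whoever sees the header has the password.
    user, _, password = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return user, password

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims):
    # Identity provider side: sign the claims (HS256 keeps the demo stdlib-only).
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def authorize(token, audience, needed_scope, now=None):
    # Service side: accept only a valid, unexpired token issued for this service and scope.
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(DEMO_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return "rejected: bad signature"
        claims = json.loads(b64url_decode(body))
    except (ValueError, TypeError):
        return "rejected: malformed token"
    if claims.get("aud") != audience:
        return "rejected: wrong audience"
    if (now if now is not None else time.time()) >= claims.get("exp", 0):
        return "rejected: expired"
    if needed_scope not in claims.get("scp", "").split():
        return "rejected: scope not granted"
    return "allowed"
```

The service never sees the password; it only sees the signed claims, so a token that leaks is limited to one audience, one set of scopes and one validity window.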

Authentication takes place as follows for users: They are normally forwarded to the Authentication Endpoint (M365) using an integrated browser window (WebView), and must perform authentication there. M365 then decides whether and how access may be granted to the queried resources.

Who is affected by this change?

Customers using Microsoft Outlook for Mobile are not affected by the change, as the application already uses Modern Authentication as standard.

Customers using a different email application need to look into their authentication method, as Basic Authentication is currently used as standard in many applications. If you have not already changed this manually, it is likely that you will need to perform the change.

What do you need to bear in mind for the change?

No change of mail clients to Modern Authentication should take place without some advance planning, as each company has different security settings and requirements for authentication with Microsoft 365.

We strongly advise that you check the configuration steps required, to avoid subsequent problems during authentication. Additionally, depending on the mail client and the UEM system, there may also be different configuration options that need to be taken into account.

At the same time, the change is a good opportunity to implement further convenience functions – such as Single Sign-On mechanisms. This makes the use of the devices not only safer, but also simpler.

We are happy to provide you with advice for configuration and assist you in the change. This allows us to help you to increase your level of security, while taking ease of use into account. Please feel free to contact us.
