Wednesday, September 25, 2019

Basic Authentication being Disabled in Exchange Online

On the 13th of October 2020, Microsoft announced they are turning of Basic Authentication across all protocols in Exchange Online apart from SMTP.  Basic Authentication will be turned of on all web services on 13th of October 2020 including POP and IMAP.  This was published here:

https://techcommunity.microsoft.com/t5/Exchange-Team-Blog/Improving-Security-Together/ba-p/805892

Microsoft are pushing people to use Modern Authentication (OAUTH2) which provides numerous advantages over basic authentication.  Basic Authentication is secure provided it is encrypted with TLS and has been used since Exchange 5.5 and is still heavily used now even in Exchange Sever 2019, however there are more secure ways which provide support for additional security such as Multi Factor Authentication (MFA).

I have issues with this announcement - many customers that have enterprise applications which connect to Exchange via basic authentication using POP or IMAP4 over TLS - and this is the only connectivity option these applications support.

Microsoft say in the announcement that they know this will cause potential disruption but they want to force companies to adopt the new authentication technology.  I have many customers with help desk ticketing systems, ERP solutions, document management, life-cycle management system etc that only support basic authentication.  Not to mention, as of 26/09/2019 Microsoft still doesn't even support Modern Authentication on POP or IMAP (commonly used for applications to connect) and say in their article "we are planning on adding OAuth Support to both POP and IMAP in next few months".  Great - gives application vendors lots of time to prepare!

The benefit of Exchange Server on-premises is you can control your own destiny and if you have applications you have invested 10 million+ into developing or rolling out, you wont expect that your cloud vendor will suddenly flick a switch and cause your application to stop functioning correctly.

If your using Basic Authentication in O365 - and I know many of you reading this article would be in some extent (most likely mobile phones) - make sure you address this, install the Outlook for Mobile application, upgrade your enterprise applications to ensure your ready for this significant change.