Modern Authentication vs Basic Authentication, SMTP AUTH

Get IT done with us…

  • Modern Authentication
  • Basic Authentication
  • SMTP Auth

Deprecation of Basic authentication in Exchange Online

In September 2021, The Microsoft announced that effective October 1, 2022, they will begin disabling Basic authentication for Outlook, EWS, RPS, POP, IMAP, and EAS protocols in Exchange Online. SMTP Auth will also be disabled if it is not being used. See full announcement: Basic Authentication and Exchange Online – September 2021 Update.

It has been years we are using Basic Authentication (Legacy Protocols), In this modern workflow demands more powerful and secured methods to connect with linked applications and devices. Traditionally, Basic authentication is enabled by default on most servers or services and is simple to set up. Basic authentication makes it easier for attackers to capture user credentials (particularly if the credentials are not protected by TLS), which increases the risk of those stolen credentials being reused against other endpoints or services.

We all must adopt new security strategies such as Zero Trust (Never Trust, Always Verify), or apply real-time assessment policies when users and devices access corporate information. These alternatives allow for intelligent decisions about who is trying to access what from where on which device rather than simply trusting an authentication credential that could be a bad actor impersonating a user

What we are changing

Microsoft removing the ability to use Basic authentication in Exchange Online for Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, Exchange Web Services (EWS), Offline Address Book (OAB), Outlook for Windows, and Mac.

Also disabling SMTP AUTH in all tenants in which it’s not being used.

How do you know if your users will be impacted?

Simply, to identify whether an app (i.e., Outlook for Desktop) is configured using Basic Authentication, find the difference between authentication prompts shown below.

What if I want to block Basic authentication now?

Here’s a table summarizing the options for proactively disabling basic authentication

Security Defaults– Blocks all legacy authentication at the tenant level for all protocols
– No additional licensing required
– Cannot be used together with Azure AD Conditional Access policies
– Potential other impact such as requiring all users to register for and require MFA
Exchange Online Authentication Policies– Allows for a phased approach with disablement options per protocol
– No additional licensing required
– Blocks basic authentication pre-auth
Admin UI available to disable basic authentication at org-level but exceptions require PowerShell
Azure AD Conditional Access– Can be used to block all basic authentication for all protocols
– Can be scoped to users, groups, apps, etc.
– Can be configured to run in report-only mode for additional reporting
– Requires additional licensing (Azure AD P1)
– Blocks basic authentication post-auth

The Easiest way to start with Modern Authentication is Security Defaults:

Enabling Security Defaults

In next article, we will cover SMTP AUTH….

Thank you for taking your time here.

Leave a Comment