Microsoft disables Basic Authentication for Exchange Online

For years, applications have used basic authentication to connect to servers, services, and API endpoints. Basic authentication simply means that the application sends a username and password with every request, and those credentials are often also stored on the device. Traditionally, basic authentication is enabled by default on most servers and services, and it is easy to set up. Simplicity isn't a bad thing in itself, but basic authentication makes it easier for attackers to capture credentials (especially when they aren't protected by TLS), and it increases the risk that stolen credentials are reused against other endpoints or services.

Basic authentication: an outdated industry standard

Basic authentication is an outdated industry standard, and the threats against it have only increased in recent years. Today there are better and more effective alternatives for user authentication. At Universal we strongly recommend that our customers apply security strategies such as Zero Trust (never trust, always verify) and implement additional security policies for users and devices that access corporate resources. These alternatives make it possible to decide intelligently who is trying to access what, from which location and on which device, rather than relying on a username and password alone, which a malicious person could use to impersonate a legitimate user.

Legacy protocol in Exchange Online

Microsoft is removing the ability to use basic authentication in Exchange Online for the following protocols and clients:

  • Exchange ActiveSync (EAS)
  • POP
  • IMAP
  • Remote PowerShell
  • Exchange Web Services (EWS)
  • Offline Address Book (OAB)
  • Outlook for Windows and Mac

In addition, SMTP AUTH is disabled in all tenants in which it is not used.
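Before the protocols above are switched off, most organizations want to know which users and applications still sign in with them. The script below is an added example, not code from the original post or from Microsoft: it reads newline-delimited JSON sign-in records (a constructed sample is embedded) and groups users by the legacy protocol they used. The `clientAppUsed` values in the mapping are the ones Microsoft Entra sign-in logs report for legacy authentication as I understand the documentation; treat that mapping as an assumption and verify it against an export from your own tenant.

```python
import json
from collections import defaultdict

# clientAppUsed values reported for legacy (basic) authentication, mapped to the
# protocols named in the post. Assumed from Entra sign-in log documentation;
# verify against your own tenant's export before relying on it.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync": "EAS",
    "POP3": "POP",
    "IMAP4": "IMAP",
    "Exchange Online PowerShell": "Remote PowerShell",
    "Exchange Web Services": "EWS",
    "Offline Address Book": "OAB",
    "Outlook Anywhere (RPC over HTTP)": "Outlook",
    "MAPI Over HTTP": "Outlook",
    "Authenticated SMTP": "SMTP AUTH",
    "Other clients": "Other legacy client",
}

# Constructed sample records, shaped like newline-delimited JSON from a sign-in
# log export (field names follow the Graph signIn resource; values are made up).
SAMPLE_SIGNINS = """\
{"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser", "appDisplayName": "Office 365", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4", "appDisplayName": "Legacy mail client", "status": {"errorCode": 0}}
{"userPrincipalName": "carol@example.com", "clientAppUsed": "Exchange ActiveSync", "appDisplayName": "Phone mail app", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "clientAppUsed": "Authenticated SMTP", "appDisplayName": "Scanner", "status": {"errorCode": 0}}
{"userPrincipalName": "dave@example.com", "clientAppUsed": "Mobile Apps and Desktop clients", "appDisplayName": "Outlook", "status": {"errorCode": 0}}
{"userPrincipalName": "erin@example.com", "clientAppUsed": "POP3", "appDisplayName": "Legacy mail client", "status": {"errorCode": 50126}}
"""


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def legacy_auth_report(records, successful_only=True):
    """Group users by the legacy protocol they signed in with.

    Returns {protocol: sorted list of UPNs}. Failed sign-ins are excluded by
    default: a failed attempt (e.g. a wrong password) does not prove that a
    working client still depends on basic authentication.
    """
    report = defaultdict(set)
    for rec in records:
        proto = LEGACY_CLIENT_APPS.get(rec.get("clientAppUsed"))
        if proto is None:
            continue  # modern-auth client (Browser, Mobile Apps and Desktop clients, ...)
        if successful_only and rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        report[proto].add(rec["userPrincipalName"])
    return {proto: sorted(users) for proto, users in report.items()}


if __name__ == "__main__":
    for proto, users in sorted(legacy_auth_report(parse_signins(SAMPLE_SIGNINS)).items()):
        print(f"{proto}: {', '.join(users)}")
```

Run against a real export, the output is the list of users and apps (the `appDisplayName` field is kept in the records for follow-up) that need to be migrated to a modern-authentication client before the protocol is disabled. Passing `successful_only=False` also surfaces failed legacy sign-ins, which is useful for spotting password-guessing against the soon-to-be-disabled endpoints.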

Next step: modern authentication

This decision requires customers to move from apps that use basic authentication to apps that use modern authentication. Modern authentication (OAuth 2.0 token-based authorization) has many advantages and improvements that address the weaknesses of basic authentication. For example, OAuth access tokens have a limited lifetime and are specific to the application and resource for which they were issued, so they cannot simply be reused elsewhere. Enabling and enforcing multifactor authentication (MFA) is also easy with modern authentication.
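The two points the post makes, that basic authentication sends the password itself with every request and that an access token is bound to a resource and a lifetime, are easiest to see side by side. The following is an added example, not code from the original post or from Microsoft: it builds and decodes a `Basic` Authorization header, then issues and validates a deliberately simplified HMAC-signed token (a stand-in for a real OAuth 2.0 access token, which is signed by the identity provider and carries more claims). The signing key, audience and scope values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time


def basic_auth_header(username, password):
    """Build the Authorization header that basic authentication sends with every request."""
    credentials = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(credentials).decode("ascii")


def credentials_from_basic_header(header):
    """Recover the username and password from a Basic header.

    Base64 is an encoding, not encryption: anyone who sees the header without
    TLS protection, or finds it stored on a device, has the password.
    """
    scheme, _, encoded = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    user, _, pwd = base64.b64decode(encoded).decode("utf-8").partition(":")
    return user, pwd


# Simplified token: JSON claims + HMAC signature. Constructed key for the example;
# real access tokens are signed by the identity provider, not by the resource.
SIGNING_KEY = b"constructed-example-signing-key"


def issue_token(subject, audience, scope, lifetime_s, now=None):
    """Issue a token bound to one audience (resource) with a fixed lifetime."""
    now = int(now if now is not None else time.time())
    claims = {"sub": subject, "aud": audience, "scp": scope, "iat": now, "exp": now + lifetime_s}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode("utf-8")).decode("ascii")
    sig = hmac.new(SIGNING_KEY, body.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def validate_token(token, expected_audience, now=None):
    """Return the claims if the token is authentic, unexpired and issued for this resource, else None."""
    now = int(now if now is not None else time.time())
    body, _, sig = token.partition(".")
    expected_sig = hmac.new(SIGNING_KEY, body.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected_sig):
        return None  # tampered or forged
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["aud"] != expected_audience:
        return None  # issued for a different resource: cannot be replayed here
    if claims["exp"] <= now:
        return None  # lifetime is over
    return claims


if __name__ == "__main__":
    header = basic_auth_header("alice@example.com", "s3cret")
    print(header, "->", credentials_from_basic_header(header))
    token = issue_token("alice@example.com", "https://mail.example.com", "IMAP.AccessAsUser.All", 3600)
    print("valid for mail:", validate_token(token, "https://mail.example.com") is not None)
    print("valid for files:", validate_token(token, "https://files.example.com") is not None)
```

The contrast is the point: a captured Basic header yields the password, which works against every service that accepts it until the password is changed, whereas a captured token is rejected by any resource other than its audience and stops working on its own once `exp` passes. Real tokens add issuer checks and provider signatures (asymmetric keys published by the identity provider), but the audience and expiry checks shown here are the ones that make a token, unlike a password, not freely reusable.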
We are here to help you determine how this impacts your organization. Reach out to us for more information on security as a service or book your free quick scan today!
