The Death of Basic Authentication in Office 365

Tuesday, September 24, 2019
Microsoft posted the article, "Improving Security - Together" where they explain that they will be turning off Basic Authentication in Exchange Online for EWS, Exchange ActiveSync (EAS), POP, IMAP and Remote PowerShell on October 13, 2020. That means that only apps that support modern authentication using OAUTH 2 will be able to connect to Exchange Online after that time. There are currently no plans to override this behavior.

I applaud this move, since it greatly improves the security posture for your tenant and Office 365 as a whole. The vast majority of bad actors use Basic authentication (username/password credentials) for their attacks. That said, there are caveats you should be aware of.

Exchange ActiveSync is probably the most heavily utilized protocol in this list. EAS has been shipping with every version of Exchange since Exchange Server 2003. Millions of users across the globe count on it to manage emails from their mobile phones and tablets. Many of these users have moved over to the Outlook mobile apps for iOS and Android, but a very significant number are still using the native email apps on their phones.

Apple started supporting modern auth in iOS 11, so any reasonably up-to-date iOS device should be unaffected by the removal of Basic auth for EAS. Android is a different story. There are so many older devices out there with different Android versions from different vendors, it's hard to say which devices will be affected. Some versions may have native support for OAUTH 2 using the AppAuth for Android library, while some mail apps in the Play Store may have built-in support in the app (Outlook for Android is one example). In the end, you really need to test your apps.

The best way to do that is to set up or reconfigure a mail account on your mobile devices. If you're prompted for modern auth when setting up your account, as in the screenshot below, you should be good to go.

[Screenshot: OAUTH 2 (Modern Auth) prompt]

If you get a Basic authentication prompt within the app, your app probably doesn't support OAUTH 2. Download the Outlook mobile app for iOS or Android, or another email app that supports it.

The POP and IMAP protocols are less often used, but when they are, it's typically for app integration with a line-of-business (LOB) app. Examples include help desk ticketing systems, ERP solutions, life-cycle management systems, etc. These apps are usually critical to the business, so anything that affects email connectivity must be carefully planned. Microsoft is planning to add OAuth support to both POP and IMAP in the next few months, but the apps that use these protocols must also be updated to support it. That means software updates for these LOB apps (assuming they will support OAUTH 2), possibly additional support costs, contracts, etc. Plan ahead and talk with these vendors now to see how they plan to support OAUTH 2. You may even need to go so far as to change LOB solution providers.
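As an added example (not from the original post), here is how an Exchange Online admin could inventory which mailboxes still have EAS, POP or IMAP enabled ahead of the cutover, and stage an authentication policy that blocks Basic Auth for the retiring protocols on a pilot group before making it the tenant default. It assumes the ExchangeOnlineManagement module is installed and you hold an Exchange admin role; the policy name and the pilot group name are placeholders.

```powershell
# Added example, not from the post. Assumes ExchangeOnlineManagement is installed.
Connect-ExchangeOnline

# 1. Inventory: which mailboxes still have the legacy protocols switched on?
#    These are the mailboxes whose devices and LOB integrations need testing.
$legacy = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -or $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object DisplayName, PrimarySmtpAddress, ActiveSyncEnabled, PopEnabled, ImapEnabled

# Export the list for the vendor and device conversations the post recommends.
$legacy | Export-Csv -Path .\legacy-protocol-mailboxes.csv -NoTypeInformation
"{0} mailboxes still have EAS, POP or IMAP enabled" -f @($legacy).Count

# 2. Policy: block Basic Auth for the protocols Microsoft is retiring.
#    A new authentication policy blocks Basic Auth for every protocol by default;
#    the switches are listed explicitly so the intent is visible in the script.
$policyName = 'Block Basic Auth - Retired Protocols'   # placeholder name
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName `
        -AllowBasicAuthActiveSync:$false `
        -AllowBasicAuthImap:$false `
        -AllowBasicAuthPop:$false `
        -AllowBasicAuthWebServices:$false `
        -AllowBasicAuthPowershell:$false | Out-Null
}

# 3. Pilot: apply the policy to a test group first, not the whole tenant,
#    so a mail app or LOB integration that silently depends on Basic Auth
#    surfaces as a support ticket from a few users rather than from everyone.
Get-DistributionGroupMember -Identity 'ModernAuth-Pilot' |   # placeholder group
    ForEach-Object { Set-User -Identity $_.PrimarySmtpAddress -AuthenticationPolicy $policyName }

# 4. Once the pilot is clean, make the policy the tenant default (uncomment to apply).
# Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName
```

Rerunning step 1 after each pilot wave shows how many mailboxes still depend on the legacy protocols, which is the number you want trending toward zero before October 2020.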
