Update: On April 30, 2020, the Exchange Team announced that OAuth 2.0 authentication for the IMAP and SMTP AUTH protocols is now available. In order to leverage this functionality, mail clients need to start using it (so they need an update). Michel de Rooij wrote a nice article on how to configure Thunderbird for OAuth2, which you can read here: Configuring Exchange Online with IMAP & OAuth2
Update: On May 28, 2020, the Exchange Team announced that OAuth support for POP is now also available in Exchange Online.
Update: On June 30, 2020, the Microsoft Exchange Team announced support for Modern Authentication in scripts using the new Exchange PowerShell module, see: Modern Auth and Unattended Scripts in Exchange Online PowerShell V2
On March 7, 2018, the Microsoft Exchange Team announced that on October 13, 2020 it would stop supporting Basic Authentication (also called Legacy Authentication) for Exchange Web Services (EWS) in Exchange Online (EXO), the version of Exchange offered as a service as part of Office 365. EWS is a web service that client applications can use to access the EXO environment. The team also announced that EWS would no longer receive any feature updates, and suggested that customers transition to Microsoft Graph to access EXO.
One and a half years later, on November 20, 2019, the Exchange Team announced that it would also stop supporting Basic Authentication for Exchange ActiveSync (EAS), Post Office Protocol (POP), Internet Message Access Protocol (IMAP) and Remote PowerShell on October 13, 2020. Authenticated Simple Mail Transfer Protocol (SMTP) will remain supported with Basic Authentication.
Instead of supporting Basic/Legacy Authentication, Microsoft will move towards supporting only Modern Authentication for most of the methods used to connect to Exchange Online.
So what is this Legacy/Basic and Modern Authentication exactly?
When using Basic/Legacy Authentication, the application sends a username and password with every request to Exchange Online, which either forwards the credentials to Azure AD or to a federated authentication provider such as Active Directory Federation Services (ADFS). The problem with Basic/Legacy Authentication is that it is vulnerable to brute force and password spray attacks.
Modern Authentication is based on OAuth 2.0 and the Active Directory Authentication Library (ADAL), providing token-based authentication. OAuth 2.0 is the protocol being used, and ADAL is the library used to authenticate against Azure AD.
Token based authentication, as described by the World Wide Web Consortium (W3C):
“The general concept behind a token-based authentication system is simple. Allow users to enter their username and password in order to obtain a token which allows them to fetch a specific resource – without using their username and password. Once their token has been obtained, the user can offer the token – which offers access to a specific resource for a time period – to the remote site. Using some form of authentication: a header, GET or POST request, or a cookie of some kind, the site can then determine what level of access the request in question should be afforded.”
So Microsoft wants you to move towards Modern Authentication since it is the more secure solution. Another big advantage of Modern Authentication is that it can leverage Azure AD Conditional Access, which gives you the option to enforce MFA for users, among other controls. See my blog post series on Azure AD Conditional Access for more information about implementing Conditional Access.
How can I check whether Modern Authentication is enabled or not?
If your tenant was created after August 1, 2017, Modern Authentication is turned on by default. That does not mean, of course, that nobody disabled Modern Authentication in the meantime.
The easiest way to check whether Modern Authentication is enabled is by looking in the Microsoft 365 Admin Center. Once in the Admin Center, go to Settings -> Settings -> Modern Authentication. Here you can check whether Modern Authentication is enabled.
The other way to check whether Modern Authentication is enabled is by using PowerShell; below is an example of how to do this using Cloud Shell.
This is not all though, since it is also possible to define how users can connect to their mailbox in the properties of the user.
Microsoft 365 Admin Center -> Users -> Active Users -> Select User -> Mail -> Email apps and select Manage email apps.
What about other Office 365 Services?
Besides Exchange Online, SharePoint Online (SPO) and Skype for Business (SfB) Online can also be using Basic/Legacy Authentication. While busy with the transition, you might want to consider moving those workloads to Modern Authentication as well.
Check SharePoint Online for basic/legacy authentication
Checking whether SPO is using Basic/Legacy Authentication depends on two settings, which can be displayed using the Get-SPOTenant cmdlet in PowerShell. The first one is OfficeClientADALDisabled, which when set to True specifies that Modern Authentication is disabled. The second one, LegacyAuthProtocolsEnabled, when set to True enables Office clients using non-modern authentication protocols (such as Forms-Based Authentication (FBA) or Identity Client Runtime Library (IDCRL)) to access SharePoint resources.
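The PowerShell checks for Exchange Online and SharePoint Online described above, combined into one audit script. This is an added example and not code from the original post; it assumes the ExchangeOnlineManagement (V2) and Microsoft.Online.SharePoint.PowerShell modules are installed, and "contoso" is a placeholder for your own tenant name.

```powershell
# Added example (not from the original post): report the tenant-level
# Modern Authentication settings for Exchange Online and SharePoint Online.
# Assumptions: ExchangeOnlineManagement (V2) and
# Microsoft.Online.SharePoint.PowerShell are installed; "contoso" is a
# placeholder for your tenant name.
Connect-ExchangeOnline
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

$findings = @()

# Exchange Online: OAuth2ClientProfileEnabled is the "Modern Authentication"
# switch that the Microsoft 365 Admin Center shows under Settings.
$exo = Get-OrganizationConfig
$findings += [pscustomobject]@{
    Workload = 'Exchange Online'
    Setting  = 'OAuth2ClientProfileEnabled'
    Value    = $exo.OAuth2ClientProfileEnabled
    Expected = $true
}

# SharePoint Online: both Get-SPOTenant settings have to be looked at.
# OfficeClientADALDisabled = True means Modern Authentication is off;
# LegacyAuthProtocolsEnabled = True means FBA/IDCRL clients are still allowed.
$spo = Get-SPOTenant
$findings += [pscustomobject]@{
    Workload = 'SharePoint Online'
    Setting  = 'OfficeClientADALDisabled'
    Value    = $spo.OfficeClientADALDisabled
    Expected = $false
}
$findings += [pscustomobject]@{
    Workload = 'SharePoint Online'
    Setting  = 'LegacyAuthProtocolsEnabled'
    Value    = $spo.LegacyAuthProtocolsEnabled
    Expected = $false
}

# Flag every setting that deviates from the Modern Authentication baseline.
$findings |
    Select-Object Workload, Setting, Value, Expected,
        @{ Name = 'Compliant'; Expression = { $_.Value -eq $_.Expected } } |
    Format-Table -AutoSize
```

Run it from Cloud Shell or a local PowerShell session after installing the two modules; a row with Compliant = False is a workload that still needs attention.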
Check Skype for Business Online for basic/legacy authentication
Checking whether Skype for Business Online is configured for Basic Authentication is described in detail by Ronni Pedersen in his blog: “Enable modern authentication for Skype for Business Online”
Am I safe if Modern Authentication is enabled?
Even if you have Modern Authentication enabled, a user is still able to access his/her mailbox using Legacy/Basic Authentication via one of the protocols enabled in the user's mailbox properties. You can either disable this access via the user properties as described below, or enable a Conditional Access policy, see: How to: Block legacy authentication to Azure AD with Conditional Access.
What to do if you don’t have Modern Authentication enabled?
If Modern Authentication is not enabled, chances are really high that clients still access EXO using Basic/Legacy Authentication. Most current email clients support Modern Authentication and will switch to it automatically once Modern Authentication has been enabled on your tenant. Outlook 2013, for example, needs some extra registry keys in order for Modern Authentication to be used.
Even though some applications support Modern Authentication, they may still have to be reconfigured. For example, an Outlook client which uses IMAP to connect to the EXO mailbox should be reconfigured to use the “default” Outlook Desktop option via Mail API (MAPI). Microsoft has stated that they are working on POP and IMAP implementations which work with Modern Authentication. If you really have a valid case for keeping POP and IMAP enabled for some clients, make sure that you transition to Modern Authentication for those clients as soon as Microsoft provides the option.
The challenge lies with older email clients (Outlook 2010 and others), services and scripts which use EWS, and scripts which still use Basic/Legacy Authentication. iOS and macOS support Modern Authentication in their most recent versions; with Android it gets tricky since there are so many versions, which is why Microsoft recommends switching to the Outlook app for email hosted in EXO. An extra advantage here is that you can manage the Outlook app using Mobile Application Management (MAM).
In order to get an idea of what you are dealing with, it is important to first measure whether or not Basic/Legacy Authentication is being used. This can be done using Azure AD sign-ins logging, Azure AD workbooks or other methods (e.g. KQL queries when you send your Azure AD logs to an Azure Log Analytics workspace).
Azure AD sign-ins logging
Go to the Azure Active Directory admin center, and browse to sign-ins. Add filters for Client app and Application.
For Client App select the following client apps: Auto Discover, Exchange ActiveSync, Exchange Online PowerShell, Exchange Web Services, IMAP4, MAPI over HTTP, Offline Address Book, Other Clients, Outlook Anywhere (RPC over HTTP), Outlook Service, POP3 and Reporting Web Services.
If you also filter on Application (starts with Office 365 Exchange Online) you will get a nice overview. The picture below shows an (anonymized) overview of clients still using Legacy/Basic Authentication to access EXO.
You can export the results and work from there in Excel, which allows you to sort, filter, etc.
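Instead of Excel, the exported sign-ins can also be summarised in PowerShell, using the client app list from the filter above. This is an added example, not part of the original post; the CSV rows are constructed sample data, and the column names ("Username", "Application", "Client app", "Status") are an assumption that you may need to adjust to match your export.

```powershell
# Added example (not from the original post): summarise an exported Azure AD
# sign-ins CSV to find which users and client apps still use Basic/Legacy auth.
# Assumption: the column names "Username", "Application", "Client app" and
# "Status" match your export; rename them below if your CSV differs.
$legacyClientApps = @(
    'Auto Discover', 'Exchange ActiveSync', 'Exchange Online PowerShell',
    'Exchange Web Services', 'IMAP4', 'MAPI over HTTP', 'Offline Address Book',
    'Other Clients', 'Outlook Anywhere (RPC over HTTP)', 'Outlook Service',
    'POP3', 'Reporting Web Services'
)

# Constructed sample data standing in for the real export.
$sampleCsv = @'
"Date (UTC)","Username","Application","Client app","Status"
"2020-03-01T08:12:00Z","alice@contoso.example","Office 365 Exchange Online","IMAP4","Success"
"2020-03-01T08:15:00Z","alice@contoso.example","Office 365 Exchange Online","IMAP4","Success"
"2020-03-01T09:02:00Z","bob@contoso.example","Office 365 Exchange Online","Exchange ActiveSync","Success"
"2020-03-01T09:30:00Z","carol@contoso.example","Office 365 Exchange Online","Browser","Success"
"2020-03-01T10:44:00Z","svc-report@contoso.example","Office 365 Exchange Online","Exchange Web Services","Failure"
"2020-03-01T11:00:00Z","dave@contoso.example","Office 365 SharePoint Online","Mobile Apps and Desktop clients","Success"
'@

# For a real export use: $signIns = Import-Csv -Path .\SignIns.csv
$signIns = $sampleCsv | ConvertFrom-Csv

# Keep only Exchange Online sign-ins made through a legacy-auth client app.
$legacy = $signIns | Where-Object {
    $_.Application -like 'Office 365 Exchange Online*' -and
    $legacyClientApps -contains $_.'Client app'
}

# One row per user and client app, with total and successful sign-in counts,
# so the noisiest legacy consumers (scripts, shared mailboxes) surface first.
$summary = $legacy |
    Group-Object -Property Username, 'Client app' |
    ForEach-Object {
        [pscustomobject]@{
            Username   = $_.Group[0].Username
            ClientApp  = $_.Group[0].'Client app'
            SignIns    = $_.Count
            Successful = @($_.Group | Where-Object Status -eq 'Success').Count
        }
    } | Sort-Object -Property SignIns -Descending

$summary | Format-Table -AutoSize
```

A failing EWS sign-in from a service account, as in the sample, is worth following up on as well: it is usually a script or integration that will break outright once Basic Authentication is turned off.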
Use the Sign-ins using Legacy Auth workbook
Another option is to use the Sign-ins using Legacy Auth workbook.
Steps to migrate from Basic/Legacy authentication to Modern Authentication
Step 1: Determine if you are affected; the longer you have been running Exchange Online, the higher the chance.
Step 2: Determine which users are still using Basic/Legacy Authentication. If you have processes running that use EWS, transition those to the Microsoft Graph.
Step 3: Determine if these users are using a mail client which supports Modern Authentication. If you have clients which do not support Modern Authentication, you must upgrade those clients first.
Step 4: Turn on Modern Authentication and verify whether clients connect to EXO using Modern Authentication. You can check this, for example, in the Outlook Connection Status window, which should display Bearer* instead of Clear*; see this article for more information.
Step 5: Continue with clients still using MAPI over HTTP, POP3 and IMAP4, and help users transition to MAPI. You can do this through automation, by creating user instructions, or by helping those users one by one, depending on the number and diversity of solutions used.
Step 6: Disable all protocols using Basic/Legacy Authentication on the mailboxes of the users.
Step 7: Keep measuring whether Basic/Legacy Authentication is used. Once no clients are using Basic/Legacy Authentication anymore, enable the “Block legacy authentication to Azure AD” Conditional Access policy to make sure that the door stays closed.
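Step 6 in PowerShell, as an added example that is not code from the original post: first report which mailboxes still have the POP3, IMAP4 and ActiveSync protocols enabled, then disable them for a reviewed set of users. It assumes an existing Connect-ExchangeOnline session and uses placeholder addresses for $usersToFix, which in practice come from the sign-in analysis in Step 2.

```powershell
# Added example (not from the original post): audit and disable the per-mailbox
# protocols that are commonly used with Basic/Legacy Authentication.
# Assumptions: Connect-ExchangeOnline has already been run, and the addresses
# in $usersToFix are placeholders for the users identified in Step 2.
$usersToFix = @('alice@contoso.example', 'bob@contoso.example')

# Audit: one row per mailbox listing the legacy-capable protocols still on.
$report = Get-CASMailbox -ResultSize Unlimited |
    ForEach-Object {
        $open = @()
        if ($_.PopEnabled)        { $open += 'POP3' }
        if ($_.ImapEnabled)       { $open += 'IMAP4' }
        if ($_.ActiveSyncEnabled) { $open += 'EAS' }
        [pscustomobject]@{
            Mailbox         = $_.PrimarySmtpAddress
            LegacyProtocols = ($open -join ', ')
        }
    } | Where-Object { $_.LegacyProtocols -ne '' }

$report | Format-Table -AutoSize

# Remediate: only for the reviewed users. -WhatIf previews the change;
# remove it once the preview output looks right.
$disable = @{
    PopEnabled        = $false
    ImapEnabled       = $false
    ActiveSyncEnabled = $false
}
foreach ($user in $usersToFix) {
    Set-CASMailbox -Identity $user @disable -WhatIf
}
```

Note that these switches turn the protocol off for the mailbox entirely, which is why the sign-in measurement from Step 2 should confirm the user no longer depends on it before it is disabled.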
Microsoft disabling Basic/Legacy Authentication on October 13 this year can have a huge impact on your organization if your clients are still using it. If you start today, you should still have enough time to be ready for the moment Microsoft flips the switch. Even though there is a chance that Microsoft will postpone the change if they determine that many customers have not prepared, the switch will be performed in the near future, so you had better be prepared.
Improving Security – Together, September 20th 2019
Basic Auth and Exchange Online – February 2020 Update, February 25th 2020