On March 7, 2018 the Microsoft Exchange Team announced that on October 13, 2020 it would stop supporting Basic Authentication (also called Legacy Authentication) for Exchange Web Services (EWS) in Exchange Online (EXO), the version of Exchange offered as a service as part of Office 365. EWS is a web service that client applications can use to access the EXO environment. The team also announced that EWS would no longer receive feature updates, and suggested that customers transition to Microsoft Graph to access EXO.

One and a half years later, on September 20, 2019 (the “Improving Security – Together” post in the references), the Exchange Team also announced that it would stop supporting Basic Authentication for Exchange ActiveSync (EAS), Post Office Protocol (POP), Internet Message Access Protocol (IMAP) and Remote PowerShell on October 13, 2020 as well. Authenticated Simple Mail Transfer Protocol (SMTP) will remain supported with Basic Authentication.

Instead of Basic/Legacy Authentication, Microsoft will move towards supporting only Modern Authentication for most of the methods used to connect to Exchange Online.

So what is this Legacy/Basic and Modern Authentication exactly?

With Basic/Legacy Authentication the application sends a username and password with every request to Exchange Online, which either validates the credentials against Azure AD or forwards them to a federated authentication provider such as Active Directory Federation Services (AD FS). The problem with Basic/Legacy Authentication is that the password is the only thing that is checked: there is no way to require MFA or a compliant device, and every endpoint that accepts it is a target for brute force and password spray attacks.

Modern Authentication is based on OAuth 2.0 and the Active Directory Authentication Library (ADAL), providing token-based authentication. OAuth 2.0 is the protocol being used; ADAL is the client library used to authenticate against Azure AD and obtain the tokens.

Token based authentication, as described by the World Wide Web Consortium (W3C):

The general concept behind a token-based authentication system is simple. Allow users to enter their username and password in order to obtain a token which allows them to fetch a specific resource – without using their username and password. Once their token has been obtained, the user can offer the token – which offers access to a specific resource for a time period – to the remote site. Using some form of authentication: a header, GET or POST request, or a cookie of some kind, the site can then determine what level of access the request in question should be afforded.

So Microsoft wants you to move to Modern Authentication because it is the more secure solution. Another big advantage of Modern Authentication is that it can leverage Azure AD Conditional Access, giving you the option to require MFA for users, among other controls. See my blog post series on Azure AD Conditional Access for more information about implementing Conditional Access.

How can I check whether Modern Authentication is enabled or not?

If your tenant was created after August 1, 2017, Modern Authentication is turned on by default. That does not mean that nobody has disabled it since, of course.

The easiest way to check whether Modern Authentication is enabled is in the Microsoft 365 Admin Center: go to Settings -> Settings -> Modern Authentication. Here you can see whether Modern Authentication is enabled.

[Screenshot: the Modern authentication pane in the Microsoft 365 Admin Center. The pane reads: “Modern authentication in Exchange Online provides you a variety of ways to increase security in your organization with features like conditional access and multi-factor authentication (MFA). When you use Modern authentication, Outlook 2013 or later will require it to log in to Exchange Online mailboxes. If you disable Modern authentication, those mailboxes will use basic authentication instead.” Below it are the “Enable Modern authentication” checkbox and a “Save changes” button.]
Modern Authentication setting in the Microsoft 365 Admin Portal

The other way to check whether Modern Authentication is enabled is with PowerShell. Below is an example using Azure Cloud Shell: after connecting to Exchange Online, Get-OrganizationConfig shows the OAuth2ClientProfileEnabled property, which is True when Modern Authentication is enabled.

[Screenshot: Azure Cloud Shell (PowerShell) session; the module-import warnings about unapproved verbs have been left out.]

    PS Azure:\> Connect-EXOPSSession
    PS Azure:\> Get-OrganizationConfig | Format-Table Name,OAuth* -Auto

    Name                      OAuth2ClientProfileEnabled
    ----                      --------------------------
    INSIGHT24.onmicrosoft.com True

Check if Modern Authentication is enabled using Azure Cloud Shell

This is not all, though, since it is also possible to define how users can connect to their mailbox in the properties of the user.

Microsoft 365 Admin Center -> Users -> Active users -> select the user -> Mail -> Email apps -> Manage email apps.

Disable protocols for user
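The two checks above (the tenant-wide OAuth2ClientProfileEnabled switch and the per-user email apps) and the per-user disable can be scripted. The following is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline), whereas the Cloud Shell screenshot above used the older Connect-EXOPSSession. The file names and the SmtpClientAuthenticationDisabled parameter are assumptions to verify against your module version.

```powershell
# Added example, not part of the original post. Assumes the
# ExchangeOnlineManagement module is installed and the account has
# Exchange administrator rights.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# 1. Tenant-wide switch: OAuth2ClientProfileEnabled is the same setting
#    as "Enable Modern authentication" in the Microsoft 365 Admin Center.
function Get-ModernAuthStatus {
    $org = Get-OrganizationConfig
    [pscustomobject]@{
        Tenant                     = $org.Name
        OAuth2ClientProfileEnabled = $org.OAuth2ClientProfileEnabled
    }
}

# 2. Per-mailbox protocol flags (what "Manage email apps" shows in the UI).
#    Even with Modern Authentication on, a mailbox with POP/IMAP/EAS enabled
#    still accepts Basic Authentication on those protocols unless a
#    Conditional Access policy blocks legacy authentication.
function Get-LegacyProtocolReport {
    Get-CASMailbox -ResultSize Unlimited |
        Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled,
                      ActiveSyncEnabled, EwsEnabled, MapiEnabled,
                      SmtpClientAuthenticationDisabled
}

# 3. Disable the Basic-Auth-only protocols on a set of mailboxes.
#    SupportsShouldProcess gives us -WhatIf so the change can be rehearsed.
#    EWS is left alone unless -IncludeEws is given, because line-of-business
#    tools that have not yet moved to Graph may still depend on it.
function Disable-LegacyMailboxProtocols {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string[]] $Identity,
        [switch] $IncludeEws
    )
    process {
        foreach ($mbx in $Identity) {
            if ($PSCmdlet.ShouldProcess($mbx, 'Disable POP3, IMAP4, ActiveSync and SMTP AUTH')) {
                $params = @{
                    Identity                         = $mbx
                    PopEnabled                       = $false
                    ImapEnabled                      = $false
                    ActiveSyncEnabled                = $false
                    SmtpClientAuthenticationDisabled = $true   # assumption: parameter present in your module version
                }
                if ($IncludeEws) { $params.EwsEnabled = $false }
                Set-CASMailbox @params
            }
        }
    }
}

# 4. New mailboxes inherit their protocol settings from the CAS mailbox
#    plan, so change the plan as well or the next mailbox reopens the door.
function Disable-LegacyProtocolsForNewMailboxes {
    Get-CASMailboxPlan | ForEach-Object {
        Set-CASMailboxPlan -Identity $_.Identity -PopEnabled $false -ImapEnabled $false
    }
}

Get-ModernAuthStatus
Get-LegacyProtocolReport |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled -or $_.ActiveSyncEnabled } |
    Export-Csv -Path .\legacy-protocols.csv -NoTypeInformation   # constructed file name

# Rehearse first, then run for real once the CSV has been reviewed:
# Get-Content .\users.txt | Disable-LegacyMailboxProtocols -WhatIf
```

Note the difference between the two controls: disabling a protocol on the mailbox blocks that protocol entirely (including a future OAuth-capable POP/IMAP client), while a Conditional Access policy only blocks the legacy authentication path and leaves Modern Authentication clients of the same protocol working.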

What about other Office 365 Services?

Besides Exchange Online, SharePoint Online (SPO) and Skype for Business (SfB) Online can also be using basic/legacy authentication. While busy with the transition, you might want to consider moving those workloads to Modern Authentication as well.

Check SharePoint Online for basic/legacy authentication

Whether SPO is using basic/legacy authentication depends on two settings, which can be displayed with the Get-SPOTenant cmdlet in PowerShell. The first is OfficeClientADALDisabled, which when set to True specifies that Modern Authentication is disabled for Office clients. The second is LegacyAuthProtocolsEnabled, which when set to True allows Office clients using non-modern authentication protocols (such as Forms-Based Authentication (FBA) or Identity Client Runtime Library (IDCRL)) to access SharePoint resources. For Modern Authentication only, both must be False.

SharePoint Online settings

Check Skype for Business Online for basic/legacy authentication

Checking whether Skype for Business Online is configured for basic authentication is described in detail by Ronni Pedersen in his blog: “Enable modern authentication for Skype for Business Online”. The value to look at in the output of Get-CsOAuthConfiguration is ClientAdalAuthOverride, which must be Allowed for clients to use Modern Authentication.

[Screenshot: Windows PowerShell session in which the Skype for Business Online session is imported (Import-PSSession $sfbSession) and Get-CsOAuthConfiguration is run. The output lists the Global identity, the partner applications (microsoft.exchange, microsoft.skype and the platform monitoring service), the OAuth servers (microsoft.sts and evosts against login.windows.net), the Exchange autodiscover URL https://pilot.outlook.com/autodiscover/autodiscover.svc, and ClientAdalAuthOverride : Allowed.]
Skype for Business Online settings
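The SharePoint Online and Skype for Business Online checks described in the two sections above, plus the corresponding fixes, as an added example that is not code from the original post or from Ronni Pedersen's blog. It assumes the SharePoint Online Management Shell (Connect-SPOService) and the Skype for Business Online Connector (New-CsOnlineSession) that were current when the post was written; contoso is a placeholder tenant name.

```powershell
# Added example, not part of the original post. Assumes the SharePoint
# Online Management Shell and the Skype for Business Online Connector
# modules are installed; "contoso" is a placeholder.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# SharePoint Online: both flags must be $false for "Modern Authentication only".
#   OfficeClientADALDisabled   = $true -> Modern Authentication off for Office clients
#   LegacyAuthProtocolsEnabled = $true -> FBA/IDCRL (legacy) clients still accepted
function Test-SPOLegacyAuth {
    $t = Get-SPOTenant
    [pscustomobject]@{
        OfficeClientADALDisabled   = $t.OfficeClientADALDisabled
        LegacyAuthProtocolsEnabled = $t.LegacyAuthProtocolsEnabled
        ModernAuthOnly             = (-not $t.OfficeClientADALDisabled) -and (-not $t.LegacyAuthProtocolsEnabled)
    }
}

function Set-SPOModernAuthOnly {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess('SharePoint Online tenant', 'Disable legacy auth protocols')) {
        # Turn Modern Authentication on first, then shut the legacy door;
        # in the other order Office clients briefly have no way in at all.
        Set-SPOTenant -OfficeClientADALDisabled $false
        Set-SPOTenant -LegacyAuthProtocolsEnabled $false
    }
}

# Skype for Business Online: ClientAdalAuthOverride must be 'Allowed'
# (the value the screenshot above shows) for clients to use ADAL.
$sfbSession = New-CsOnlineSession
Import-PSSession $sfbSession -AllowClobber | Out-Null

function Test-SfBModernAuth {
    $cfg = Get-CsOAuthConfiguration
    [pscustomobject]@{
        ClientAdalAuthOverride = $cfg.ClientAdalAuthOverride
        ModernAuthAllowed      = ($cfg.ClientAdalAuthOverride -eq 'Allowed')
    }
}

function Enable-SfBModernAuth {
    Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
}

Test-SPOLegacyAuth
Test-SfBModernAuth
# Rehearse, then apply:
# Set-SPOModernAuthOnly -WhatIf
# Set-SPOModernAuthOnly; Enable-SfBModernAuth
```

Setting LegacyAuthProtocolsEnabled to False cuts off every client that can only do FBA or IDCRL (Office 2010 and older sync tools among them), so run Test-SPOLegacyAuth and the sign-in measurements described later in the post before flipping it.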

Am I safe if Modern Authentication is enabled?

Even if Modern Authentication is enabled, a user may still be able to access his or her mailbox using legacy/basic authentication. You can either disable this access in the user properties as described above, or enable a Conditional Access policy, see: How to: Block legacy authentication to Azure AD with Conditional Access.

What to do if you don’t have Modern Authentication enabled?

If Modern Authentication is not enabled, chances are very high that clients are still accessing EXO using basic/legacy authentication. Most current email clients support Modern Authentication and will automatically switch to it once Modern Authentication has been enabled on your tenant. Outlook 2013, for example, needs some extra registry keys before it will use Modern Authentication.

Even though an application supports Modern Authentication, it may have to be reconfigured. For example, an Outlook client that uses IMAP to connect to the EXO mailbox should be reconfigured to use the default Outlook desktop option, the Messaging Application Programming Interface (MAPI; in EXO this is MAPI over HTTP). Microsoft has stated that it is working on POP and IMAP implementations that work with Modern Authentication. If you really have a valid case for keeping POP or IMAP enabled for some clients, make sure that you transition to that solution once Microsoft provides the option for Modern Authentication.

The challenge is older email clients (Outlook 2010 and others), services and scripts that use EWS, and other scripts that still use basic/legacy authentication. Recent versions of iOS and macOS Mail support Modern Authentication; with Android it gets tricky since there are so many versions, so Microsoft recommends switching to the Outlook app for email hosted in EXO. An extra advantage is that you can manage the Outlook app with Mobile Application Management (MAM).

To get an idea of what you are dealing with, first measure whether Basic/Legacy Authentication is being used at all. This can be done using the Azure AD sign-ins log, Azure AD workbooks or other methods (e.g. KQL queries when you send your Azure AD logs to an Azure Log Analytics workspace).

Azure AD sign-ins logging

Go to the Azure Active Directory admin center and browse to Sign-ins. Add filters for Client app and Application.

For Client app select the following client apps: Auto Discover, Exchange ActiveSync, Exchange Online PowerShell, Exchange Web Services, IMAP4, MAPI over HTTP, Offline Address Book, Other clients, Outlook Anywhere (RPC over HTTP), Outlook Service, POP3 and Reporting Web Services. (Browser and Mobile Apps and Desktop clients are the Modern Authentication client apps and stay unselected.)

[Screenshot: the Client app filter of the Azure AD sign-ins report, listing Authenticated SMTP, Auto Discover, Browser, Exchange ActiveSync, Exchange Online PowerShell, Exchange Web Services, IMAP4, MAPI Over HTTP, Mobile Apps and Desktop clients, Offline Address Book, Other clients, Outlook Anywhere (RPC over HTTP), Outlook Service and Reporting Web Services.]
Report options

If you also filter on Application (starts with Office 365 Exchange Online) you get a nice overview. The picture below shows an (anonymized) overview of clients still using Legacy/Basic Authentication to access EXO.

[Screenshot: Azure AD sign-in report for the last 24 hours (2/29/2020), filtered on Client app (13 selected) and Application starts with “Office 365 Exchange Online”. Every row shows Application “Office 365 Exchange Online”, Status “Success”, Client app “Exchange ActiveSync” and Conditional access “Not Applied”.]
Azure AD Sign-in report

You can export the results and work from there in Excel, which allows you to sort, filter and so on.
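The same filtering (Client app in the legacy list, Application starting with Office 365 Exchange Online) can be run as a KQL query once the sign-in logs are sent to a Log Analytics workspace, the third method named above. The following is an added example, not from the original post; it assumes the Az.Accounts and Az.OperationalInsights modules and a diagnostic setting that streams the Azure AD SigninLogs table to the workspace. The workspace ID and the output file name are placeholders, and the client app strings should be checked against the values in your own workspace.

```powershell
# Added example, not part of the original post. Assumes Azure AD sign-in
# logs are exported to a Log Analytics workspace and that Az.Accounts and
# Az.OperationalInsights are installed. Workspace ID is a placeholder.
Import-Module Az.Accounts, Az.OperationalInsights
Connect-AzAccount | Out-Null
$WorkspaceId = '00000000-0000-0000-0000-000000000000'   # placeholder

# The client apps the portal filter above selects. These are the strings
# Azure AD writes to the ClientAppUsed column; confirm them in your own
# data with:  SigninLogs | distinct ClientAppUsed
$LegacyClientApps = @(
    'Authenticated SMTP', 'AutoDiscover', 'Exchange ActiveSync',
    'Exchange Online PowerShell', 'Exchange Web Services', 'IMAP4',
    'MAPI Over HTTP', 'Offline Address Book', 'Other clients',
    'Outlook Anywhere (RPC over HTTP)', 'Outlook Service', 'POP3',
    'Reporting Web Services'
)

function Get-LegacyAuthSignIns {
    param(
        [int]    $Days      = 14,
        [string] $AppPrefix = 'Office 365 Exchange Online'
    )

    # Turn the PowerShell array into a KQL in-list: "A", "B", ...
    $inList = ($LegacyClientApps | ForEach-Object { '"{0}"' -f $_ }) -join ', '

    # ResultType "0" is a successful sign-in; anything else is a failure
    # (a burst of failures on IMAP4/POP3 from one user is the password
    # spray signature the post warns about).
    $query = @"
SigninLogs
| where TimeGenerated > ago(${Days}d)
| where ClientAppUsed in ($inList)
| where AppDisplayName startswith "$AppPrefix"
| summarize SignIns  = count(),
            Failures = countif(ResultType != "0"),
            LastSeen = max(TimeGenerated)
          by UserPrincipalName, ClientAppUsed, AppDisplayName
| order by SignIns desc
"@

    (Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $query).Results
}

$rows = Get-LegacyAuthSignIns -Days 14
$rows | Format-Table -AutoSize
$rows | Export-Csv -Path .\legacy-auth-signins.csv -NoTypeInformation   # placeholder file name
```

Run it with a window that covers at least one full cycle of your scheduled jobs and month-end processes; a service account that uses EWS once a month will not show up in a 24-hour portal view, and an empty result over that longer window is the signal that blocking legacy authentication is safe.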

Use the Sign-ins using Legacy Auth workbook

Another option is to use the Sign-ins using Legacy Auth workbook in the Azure AD admin center (Azure Active Directory -> Workbooks). Like the KQL option, the workbook requires the sign-in logs to be sent to a Log Analytics workspace.

[Screenshot: the “Sign-ins using Legacy Auth” workbook, time range Last 14 days, the Apps, Users and Protocols filters set to All. The tiles show All Sign-ins 175K, Success 74.9K and Failure 111, plus a trend chart. The “Legacy Auth Sign-ins by App and Protocol” table breaks Office 365 Exchange Online down into Other clients, MAPI over HTTP, IMAP4 and Authenticated SMTP, with further rows for Office 365 SharePoint Online, Common Data Service, Skype for Business Online and Microsoft Online Syndication Partner Portal, and columns for Sign-in Count, Failure Count and User Interrupted Count.]
Sign-in using Legacy Auth workbook

Steps to migrate from Basic/Legacy authentication to Modern Authentication

Step 1: Determine whether you are affected; the longer you have been running Exchange Online, the higher the chance.

Step 2: Determine which users are still using Basic/Legacy Authentication. If you have processes that use EWS, transition them to Microsoft Graph.

Step 3: Determine whether these users use a mail client that supports Modern Authentication; clients that do not support it must be upgraded first.

Step 4: Turn on Modern Authentication and verify that clients connect to EXO using Modern Authentication. You can check this, for example, in Outlook's Connection Status dialog, where the Authn column should show Bearer* instead of Clear* (see this article for more information).

Step 5: Continue with the clients still using MAPI over HTTP, POP3 or IMAP4 with basic authentication and help users transition to Outlook with MAPI over HTTP and Modern Authentication. Depending on the number of users and the diversity of solutions in use, you can do this with automation, by writing user instructions or by helping users one by one.

Step 6: Disable all protocols that use basic/legacy authentication on the users' mailboxes.

Step 7: Keep measuring whether basic/legacy authentication is used. Once no clients use it anymore, enable the “Block legacy authentication to Azure AD” Conditional Access policy to make sure that the door stays closed.
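Step 7 can be prepared well before the last legacy client is gone by creating the policy in report-only mode, so the sign-in log shows which sign-ins it would have blocked without actually blocking anyone. The following creates the “Block legacy authentication” policy through Microsoft Graph and is an added example, not code from the original post or from the linked how-to; it assumes the Microsoft.Graph.Authentication module (Connect-MgGraph, Invoke-MgGraphRequest) and a break-glass account whose object ID is a placeholder.

```powershell
# Added example, not part of the original post. Assumes the
# Microsoft.Graph.Authentication module and an account allowed to consent
# to the Policy.ReadWrite.ConditionalAccess scope. The break-glass account
# object ID is a placeholder.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

$BreakGlassAccountId = '00000000-0000-0000-0000-000000000000'   # placeholder
$PolicyUri = 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'

function New-BlockLegacyAuthPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Default to report-only: every legacy sign-in is then tagged in the
        # sign-in log with the policy's report-only result instead of failing.
        [ValidateSet('enabledForReportingButNotEnforced', 'enabled', 'disabled')]
        [string] $State = 'enabledForReportingButNotEnforced'
    )

    $policy = @{
        displayName = 'Block legacy authentication'
        state       = $State
        conditions  = @{
            # exchangeActiveSync + other = every client that cannot do Modern Authentication
            clientAppTypes = @('exchangeActiveSync', 'other')
            applications   = @{ includeApplications = @('All') }
            users          = @{
                includeUsers = @('All')
                excludeUsers = @($BreakGlassAccountId)   # never lock out the emergency account
            }
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('block')
        }
    }

    if ($PSCmdlet.ShouldProcess($policy.displayName, "Create policy in state '$State'")) {
        Invoke-MgGraphRequest -Method POST -Uri $PolicyUri `
            -Body ($policy | ConvertTo-Json -Depth 5) -ContentType 'application/json'
    }
}

# Flip the same policy from report-only to enforced once the measurements
# come back empty, instead of creating a second copy.
function Set-LegacyAuthPolicyState {
    param(
        [Parameter(Mandatory)] [string] $PolicyId,
        [ValidateSet('enabledForReportingButNotEnforced', 'enabled', 'disabled')]
        [Parameter(Mandatory)] [string] $State
    )
    Invoke-MgGraphRequest -Method PATCH -Uri "$PolicyUri/$PolicyId" `
        -Body (@{ state = $State } | ConvertTo-Json) -ContentType 'application/json'
}

function Get-LegacyAuthPolicies {
    $r = Invoke-MgGraphRequest -Method GET -Uri "$PolicyUri?`$filter=displayName eq 'Block legacy authentication'"
    $r.value | Select-Object id, displayName, state
}

New-BlockLegacyAuthPolicy -WhatIf       # rehearse
# New-BlockLegacyAuthPolicy             # create in report-only mode
Get-LegacyAuthPolicies
# Later, when no legacy sign-ins remain:
# Set-LegacyAuthPolicyState -PolicyId <id from Get-LegacyAuthPolicies> -State enabled
```

Keep the policy in report-only mode for the same measurement window you used for the sign-in log; the report-only results are the final confirmation that nothing you still depend on is authenticating the old way.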

[Screenshot: the same “Sign-ins using Legacy Auth” workbook after the migration, time range Last 14 days, all filters set to All: “The query returned no results.”]
Modern authentication all the way

Conclusion

Microsoft disabling basic/legacy authentication on October 13 this year can have a huge impact on your organization if your clients are still using basic/legacy authentication. If you start today, you should still have enough time to make sure that you are ready for the moment Microsoft flips the switch. Even though there is a chance that Microsoft will postpone the change if it determines that many customers have not prepared, the switch will be performed in the near future. So you had better be prepared.

References

Upcoming changes to Exchange Web Services (EWS) API for Office 365, March 7th 2018

Improving Security – Together, September 20th 2019

Basic Auth and Exchange Online – February 2020 Update, February 25th 2020

Disable Basic authentication in Exchange Online

How to: Block legacy authentication to Azure AD with Conditional Access

Enable or Disable POP3 or IMAP4 access for a user

Azure AD Authentication Library for .NET

Enable modern authentication in Exchange Online

How modern authentication works for Office 2013 and Office 2016 client apps

Account setup with modern authentication in Exchange Online

Enable or disable modern authentication in Exchange Online for client connections in Outlook 2013 or later