by Jeyakumar Durai (JD)
Cloud Architect
Let’s learn the difference between the basic and Modern authentication to understand why Microsoft is moving from the Basic auth to Modern.
Basic authentication is considered a weak authentication protocol in which the username and password is sent in with every authentication request, and those credentials are also often stored or saved on the device. This makes it easier for attackers to capture the credentials and use it against the endpoints. Modern authentication (often referred as OAuth 2.0) is a token-based authorization. The tokens have a limited usable lifetime and are specific to the applications and resources for which they are issued, so they cannot be reused, thus making it more secure.
Microsoft has been driving efforts to deprecate the Basic Authentication from the M365 tenants worldwide since 2019. Per the Microsoft blog, Microsoft will start to turn off the Basic Authentication on M365 tenants starting October 1, 2022, permanently and there is no way to enable the Basic Authentication after the date.
In the meantime, Microsoft has already begun to act by disabling Basic Authentication for 24 to 48 hours to see the usage and alert the administrators. In such cases, the administrators had to enable Basic Authentication manually using the M365 support page. After October 1, 2022, the administrators will not be able to enable Basic Authentication- all users, devices, applications must upgrade to Modern Authentication to continue accessing M365.
How to check Legacy Authentication usage in your organization’s tenant?
Navigate to Azure Active Directory and open the “Sign-ins” Log. Using the Filters, set the date to past 7 days or 1 month and select all legacy authentication protocols under the “Client app”. If legacy authentication results are present, then those are user accounts and logins using Basic Authentication in the tenant to connect to Exchange Online, or other services.
How to switch from Legacy to Modern Authentication?
- If Outlook for Windows is connecting using Basic Authentication, enable the Modern authentication in M365 per this article.
- If Third-Party applications are utilizing POP/IMAP protocols, check with the relevant vendor and look for upgrading of applications and services to use OAuth2.0.
- If Mobile Device Management (MDM) solutions are used to manage mobile devices, create modern configuration profiles using OAuth and deploy it to devices. Refer this article for more information.
- If PowerShell scripts are using basic authentication, upgrade the scripts to use the V2 module and modern authentication protocols.
How to disable Basic Authentication in the Microsoft Azure tenant?
The best way to disable all Basic Authentication protocols in an organization’s tenant is to create an Authentication Policy having all the basic protocols disabled and assign the Authentication Policy to all the users in the tenant. Please see this article to see on how to set up the Authentication Policy.
The Basic authentication can be disabled using Microsoft Conditional Access policies or by disabling protocols on a per mailbox basis. However, these methods blocked the protocol, post-authentication, which implies the credentials could still be cached on devices. Microsoft recommends using Authentication Policies to disable Basic Authentication as this blocks access at the Pre-authentication stage and inherently blocks legacy authentication.
Helient strongly recommends taking the necessary steps to check Legacy Authentication usage in your company’s tenant and upgrade/enforce Modern Authentication prior to October 1, 2022. If you would like more information or assistance, please contact our industry-leading experts at service@helient.com.