Microsoft delays disabling Basic Authentication for several Exchange Online protocols 'until further notice'

Microsoft has shifted gears on plans to disable Basic Authentication for five Exchange Online protocols this year, provided your tenant is actually using them.

It's a change from previous proclamations on the issue and is in recognition of the fact that some IT admins simply haven't got round to dealing with the problem yet.

After all, the world has changed considerably since the last announcement and IT professionals have had their hands full with an unexpected exodus from the office.

The company has also tweaked how the disabling will happen.

Most importantly, "until further notice" Basic Auth will not be disabled for any protocols a tenant is using. It will, however, be disabled for protocols that are enabled (likely through a legacy setting that everyone has forgotten about) but not being used. Microsoft plans to check usage records over the next few months to check for those unused protocols.

For those curious what "further notice" actually means, Microsoft elaborated: "We will provide a minimum of twelve months notice before we block the use of Basic Auth on any protocol being used in your tenant."

It will also be adding MAPI, RPC, and Offline Address Book (OAB) to the list of protocols for which Basic Auth will be disabled should they not be in active use.

Microsoft would dearly like organisations to make the switch to Modern Authentication. Replete with multi-factor authentication (MFA), smart cards, certificate-based authentication (CBA), and third-party SAML identity providers, and based on the Active Directory Authentication Library (ADAL) and OAuth 2.0, it is a good deal more secure than the venerable Basic Authentication.

It was also enabled for all new tenants from 1 August 2017. Enabling for those created earlier required some manual intervention.

For many, however, older versions of little-used apps such as, er, Outlook for Windows and Mac present the biggest headache. Outlook 2013 for Windows can use Modern Authentication and Outlook for Mac got the feature in a 2016 update. Updating a fleet of legacy hardware and software in the midst of a pandemic is far from ideal even if important from a security standpoint.

The move has not been greeted with delight. One user said: "I am disappointed that Microsoft is not taking a stronger stance against basic authentication and disabling it (excluding SMTP) outright."

Another said: "We have worked for nearly two years to push our app developers both internal and external to modern auth. We've put in a tremendous amount of work and now Microsoft is backtracking on this... Microsoft not disabling it implies consent to use and will result in third party developers avoiding the update. This is very disappointing news."

Greg Taylor, director of product marketing for Exchange Server and Exchange Online, attempted to address the issues: "We're not backtracking, if anything, by increasing the number of protocols we're covering we're actually doing more in the long term. Timing is the biggest challenge, nothing more."

The list of protocols for the Basic Authentication chop has indeed grown, and stands at EWS, EAS, POP, IMAP, Remote PowerShell, MAPI, RPC, SMTP AUTH, and OAB. However, the proviso that the axe swings only for those not in use, with no firm deadline for when users must move on.

Twitter was, as ever, its usual supportive self for IT teams that had yet to make the jump. ®

I mean that this is only excuse for really lazy IT departments that they should not care. Because if they do not care, you step back.

— Petr Vlk (@Kazzan) February 4, 2021