Deprecation of Basic authentication for Exchange Online How to switch to modern authentication?

Here’s an important update that still keeps some security pros awake at night.

From January 2023, Microsoft will permanently switch off the Basic Authentication protocols for Exchange Online and services that use it. There is quite a comprehensive guide to it on their website but I will also summarize some key points here.

If you’ve already moved to or use Modern Authentication, congratulations! You can skip the rest of this article.

But if you’re among those who are yet to address the issue, you might want to stick around, so you know what to do.

What is Basic Authentication?

Basic Authentication is, in essence, the simplest way to log in to an application. All a user needs to do is provide their username and password, and they’re in.

Sounds easy enough, right? It is. For your users, and for potential attackers who might want to get into your systems.

Basic Authentication doesn’t provide any additional protection against account takeover, meaning that using it puts your resources at risk of unauthorized access.

Simply put, there’s very little stopping anyone from getting your (digital) stuff.

This is why Microsoft has been phasing out this authorization standard since around 2019. Now that the final stage of the process is upon us, it really is the last chance to update your security protocols to Modern Authentication.

Why is Modern Authentication better?

New may not always mean better, but in this case, it does. With technology evolving at a rapid speed, so do attack methods. Your security needs to keep up and without this service, it simply can’t.

Modern Authentication combines additional layers of authentication methods (like MFA, client certificate-based auth or 3rd party identity providers) with OAuth authorization, permitting e.g. features like conditional access.

With these additional functionalities, you can protect your resources with more than a password, adding verification steps or security checks, so you can be sure that users logging into your environment are who they say they are and only access the resources they are entitled to.

What will happen if I don’t disable Basic Authentication?

Microsoft is in the process of removing Basic Authentication functionality for multiple protocols. If Modern Authentication is not enabled in its place, users won’t be able to authenticate in Exchange services.

Long story short – if you use Outlook, your e-mails won’t work until you make the upgrade.

Until the end of the year, you can request for Basic Authentication to be re-enabled for individual protocols if you need it (details here). It’s not the recommended course of action but as a last resort, it is available by sending a request to Microsoft.

From January 2023, this option will no longer be available and Basic Authentication will be disabled everywhere, permanently.

Do many services use Basic Authentication?

Actually, it is not all just about the e-mail. Because Basic Authentication is so simple, you will find it all over the place. It was commonly used with applications when the need of access to Office 365 or e-mail was required.

With Basic Authentication being phased out you might encounter cases of failing applications or business processes that leveraged it to connect to resources like SharePoint sites or user Inbox.

If your applications start to break on such activities, Basic Authentication might be one of the key suspects. How to fix it?

Unfortunately, there is no easy way to provide a catch-all fix in a single e-mail as it depends on the particular application stack. In general, it is to switch an app to modern authentication or certification-based authentication.

Need help or dealing with a different application? You know whom to call! But seriously, if you need a hand with this, let us know.

How to enable Modern Authentication in Microsoft 365?

When it comes to Microsoft services, there are two ways to switch on Modern Authentication if you haven’t yet. The easiest option is to do it via the M365 Admin Center. Go to Settings -> Org Settings -> Modern Authentication and check the box stating “Turn on modern authentication for Outlook 2013 for Windows and later (recommended)”.

M365 Admin Center

You can also enable it using PowerShell with this command:

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

You can verify it using:

Get-OrganizationConfig | Format-Table Name,OAuth* -Auto

For full instructions visit this page.

Where can I get more information?

Naturally, I wouldn’t leave you without support, so here are some helpful links where you can find more guidance.

• Original announcement: Improving Security – Together
• Up to date timeline: Basic Authentication Deprecation in Exchange Online – September 2022 Update
• Check also your Message Center for regular updates from Microsoft. You will be able to find details specific to your environment there.

It might also be useful for you to check out this Microsoft Authentication library issuing security tokens for calling protected APIs:

• Overview of the Microsoft Authentication Library (MSAL)
• Microsoft Authentication Library (MSAL) for .NET, UWP, NetCore, MAUI, Xamarin Android and iOS