Microsoft is ditching the Basic Authentication option in Exchange Online. In September 2021, the company advised its customers to stop using Basic Authentication and move to Modern Authentication. However, many customers did not take any action. Microsoft has now issued a second warning, stating that it will begin disabling Basic Authentication at the beginning of October 2022.
Basic Authentication is risky
The company is currently disabling unused Basic Auth protocols from its tenants
Basic Authentication is an HTTP-based scheme in which the credentials are sent in plain text. Attackers can steal those credentials by intercepting non-TLS connections. Modern Authentication, by contrast, uses access tokens that are valid for a limited time and can't be used on any other resources. In addition, it is far more complicated to set up MFA (multi-factor authentication) when using Basic Authentication.
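The contrast above can be seen by inspecting what each kind of `Authorization` header hands to anyone who reads it. This is an added example, not code from Microsoft or from the original article; it assumes the access token is a JWT carrying the standard `exp` and `aud` claims, and the account, password, and resource URLs are constructed sample values.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_authorization(header: str, resource: str, now: int) -> dict:
    """Report what an Authorization header value gives to whoever reads it."""
    scheme, _, value = header.partition(" ")
    if scheme.lower() == "basic":
        # Base64 is an encoding, not encryption: the password comes straight back,
        # and it stays valid for every protocol until the user changes it.
        user, _, password = base64.b64decode(value).decode("utf-8").partition(":")
        return {"scheme": "basic", "user": user, "password_exposed": bool(password),
                "expires": None, "usable": True}
    if scheme.lower() == "bearer":
        # Claims are read without verifying the signature (illustration only).
        claims = json.loads(b64url_decode(value.split(".")[1]))
        usable = claims["aud"] == resource and claims["exp"] > now
        return {"scheme": "bearer", "user": claims.get("sub"), "password_exposed": False,
                "expires": claims["exp"], "usable": usable}
    raise ValueError(f"unsupported scheme: {scheme!r}")


def make_sample_token(aud: str, exp: int) -> str:
    # Constructed, unsigned token for the demo; real tokens carry a signature.
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"sub": "alice", "aud": aud, "exp": exp}), "sig"])


# Constructed sample values, not real credentials.
SAMPLE_BASIC = "Basic " + base64.b64encode(b"alice@example.com:CorrectHorse1").decode()
MAIL = "https://mail.example.com"
SAMPLE_BEARER = "Bearer " + make_sample_token(aud=MAIL, exp=1_700_003_600)

if __name__ == "__main__":
    now = 1_700_000_000
    print(inspect_authorization(SAMPLE_BASIC, MAIL, now))
    print(inspect_authorization(SAMPLE_BEARER, MAIL, now))
    print(inspect_authorization(SAMPLE_BEARER, "https://files.example.com", now))
    print(inspect_authorization(SAMPLE_BEARER, MAIL, now + 7200))
```

The Basic header yields a reusable password with no expiry, while the same bearer token is rejected once the resource differs or the expiry time has passed.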
The process of disabling Basic Authentication in Microsoft Exchange Online will cover the MAPI, RPC, Offline Address Book, Exchange Web Services, POP, IMAP, and Remote PowerShell protocols. The company says that it has already disabled it for millions of customers who are not using it. Microsoft also adds that using Basic Authentication will leave customers at great risk.