So what clients are using basic authentication? The most recent version of Windows 10 Mail and Calendar supports Office 365. In my next blog (Part II) I will explain more about how to monitor basic authentication and how to start testing what happens when disabling basic authentication.

Ignite 2020 saw the public preview of Azure Arc enabled data services, the latest step in Microsoft's bid to demystify multicloud. Once applied they can no longer use basic authentication to log on to any Office 365 service. The extension is just for organizations currently using Basic Authentication with Exchange Online. The client contacts the server the first time and you enter your credentials in a web frame; this is a server-based web frame, and when the credentials are entered two tokens are generated: Source: Authorize access to Azure Active Directory web applications using the OAuth 2.0 code grant flow.

By doing this Microsoft increases security in (especially) Exchange Online, since basic authentication is a perfect attack vector for malicious users. Basic authentication is enabled by default in all Office 365 implementations unless you disable it.
We will publish more details on these as we make progress. Microsoft Windows 10 Mail and Calendar was previously configured using Exchange protocol. Of using Outlook for iOS in combination with an on-premises mailbox. There are a few things to be aware of.

Microsoft has changed their plans due to the Covid-19 crisis going on at the moment. Outlook 2010 is the most common, but also lots of ActiveSync clients, POP3 and IMAP4 clients, PowerShell and Exchange Web Services (scripts and tools!) The change affects their use of Remote PowerShell. Microsoft also will disable Basic Authentication if it detects that Basic Authentication isn't being used.

Use the connection information to discover devices/clients that are using basic authentication. In Outlook 2013 you had to set some registry keys, but in Outlook 2016 and higher it is enabled by default. Basic authentication is a less secure authentication method which opens your Office 365 mailbox to cyberattacks like credential stuffing, brute force and password spray. In this blogpost I’ll try to dive a bit deeper into authentication and explain what is going to happen. Kindle Fire Mail application does not support modern authentication. are still using basic authentication. Organizations dealing with the end of Basic Authentication likely will experience some pains in upgrading systems. Important: Enabling Password Security in Office 365 (email) is recommended and should only be disabled as required for use with some non-Microsoft clients.

The following screenshot is an animated slide from the presentation showing the authentication flow between a client, Exchange Online, Azure AD and the on-premises Domain Controller: Modern Authentication is based on the OAuth2 framework.

I leave it up to your imagination what will happen when Microsoft stops support for basic authentication (step 1 in the screenshots above) this October!

Once you have reconfigured devices/clients to use modern authentication.

Modern authentication is a token-based authentication mechanism and as such it has similarities with federation services.
Basic Authentication also doesn't support multifactor authentication, a secondary means of verifying user identities, which Microsoft recommends for organizations.

A few new details in that respect were added in Microsoft's Friday announcement: We will also continue to complete the roll-out of OAuth support for POP, IMAP, SMTP AUTH and Remote PowerShell and continue to improve our reporting capabilities.

Microsoft has announced the release of its "Digital Defense Report," which is described as "a reimagining" of Microsoft's "Security Intelligence Report" (SIR). The end date for Basic Authentication on Exchange Online previously was Oct. 13, 2020, but Microsoft is now pushing it out due to uncertainties surrounding the "COVID-19 crisis." To improve security typically an SSL connection is used, so the connection between the client and the server is encrypted.

Microsoft will stop support for basic authentication in October 2020 as outlined in the following blogpost: Basic Auth and Exchange Online – February 2020 Update. The access token is constantly renewed (and thus no need to re-authenticate manually) until it cannot be renewed, for example when the password expires, the account is blocked (the access token is revoked) or when a Conditional Access policy can no longer be applied.