Companies that use Active Directory for identity management have relied on basic authentication to give users access to workstations, network resources and other services within the environment. As more organizations use online services, this legacy authentication approach is not secure enough. Microsoft recognized the high risk associated with basic authentication and has pushed for a shift to the more secure modern authentication. Basic authentication support in Office 365 ends on Oct. 1, which makes it imperative for enterprises that rely on the platform to prepare for this Microsoft modern authentication deadline.
Why basic authentication falls short in security
On the technical front, there are several reasons why basic authentication is not a safe enough authentication method. Each login request to an application or website, even when using secure methods such as HTTPS, puts the enterprise at risk by transmitting the username and password, potentially leaking user credentials. Multifactor authentication (MFA) might be difficult or not possible with basic authentication in place. Lastly, basic authentication has not received significant changes or updates in products that rely on it for authentication, such as the Microsoft identity platform.
For modern authentication, customers have several authentication alternatives that do not rely on the basic exchange of username and password, such as OAuth and SAML. These and other federation methods support a far more secure alternative to basic authentication that relies on token-based claims for access to internet resources and services. Microsoft modern authentication uses the OAuth2 protocol and security tokens that administrators use to approve or revoke access to resources. The modern authentication method eliminates some of the risks associated with the exchange of a username and password every time a user needs to authenticate.
Office 365 services that will be affected by the modern authentication deadline
Without a migration to modern authentication by Oct. 1, several areas related to Office 365 will not function properly after Microsoft’s deadline.
Basic authentication in Exchange Online. Microsoft will stop support for basic authentication in Microsoft Exchange Online services on Oct. 1. Components related to the hosted email platform that will not function include Exchange Online for Exchange ActiveSync, Exchange Web Services, IMAP, Offline Address Book, POP and remote PowerShell.
Outlook client support for Exchange Online. After the deadline, some older versions of Microsoft Outlook will not receive email, including Outlook 2010 and Outlook 2013 for Windows and Outlook for Mac 2011. Organizations that use these legacy versions will need to upgrade to avoid any disruption.
Compliance and cybersecurity pressures. The increase in email phishing attempts and hijacked user accounts has many companies, including several cybersecurity firms, mandating the use of MFA for email. In Office 365, modern authentication is required for MFA.
How to turn on modern authentication
The switch to modern authentication affects the entire organization. It changes how the system authenticates users across a range of resources, including third-party apps, PowerShell scripts and the Microsoft Office suite. Microsoft offers an Azure Active Directory (AD) Sign-In report that shows the systems that rely on basic authentication to help administrators understand the scope of the migration effort.
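One way to size the migration from an exported copy of that sign-in report, added here as an example and not taken from Microsoft's tooling: it counts sign-ins per user and legacy client so the remaining basic-authentication dependencies stand out. The CSV column names, the sample rows and the list of legacy client names are assumptions; adjust them to match the values in your own export.

```powershell
# Constructed sample rows standing in for an exported sign-in report.
# Column names are assumptions; rename them to match your export.
$sampleCsv = @'
UserPrincipalName,AppDisplayName,ClientAppUsed,CreatedDateTime
alice@example.com,Office 365 Exchange Online,IMAP4,2022-08-01T08:12:00Z
alice@example.com,Office 365 Exchange Online,IMAP4,2022-08-03T09:40:00Z
bob@example.com,Office 365 Exchange Online,Exchange ActiveSync,2022-08-02T11:05:00Z
svc-scan@example.com,Office 365 Exchange Online,POP3,2022-08-02T23:59:00Z
carol@example.com,Office 365 Exchange Online,Mobile Apps and Desktop clients,2022-08-03T07:30:00Z
dave@example.com,Microsoft Office,Browser,2022-08-03T10:15:00Z
'@

# Client names treated as basic-authentication clients (assumed list,
# chosen to mirror the protocols this article says will stop working).
$legacyClients = @(
    'Exchange ActiveSync', 'Exchange Web Services', 'IMAP4', 'POP3',
    'Offline Address Book', 'Exchange Online PowerShell', 'Other clients'
)

function Get-LegacyAuthSummary {
    param(
        [Parameter(Mandatory)] [object[]] $SignIn,
        [Parameter(Mandatory)] [string[]] $LegacyClient
    )
    $SignIn |
        Where-Object { $LegacyClient -contains $_.ClientAppUsed } |
        Group-Object UserPrincipalName, ClientAppUsed |
        ForEach-Object {
            # Most recent sign-in in this user/client group.
            $last = $_.Group |
                Sort-Object { [datetime]$_.CreatedDateTime } |
                Select-Object -Last 1
            [pscustomobject]@{
                User      = $last.UserPrincipalName
                ClientApp = $last.ClientAppUsed
                SignIns   = $_.Count
                LastSeen  = $last.CreatedDateTime
            }
        } |
        Sort-Object SignIns -Descending
}

# Replace the sample with: Import-Csv -Path <your export>
$rows = $sampleCsv | ConvertFrom-Csv
Get-LegacyAuthSummary -SignIn $rows -LegacyClient $legacyClients |
    Format-Table -AutoSize
```

Accounts that appear only with a legacy client, such as the service account in the sample, are the ones most likely to break silently after the cutoff.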
If users run a version of Outlook newer than 2013 that supports modern authentication, then the changeover is simple. Once modern authentication is enabled, the user restarts Outlook and reauthenticates.
For a tenant, administrators turn on modern authentication from the flyout menu in the Office 365 admin center at the Settings > Org Settings > Modern Authentication section. Exchange administrators also have the option to block the use of basic authentication prior to the October deadline by unchecking the options under the Allow access to basic authentication protocols section in the same menu.
Enable modern authentication with PowerShell
Administrators can use PowerShell commands to turn on modern authentication. First, the administrator must determine if modern authentication is already in use with the following command:
Get-OrganizationConfig | Format-Table Name, OAuth2ClientProfileEnabled
If the output is True, then the tenant is already configured with MFA. If it is False, the administrator can run the following command to set authentication to modern:
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
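The two commands above combined into a repeatable check, added here as an example rather than a Microsoft-supplied script: it changes the setting only when needed, supports -WhatIf for a dry run, and then lists any Exchange Online authentication policy that still allows basic authentication for a protocol, which relates to the blocking option described for the admin center. It assumes the ExchangeOnlineManagement module is installed; the function names and the admin address are placeholders.

```powershell
#Requires -Modules ExchangeOnlineManagement

function Enable-ModernAuthIfNeeded {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $org = Get-OrganizationConfig
    if ($org.OAuth2ClientProfileEnabled) {
        Write-Verbose "Modern authentication is already enabled for $($org.Name)."
    }
    elseif ($PSCmdlet.ShouldProcess($org.Name, 'Set OAuth2ClientProfileEnabled to $true')) {
        Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
    }

    # Re-read the setting so the output reflects the tenant, not the intent.
    Get-OrganizationConfig | Select-Object Name, OAuth2ClientProfileEnabled
}

function Get-BasicAuthPolicyGap {
    # One row per authentication policy that still permits basic
    # authentication for at least one protocol.
    Get-AuthenticationPolicy | ForEach-Object {
        $policy  = $_
        $allowed = $policy.PSObject.Properties |
            Where-Object { $_.Name -like 'AllowBasicAuth*' -and $_.Value -eq $true } |
            ForEach-Object { $_.Name -replace '^AllowBasicAuth', '' }

        if ($allowed) {
            [pscustomobject]@{
                Policy             = $policy.Name
                BasicAuthProtocols = $allowed -join ', '
            }
        }
    }
}

# Placeholder account; sign in with an Exchange administrator.
Connect-ExchangeOnline -UserPrincipalName admin@example.com

Enable-ModernAuthIfNeeded -WhatIf    # dry run: shows the pending change only
Enable-ModernAuthIfNeeded -Verbose   # applies the change if it is needed
Get-BasicAuthPolicyGap | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```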
Plan ahead to avoid disruptions
With the deadline to sunset basic authentication fast approaching, companies have few options other than to make the switch.
Organizations with outdated Office products may be the first ones to find they can no longer remain on these older versions. Enterprises that want to improve their security posture will find a migration to modern authentication improves their ability to mitigate some security gaps. Now is the time to prepare for the transition to prevent problems with email and other Office 365 services.