Microsoft is on a crusade against Basic Authentication, which they called “an outdated industry standard” for which threats have only increased over time.

Microsoft has announced that, come October 2022, they will disable support for Basic Authentication for all Exchange users. If Microsoft notices before then that you are not using Basic Authentication, they will disable support well ahead of that date.

More interestingly, however, if they notice that you are using it, they are planning to randomly disable support for the protocol for 12-48 hours, in an attempt to force action.

Microsoft writes:

IMPORTANT: Beginning early 2022, we will selectively pick tenants and disable Basic Auth for all affected protocols except SMTP AUTH for a period of 12-48 hours. After this time, Basic Auth for these protocols will be re-enabled, if the tenant admin has not already re-enabled them using our self-service tools.

The approach seems somewhat harsh, but Microsoft says it’s for your own good, given how insecure Basic Authentication is.

Admins will be notified in Message Centre of the plans to disable support for Basic Authentication for a limited time, and they have the opportunity to opt out of the action, though Microsoft hopes that it will prompt those admins to upgrade their clients to Modern Authentication instead.

Admins can read all the details at Microsoft here.
