Covid-19 Changing the Game
We live in fast-changing times. The results of the Covid-19 pandemic are being felt in many ways. Many people are working from home, conferences are being rescheduled until next year or going virtual, and Microsoft is being forced to reschedule planned developments in Office 365. Some things, like increasing the membership limit for Teams to 10,000, are being accelerated. Others, like the plan to remove basic authentication for five Exchange Online connection protocols, are being pushed out.
Basic Authentication is Still Bad
Basic authentication is bad for Exchange Online because it is a vulnerability often used as an attack vector. I strongly supported the original plan to remove basic authentication for ActiveSync, PowerShell, Exchange Web Service, and especially POP3 and IMAP4 in October 2020.
All the signs from Microsoft were that the Exchange product group wanted to make this happen and would hold the line. But pandemics have a funny habit of changing things, and so the product group has been forced to postpone removing basic authentication for the famous five protocols until some time in the second half of 2021.
Second Half of 2021
The lack of a definite target date is because no one knows when the world will resume normal working. No doubt Microsoft wants to set a date that’s sooner rather than later, but for now July 1, 2021 is a good target date for planning.
In the meantime, new Office 365 tenants won’t get the chance to develop a bad habit because Microsoft is disabling basic authentication for the five protocols by default in those tenants. And in October 2020, they’ll get some satisfaction by disabling the protocols in tenants with no recorded use of basic authentication (in other words, Microsoft’s telemetry only records connections using modern authentication in the tenant).
Updates Coming for Affected Protocols
Updated 30 April 2020:
Microsoft is rolling out OAuth 2.0 support for SMTP AUTH and IMAP4 to allow developers to upgrade clients that use these now ancient (but beloved in parts) protocols. Support for POP3 is also in the works.
OAuth support is especially important for SMTP AUTH connections (used by applications and appliances to send email via Exchange Online). Although I can see how programmers will update POP3 and IMAP4 email clients to keep them working with Exchange Online, I have a harder job imagining how device manufacturers will get to update all the multi-function devices that send email like job completion notifications, which is why Microsoft is holding to the line that they don’t plan to disable SMTP AUTH (for now).
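To make the difference concrete, here is an added example (not from the original article or from Microsoft) that builds the SASL PLAIN response a basic authentication client sends and the SASL XOAUTH2 response an OAuth-enabled SMTP AUTH or IMAP4 client sends, then decodes each to show which one carries the account password. The function names are hypothetical and the account, password, and token values are constructed.

```python
import base64

def sasl_plain(user: str, password: str) -> str:
    """Basic authentication: SASL PLAIN initial response (authzid NUL user NUL password)."""
    return base64.b64encode(f"\x00{user}\x00{password}".encode()).decode()

def sasl_xoauth2(user: str, access_token: str) -> str:
    """Modern authentication: SASL XOAUTH2 initial response carrying an OAuth 2.0 bearer token."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()

def inspect_auth(line: str) -> dict:
    """Decode an SMTP 'AUTH <mech> <b64>' or IMAP '<tag> AUTHENTICATE <mech> <b64>'
    command and report whether the account password travels with it."""
    parts = line.split()
    if len(parts) == 3 and parts[0].upper() == "AUTH":
        mech, blob = parts[1], parts[2]
    elif len(parts) == 4 and parts[1].upper() == "AUTHENTICATE":
        mech, blob = parts[2], parts[3]
    else:
        raise ValueError("not an SMTP AUTH or IMAP AUTHENTICATE command")
    mech = mech.upper()
    decoded = base64.b64decode(blob, validate=True).decode()
    if mech == "PLAIN":
        # Base64 is an encoding, not encryption: the password is recoverable as-is.
        _authzid, user, _password = decoded.split("\x00", 2)
        return {"mechanism": mech, "user": user, "sends_password": True}
    if mech == "XOAUTH2":
        fields = dict(f.split("=", 1) for f in decoded.split("\x01") if f)
        scheme, _, token = fields["auth"].partition(" ")
        if scheme != "Bearer" or not token:
            raise ValueError("XOAUTH2 response lacks a bearer token")
        return {"mechanism": mech, "user": fields["user"], "sends_password": False}
    raise ValueError(f"unsupported mechanism: {mech}")

if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    user = "scanner@contoso.example"
    smtp_basic = "AUTH PLAIN " + sasl_plain(user, "Constructed-Passw0rd")
    imap_oauth = "a1 AUTHENTICATE XOAUTH2 " + sasl_xoauth2(user, "constructed.access.token")
    for cmd in (smtp_basic, imap_oauth):
        print(inspect_auth(cmd))
```

With PLAIN, every connection from a device or script hands over the mailbox password itself; with XOAUTH2 the client presents a token obtained separately from the identity provider, so the password never reaches the mail protocol endpoint.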
Remote PowerShell will also be updated, and anyone using PowerShell to work with Exchange Online today is advised to start using the Exchange Online Management module, which supports MFA and OAuth. More work is needed to allow PowerShell scripts to run in unattended mode. That’s expected to appear in a future update for the module quite soon.
The Podcast Blues
The funny thing is that I was sure in my own mind that this would not happen and said so quite passionately when Paul Robichaux and I recorded episode 18 of our Office 365 Exposed podcast last night. I’ll have to see if Paul can edit those words out as he tweaks the recording for release…
Tracking dates is hard, especially inside an environment like Office 365, which changes all the time. Subscribe to the Office 365 for IT Pros eBook and let us do the heavy lifting of date checking.
Hello,
Is there any article or explanation of how we should handle accounts used in scripts that use basic authentication? Is there any explainable alternative? Thanks!
The scripts you’re concerned about are those involving Exchange Online, so the first thing to do is to start using the new Exchange Online management module. This module includes the new REST-based cmdlets and is designed for use with MFA/OAuth (modern authentication). It replaces the old Remote PowerShell implementation, which is one of the connection protocols that will be disabled for basic auth. The Exchange Online management module needs some more work to allow it to run with modern authentication as a scheduled process, but that’s on the way.