If you're still using Microsoft’s Basic Authentication (Basic Auth), you're in for a rude awakening on October 1. That's when Microsoft is going to start disabling Basic Auth for protocols in Exchange Online that have yet to be turned off.
Yes, it’s happening, and this is what Microsoft reported:
Microsoft is discontinuing the use of basic authentication in Exchange Online for various applications, including but not limited to: EAS, POP, IMAP, Remote PowerShell, Exchange Web Services (EWS), Offline Address Book (OAB), Outlook for Windows and Mac.
They will also disable SMTP AUTH in any tenant that is not using it.
The deadline for its replacement is approaching quickly, and many users are still using it despite reminders from Microsoft. If you're still on Basic Auth, the company recommends switching to Modern Authentication (OAuth 2), which uses token-based authorization. Its access tokens have a limited lifetime and are restricted to the applications and resources for which they are issued, so they cannot be reused.
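The difference between the two schemes, as an added example that is not part of the original article or of any InvGate product: Basic Auth puts the reversible password on the wire, while the OAuth 2.0 mail login (SASL XOAUTH2) carries a bearer token that is bound to one resource and expires. The function names, the sample account, the resource URL and the JWT-shaped token are all constructed for illustration.

```python
import base64
import json
import time


def basic_header(user: str, password: str) -> str:
    """Basic Auth: the password itself, base64-encoded, sent with every request."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def password_from_basic(header: str) -> str:
    """Anyone who captures the header recovers the long-lived password."""
    decoded = base64.b64decode(header.split(" ", 1)[1]).decode()
    return decoded.split(":", 1)[1]


def xoauth2_response(user: str, access_token: str) -> str:
    """SASL XOAUTH2 initial response for IMAP/POP/SMTP: a bearer token, no password."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()


def make_sample_token(aud: str, exp: int) -> str:
    """Constructed, unsigned JWT-shaped token for this demo only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc({'aud': aud, 'exp': exp})}.sample-signature"


def token_claims(token: str) -> dict:
    """Decode the payload without verifying it (the resource server checks the signature)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_usable(token: str, resource: str, now=None):
    """Apply the two limits the text describes: audience and lifetime."""
    claims = token_claims(token)
    now = time.time() if now is None else now
    if claims.get("aud") != resource:
        return (False, "wrong audience")
    if claims.get("exp", 0) <= now:
        return (False, "expired")
    return (True, "ok")
```

A real resource server also verifies the token's signature and issuer; the check here covers only the audience and expiry limits mentioned above.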
In the past few months, we’ve contacted our clients’ technical teams to help with this transition. But, to recap, let’s take a look at some alternatives and how the deprecation is going to affect you if you are one of our clients.
Alternatives to Basic Auth
There are a number of alternatives to Basic Auth. OAuth is a popular choice for authentication and authorization, and SAML is another option for those who require single sign-on capabilities. LDAP and Kerberos are both well-established protocols that can be used for authentication, and NTLM is also an option if you're using Microsoft products exclusively. The options include:
- OAuth 2.0: A standard protocol that allows users to authenticate without having to enter their credentials each time.
- SAML 2.0: An XML-based protocol that allows single sign-on (SSO) between different applications.
- Kerberos: A network authentication protocol that uses strong cryptography to provide security for sensitive information.
- Azure Active Directory: A cloud-based directory service that can be used to manage user identities and access control.
- Forms-based authentication: A legacy authentication method that is still supported by EWS.
- JSON Web Token (JWT): A popular alternative to OAuth that allows you to create and validate tokens yourself.
- NTLM: Also a Microsoft protocol. NTLM is more secure than Basic Auth and is already supported by many Microsoft products.
We also offer several measures to help protect your data, even if you are still using Basic Authentication:
- Two-factor authentication: An additional layer of security that requires users to enter a one-time code, in addition to their username and password.
- Multi-factor authentication: A combination of two or more factors, such as a password, a fingerprint, and a facial recognition scan.
- Encryption: A process that encodes information so that it can only be read by authorized individuals.
These alternatives provide more secure authentication for users and are less likely to be deprecated in the near future.
How the deprecation of Basic Auth affects InvGate clients
Microsoft recommends switching to OAuth 2.0, which is a more secure authentication method. If you're using any of our InvGate products, you will have noticed that we included some reminders for you to take action. Once the deprecation is active, the following services will be affected.
InvGate Service Management
Firstly, the incoming email configuration will stop working. Because of this, you must reconfigure incoming email accounts before that moment. Regarding web service calls, it's possible the new configuration will interrupt the execution of those calls, meaning they will stop working too.
And, for the time being, the Basic Authentication deprecation will not affect existing configurations of outgoing email. However, we recommend that you reconfigure outgoing email accounts in order to avoid issues in the future.
InvGate Asset Management & Assets
Although the deprecation may not impact any current configurations of outgoing email, we recommend that you reconfigure outgoing email accounts. By doing so, you will avoid any future problems.
To switch to OAuth 2.0, you'll need to create a new Outlook app in the Azure portal and then update your configuration to use the new app's credentials. For more information on how to do this, please contact us.
Key takeaways
We understand that the deprecation of Basic Auth can be disruptive. That's why we're committed to helping our customers transition to the new authentication methods with minimal disruption.
So, if you're still using Basic Auth, you might want to spend some time migrating to another option since it’s no longer supported by Microsoft and is considered unsafe. But, if you are an InvGate Service Management client, we’ll take care of it and guide you all the way.
In addition, our products provide several features that make it easy to transition from Basic Auth to another authentication method. For example, our products allow you to migrate your existing Basic Auth connections to OAuth 2.0 with just a few clicks since we support EWS Microsoft Modern Auth.
If you need a more detailed explanation, we have created a thorough guide with information about the services that will be affected and the steps to take. It should be in the hands of your technical team already.
Frequently Asked Questions
Why is Microsoft deprecating Basic Authentication?
There are several reasons why Microsoft is deprecating Basic Authentication. First, it is not as secure as other authentication methods available today. Second, it does not support modern features such as multi-factor authentication. Finally, Microsoft is moving to a more unified authentication model that will work across all of its products, and Basic Authentication does not fit into this model.
When is Microsoft deprecating Basic Authentication?
Microsoft will deprecate Basic Authentication effective October 1, 2022. You have the option to ask the Microsoft Support team for an extension until December 31, 2022, on the accounts used for incoming email configurations (IMAP/POP3) with Basic Authentication. If you decide to carry out this process, you need to notify your InvGate Support team.
What does the deprecation of Basic Auth mean for me?
If you are using Microsoft products that rely on Basic Authentication, you will need to migrate to a different authentication method. This may require some changes to your existing infrastructure, but Microsoft is providing resources to help with the transition.
What are some other authentication methods available?
There are many other authentication methods available, including modern ones such as multifactor authentication. Some of the most popular options include Microsoft Entra ID (formerly Azure Active Directory), Kerberos, JWT, and SAML.
What are the benefits of using a modern authentication method?
There are many benefits of using a modern authentication method, such as improved security, support for multi-factor authentication, and a more unified authentication experience.
What will happen if I continue to use Basic Authentication?
Your access to web-based services may be limited or restricted. Additionally, you may find it difficult to integrate with newer technologies. We recommend that you migrate to another authentication method such as OAuth.
How do I migrate to another authentication method?
We recommend that you consult with your IT staff or a professional consultant to determine the best authentication method for your needs. Generally, OAuth is a good choice for most users.