Goodbye Basic Authentication, Hello Modern Authentication

by | Aug 23, 2022 | Security, Web, Windows

Beginning on October 1, 2022, Microsoft is disabling the ability to connect to Microsoft services using legacy authentication protocols. Users are moving to modern authentication whether they want it or not. It is also up to the user to make the switch, and after October 1, they may not be able to connect at all. The apps that are affected by this are mail service applications like Outlook, Exchange Web Services (EWS), Remote PowerShell (RPS), POP and IMAP, and Exchange ActiveSync (EAS).

This will also affect the ability of third-party applications or custom-developed systems to connect to Microsoft if they are using the above methods to connect. These services are typically used to integrate with your company email or calendar. Examples of such applications include Autodiscover, MAPI over HTTP, IMAP4, POP3, and Exchange Online PowerShell.

Other services, such as POP/IMAP, EWS apps, and PowerShell scripts require changes in code or custom development in order to enable Modern Authentication. This is dependent on the specific application; it may not be possible at all for some. The May 2022 update from Microsoft contains more detailed instructions.

To check which applications are using Basic Authentication, you can use Azure Active Directory to check the status of apps. See this answer, approved by Microsoft, for more details. By filtering for applications that use legacy authentication protocols, you can find what needs to be updated or replaced. The blog Cloud Tek Space also outlines three methods for identifying and disabling Basic Auth in your applications.
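One way to apply that filter offline to an exported copy of the sign-in logs, as an added example that is not from the original article or from Microsoft. It assumes the export uses the Microsoft Graph sign-in field names (`clientAppUsed`, `userPrincipalName`, `createdDateTime`, `status.errorCode`); the sample records are constructed and the function names are hypothetical.

```python
import json
from collections import defaultdict

# clientAppUsed values for the legacy protocols this article names (a subset
# of what the sign-in logs can report); compared case-insensitively.
LEGACY_CLIENT_APPS = {
    "autodiscover", "exchange activesync", "exchange online powershell",
    "exchange web services", "imap4", "mapi over http", "pop3",
}

def _rec(when, user, client, error_code):
    """Build one constructed sign-in record (not real tenant data)."""
    return {"createdDateTime": when, "userPrincipalName": user,
            "clientAppUsed": client, "status": {"errorCode": error_code}}

# Constructed sample standing in for a JSON export of the sign-in logs.
SAMPLE_EXPORT = json.dumps([
    _rec("2022-08-01T08:15:00Z", "helpdesk@example.com", "POP3", 0),
    _rec("2022-08-02T09:00:00Z", "helpdesk@example.com", "POP3", 0),
    _rec("2022-08-02T10:30:00Z", "joe@example.com", "IMAP4", 50126),
    _rec("2022-08-03T11:00:00Z", "joe@example.com", "Mobile Apps and Desktop clients", 0),
    _rec("2022-08-03T12:00:00Z", "ann@example.com", "Exchange ActiveSync", 0),
    _rec("2022-08-04T07:45:00Z", "ann@example.com", "Browser", 0),
])

def legacy_auth_summary(export_json):
    """Group legacy-protocol sign-ins by (user, client app)."""
    summary = defaultdict(lambda: {"succeeded": 0, "failed": 0, "last_seen": ""})
    for record in json.loads(export_json):
        client = (record.get("clientAppUsed") or "").strip()
        if client.lower() not in LEGACY_CLIENT_APPS:
            continue  # modern-auth clients such as "Browser" are skipped
        entry = summary[(record.get("userPrincipalName") or "unknown", client)]
        succeeded = (record.get("status") or {}).get("errorCode") == 0
        entry["succeeded" if succeeded else "failed"] += 1
        entry["last_seen"] = max(entry["last_seen"], record.get("createdDateTime") or "")
    return dict(summary)

def accounts_to_migrate(summary):
    """Accounts with a successful legacy sign-in: something there still works
    over Basic Authentication and will stop when it is turned off."""
    return sorted({user for (user, _), e in summary.items() if e["succeeded"]})

if __name__ == "__main__":
    report = legacy_auth_summary(SAMPLE_EXPORT)
    for (user, client), e in sorted(report.items()):
        print(f"{user:24} {client:20} ok={e['succeeded']} failed={e['failed']} last={e['last_seen']}")
    print("Migrate:", accounts_to_migrate(report))
```

Successful and failed legacy sign-ins are counted separately because only the successful ones identify a client that currently depends on Basic Authentication.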

Another way this could impact Microsoft users is through mobile connections to email if someone is using a built-in application. Microsoft recommends that users use the Outlook Mobile app to connect their email to their mobile device.

Some affected providers already have methods to connect to their apps using OAuth2 (also Modern Authentication). Others do not and will need to be upgraded or replaced. There will be no way to connect to Microsoft after October 1st.

Luckily, it will only affect Outlook users if they are using an application version that is ten-plus years old without updating in that entire time. If you are using an older version of Outlook, namely Outlook 2007 and Outlook 2010, you need to update as soon as possible. As part of the managed IT services SpireTech provides, nearly all our clients have already been using the latest version of Outlook, Outlook 365.

What is Basic Authentication vs Modern Authentication?

Many applications, like Outlook, have had users automatically using Modern Authentication since 2016. You may be fully integrated already and have no idea. In short, Basic Authentication uses a login credentials dialog box when signing on, while Modern Authentication uses a web-based login page.

Here’s an example of Basic Authentication, taken from Microsoft’s announcement about the October 1 deadline:

And this is what an app using Modern Authentication might look like on sign-on:

Basic Authentication is a living fossil in the technical world; moving to Modern Authentication will increase your security and ensure your data is protected. With Basic Authentication, a user’s credentials (your username and password) are typically stored on the device being used. With such a simple system, it is easier for an attacker to exploit it and enter your credentials elsewhere.

With Modern Authentication, those credentials are not stored on your device, and instead are stored on a remote server. Pretty much: your laptop doesn’t keep the password anymore; Big Microsoft is in charge instead. Modern Authentication also takes your behavior and location into account: Joe Schmoe who lives in Arkansas probably didn’t log in to his email in Argentina. Modern Authentication keeps your information safe—it is a no-brainer switch if you aren’t there already.

If you still log in to applications using a device-based login system instead of a web-based login system, you need to update. Beginning October 1, 2022, Microsoft will begin disabling Basic Authentication for its users. This is not the deadline for everyone, as Microsoft is processing users in batches. However, you could be selected anytime after October 1, and after you are given notice, that is your deadline. You cannot cut the line or ask for your turn to be moved further down the line.

Once a tenant is selected, Microsoft will send a seven-day warning via a Message Center Post and Service Health Dashboard notices. After those seven days, Basic Auth is turned off for that tenant.

If you are a VIPsupport client for SpireTech, we’ll help you through it. If you need help with making the switch or other IT services, SpireTech provides the best IT support in Portland. We work hard to make sure that our clients are happy and satisfied, and that changes in the technical side don’t affect your business.

Take some deep breaths and know that the switch from Basic Auth to Modern Auth isn’t as scary as it sounds. It’s just progress.

Read More:

Deprecation of Basic authentication in Exchange Online | Microsoft Docs

Basic Authentication Deprecation in Exchange Online – May 2022 Update – Microsoft Tech Community

Basic Authentication and Exchange Online – September 2021 Update – Microsoft Tech Community

Identify Basic Authentication (