Microsoft is in the process of deprecating basic authentication to its cloud services. While their announcements feel far away, I feel this is the best time to act, if you were one of the earlier adopters of Office 365 and Azure Active Directory.
What Microsoft is saying
Microsoft is communicating clearly on the upcoming changes with regard to Basic Authentication:
- Last year, Microsoft decommissioned Basic Authentication on Outlook REST API v1.0.
- Microsoft announced that it will stop supporting Basic Authentication-based connections to Exchange Web Services (EWS) to access Exchange Online on October 13th, 2020.
- Microsoft announced that it will stop supporting and retire Basic Authentication for Exchange Active Sync (EAS), Post Office Protocol (POP), Internet Message Access Protocol (IMAP), and Remote PowerShell (RPS) in Exchange Online on October 13th, 2020.
- Office 2010 Professional Plus reaches end of support on October 13, 2020. This version of the Office suite features the last version of Outlook that doesn’t support Modern Authentication.
These announcements do not affect SMTP AUTH and Microsoft continues to support Basic Authentication for it in Exchange Online.
… But, these changes feel far away.
The timelines above stem from the support lifecycles, service level agreements Microsoft offers and the corporate responsibility guidelines that Microsoft follows.
Politically, I’ve used this trick a couple of times at customers to reduce resistance to less popular changes, just to get a ‘go’. In my experience, “We’ll cross that bridge when we get there” people are onboarded more easily that way.
Yes, but please act now
However, these changes do not mean that as an organization you can just lean back. Several situations might create some urgency. If you are a large enterprise that runs Office 2010 Professional Plus throughout your organization, then upgrading to a more recent version of Office should be high on your priority list.
Wouldn’t it be sad if you had to touch people’s Outlook profiles twice within the next six months? Because that’s the direction I think a lot of early adopters of Office 365 are heading.
My tip for today is to check your tenant’s Modern Authentication settings, before migrating from Office 2010 Professional Plus, or Office 2013 Professional Plus installations without the specific registry settings.
There are two good reasons for it:
For tenants created before August 1, 2017, modern authentication is turned off, by default.
Now, many of the Microsoft pages I link to above feature PowerShell scripts to change that behavior, but these days it’s actually an option box in the Microsoft 365 admin portal.
The second reason has a bit more background, and I recommend reading up. Alex Weinert, Director of Identity Security at Microsoft, regularly shares and confirms many alarming facts on Basic Authentication and Modern Authentication:
- SMTP, IMAP, and POP are the top 3 protocols used to compromise Microsoft 365 accounts.
- Using Modern Authentication and Multi-Factor Authentication (MFA) blocks 99.9% of account hacks.
It is time to get on this bandwagon.
How to enable Modern Authentication
Perform these actions in a web browser:
- Navigate to https://admin.microsoft.com/.
- Sign on with an account in your tenant that has the Global administrator role assigned to it.
  Perform multi-factor authentication when prompted. Elevate through Azure AD Privileged Identity Management (PIM) if you need to.
- In the left navigation bar, click Settings.
  The Settings menu unfolds beneath it.
- Click Settings in the Settings menu.
- In the main pane, click Modern Authentication.
- In the Modern Authentication blade that appears, check the Enable Modern authentication option.
- Click Save changes at the bottom of the blade.
- Close the Modern Authentication blade by clicking on the X in the top right corner of the blade.
- Sign out by clicking the icon for your account in the top right corner of the Microsoft 365 admin center and clicking the Sign out link.
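The same tenant setting can be checked, and switched on if needed, from Exchange Online PowerShell. This is an added example, not a script from the original post or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, and the administrator UPN is a placeholder.

```powershell
# Added example: check (and optionally enable) modern authentication for Exchange Online.
# Assumptions: the ExchangeOnlineManagement module is installed and the account
# below (a placeholder) holds a role that may read and change organization config.
param(
    [string]$AdminUpn = 'admin@contoso.example',  # placeholder, replace with your own admin
    [switch]$Enable                                # change the setting only when asked to
)

Import-Module ExchangeOnlineManagement -ErrorAction Stop
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

try {
    # OAuth2ClientProfileEnabled is the organization-wide modern authentication
    # switch for Exchange Online.
    $config = Get-OrganizationConfig
    [pscustomobject]@{
        Tenant                     = $config.Name
        OAuth2ClientProfileEnabled = $config.OAuth2ClientProfileEnabled
    } | Format-List

    if ($config.OAuth2ClientProfileEnabled) {
        Write-Output 'Modern authentication is already enabled for Exchange Online.'
    }
    elseif ($Enable) {
        Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
        # Read the value back instead of trusting that the change was applied.
        $after = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
        Write-Output "OAuth2ClientProfileEnabled is now: $after"
    }
    else {
        Write-Warning 'Modern authentication is OFF. Re-run with -Enable before rolling out newer Outlook versions.'
    }
}
finally {
    # Always close the remote session, including when a cmdlet above fails.
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Run without `-Enable` first: that only reports the current state, which is the check to do before any Office migration starts.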
I recommend that organizations enable the Modern Authentication features in their tenants before onboarding people to versions of Outlook that support Modern Authentication. This way, when a person gets the new version of Outlook, modern authentication is enabled and used, by default.
If modern authentication is not available at this time, the Outlook profile for the person needs to be reset around October 13th, 2020, to switch to modern authentication…
That would be a shame, if you ask me.