A little over a year from now, Microsoft will begin to permanently disable Basic Authentication for Exchange Online. This will be in ALL Microsoft 365 tenants, except for SMTP Authentication. I can hear the grumbles now, but let’s talk about why Microsoft is pushing this.
Legacy authentication cannot take advantage of a myriad of security features, of which MFA is arguably the most important. If you don’t have MFA, you’re vulnerable to compromise. According to Microsoft’s Alex Weinert’s blog post last year:
The numbers on legacy authentication from an analysis of Azure Active Directory (Azure AD) traffic are stark:
- More than 99 percent of password spray attacks use legacy authentication protocols
- More than 97 percent of credential stuffing attacks use legacy authentication
- Azure AD accounts in organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled
So what does this mean for you? What should you do?
First off, legacy mail applications (legacy Apple Mail, Gmail, or third-party email clients) will stop working! The easiest fix is to replace these applications with the official Outlook app, so that you can guarantee you’re using the most secure login methods.
Any custom software or devices using basic authentication will stop working. You will need to switch to authenticated Simple Mail Transfer Protocol (SMTP). Enable SMTP Authentication for any necessary mailboxes. Follow Microsoft’s guide or drop us a line and we can help.
You should proactively start checking your Azure AD sign-in logs and see who in your organization is still using Basic Authentication. Enable Modern Authentication (if you’re not using it yet!) and work with users to roll out MFA.