Preparation for the end of basic authentication in Exchange Web Services

Prepare your applications and users for major changes on October 13, 2020.

Microsoft wants to kill the password using FIDO2 security for better authentication
Andrew Conway, general manager for Microsoft 365 Security, discusses how theft of login data can be prevented by relying on biometric security.

It takes less than a year for Microsoft to disable Basic Authentication for its Exchange Web Services (EWS). While new apps such as Office 365 Pro Plus use modern authentication techniques, it is an update that, if you use Office 365 with older clients or custom applications, must make changes to the applications that you use and may rewrite your custom code.

On October 13, 2020, older applications cannot connect to Office 365 and the individual Exchange Online service. Other Office services also stop accepting connections from older apps on the same date, although that is not due to changes in the service, but because regular support for those versions is being terminated.

Users with Office 365 plans have already been upgraded to supported versions, so it is only users with their own code or with older perpetual licensed versions of Office that lose access to the cloud. If you still use local Office servers, such as Exchange, you will not lose access because the new authentication rules apply only to cloud-hosted Office services.

Gradually abolish basic verification

To be honest, phasing out basic authentication is a wise decision. One of the older web authentication protocols, it uses cleartext usernames and passwords to control access to services. Even with TLS to encrypt the underlying connection, it is still a risky way to manage access to potentially commercially sensitive data. It is not only the possibility of password interception that makes Basic Authentication a significant risk: Microsoft has seen a burst of password spray attacks on Office 365 that demonstrate how easy it is for bad actors to take advantage of old security models.

If you use a recent version of Office, on Windows or on mobile devices, you will not notice a definitive shutdown. Your application already uses what Microsoft calls “modern authentication,” using the OAuth 2.0 protocol. Administrators may need to update every PowerShell they use to the Exchange Online PowerShell V2 module, as it uses modern authentication protocols. Microsoft also adds OAuth support to IMAP and POP3, so if you prefer to use these protocols, you can upgrade email clients to versions that support OAuth instead of Basic Authentication.

What is the risk?

Where things become more complex is with custom applications written to work with the EWS APIs. Exchange Web Services is used with Exchange Online and although it is currently operational, it has only had security updates since July 2018. It is a SOAP API that provides access to Exchange data, allowing you to open and send messages, work with calendars, and use the address books. Microsoft has moved its own services and APIs to the Microsoft Graph, a more powerful set of tools that provides access to more than Exchange data, which can be used to build cross-platform apps with commonly available APIs.
If you have custom code, you must now move it to the Microsoft Graph. There are SDKs for the most common platforms and development frameworks, including .NET. With this you should be able to adjust the existing code without too much effort, because the methods used to call the Graph are the same as those used with EWS. You also get the benefit of authentication via OAuth 2.0, with support for more secure authentication tools, including multifactor. Existing EWS code will still work if you switch to using OAuth 2.0, but it is not recommended because new functions are only supplied with the Microsoft Graph.

The SMTP Auth Clients report in the Mail flow dashboard of the Office 365 Security & Compliance Center allows you to detect compromised accounts due to the use of older – less secure – protocols.

Image: Microsoft

Find applications that need to be updated

With less than a year to update your applications, it is important to find out which apps use Basic Authentication in your network. Microsoft has promised a tool to simplify the process, but it is not yet available, so you will need to use the tooling built into Office 365 and Azure Active Directory until it is released.

A useful tool to ensure that your users do not use older, less secure clients with your Office 365 infrastructure is the Office 365 Security and Compliance tooling. Here you will find the Mailflow dashboard. This includes a panel that shows users who use SMTP authentication to send e-mail, and you can click to get details about what is being used. These are probably compromised accounts or apps that are built to use basic authentication. You can see the apps that users have used so that you can compile a list of what needs to be replaced or updated.

SEE: Windows 10: a cheat sheet (TechRepublic)

However, that only shows one set of applications and others may use basic authentication to log in to all other Office 365 services. Here you can use your Office 365 Azure Active Directory to get a list of all applications that users use to log in to your tenant. It’s a handy list to get, because it helps you keep control over the apps used on your network.

Although the free Azure AD account that comes with Office 365 subscriptions can provide you with the information you need, more complex user logon reports and the applications that are used most often require a separate P1 or P2 Azure AD subscription . This also allows you to use PowerShell to gain deeper access to the data you see in the portal, add your own filters, and use tools such as Excel to build custom reports in API and application usage.

Conditional access policy is maintained after the authentication of the first factor is completed.

Image: Microsoft

With an Azure AD subscription, you can also use tools such as Conditional Access policies to manage the applications that have access to your tenant. Once you’ve identified an app that uses basic authentication, you can block it from EWS and other services to see if this app is important enough for users to complain about. If you don’t want to use more than the free Azure AD tools that came with Office 365, you can use PowerShell to disable basic authentication for your tenants and wait to see which apps don’t work.

The switch from Microsoft to a more secure authentication model for EWS makes sense, given the security risks associated with basic authentication. By switching to the OAuth 2.0 token-based security model, you can restrict access to specific applications because tokens are associated with the application that requires it. The use of basic verification in the current threat landscape is at best risky and in the worst case an invitation to cyber attack. With a threatening deadline, moving to modern authentication as quickly as possible is not just a good idea to keep users happy, it is one that reduces risk and makes your systems more secure.

Weekly newsletter from Microsoft

Be Microsoft’s insider for your business with the help of these Windows and Office tutorials and the analyzes of our experts on Microsoft business products.
Delivered on Monday and Wednesday

Register today

Also see

Section 230: Senators grandstand during hearing with Huge Tech bosses

What happened: Less than a week before the US presidential elections, the CEOs of Facebook, Google, and Twitter appeared before the Senate Committee on Commerce, Science, and Transportation.The four-hour hearing was meant to focus on Section 230, the regulation that has shielded internet companies from liability for user content. Most questions, however, had little to…

In a first, researchers draw out secret essential utilized to encrypt Intel CPU code

SECRET NO MORE — Hackers can now reverse engineer updates or write their own custom firmware. Dan Goodin - Oct 28, 2020 8:20 pm UTC Researchers have extracted the secret key that encrypts updates to an assortment of Intel CPUs, a feat that could have wide-ranging consequences for the way the chips are used and,…

How a tiny bit of lacquer grounded brand name-new Falcon 9 rockets for a month

Sweating the details — "Rocketry is tough and requires a lot of attention to detail." Eric Berger - Oct 28, 2020 9:55 pm UTC Enlarge / Nine Merlin engines power the first stage of a Falcon 9 rocket. NASA and SpaceX confirmed on Wednesday that they are targeting November 14 for the launch of the…

Leave a Reply