It’s Time for Microsoft Basic Authentication to Go—and Here’s Why

Microsoft is turning off Basic Authentication in Microsoft tenants on October 1.Here’s what you need to know.

Basic or Legacy Authentication in Exchange Online is the common point for an attacker trying to break into Microsoft tenants. Attackers will use Brute Force or Password Spray attacks to “guess” your users passwords. Once they get in, the real damage begins.  

Many will say that they are using Conditional Access Polices and Multi-Factor Authentication to block these attacks—and those can be effective. The problem is that those policies only come in to play once the attacker has successfully compromised the password. The attacker can then use the credentials in areas other than email. The goal here? Stop the attacker before that happens.

To help with this, Microsoft is turning off Basic Authentication in Microsoft tenants on October 1, 2022. When that happens, no connections using Basic Authentication will be successful.  

How to prepare for the end of Basic Authentication

To prepare, businesses must identify existing client logons using Basic Authentication clients and update them to clients that use Modern Authentication. You can do this by monitoring the sign-in logs in Azure Active Directory for any Client Apps that use Basic Authentication.

The best thing businesses can do right now is to eliminate Basic Authentication using Authentication Policies. This allows you to block Basic Authentication for various services while giving you a chance to find and fix any clients that are still using Basic Authentication. These policies can be applied to some or all users.

Why are these steps important?

Completing these basic steps will help you avoid getting caught with a broken application, or with users that can’t log in when Microsoft turns off Basic Authentication.   Plus, if you are using the Risky User or Risky Sign-in conditions for your Conditional Access polices, the noise generated by these brute force attacks will produce false positives for your users. Once Basic Authentication is blocked, these attempts are no longer logged in Azure AD as they never get that far.

Here are four steps you should take today

1) Ensure your users are using clients that support Modern Authentication:

  • Outlook 2016 for Mac or higher
  • Outlook 2013 and higher
  • Outlook on iOS and Android
  • Mail app for iOS 11.3.1 or higher

2) Monitor the Azure AD Sign-in logs

Do this for client apps that use basic authentication, and in particular, successful logins. User clients are easier to remedy. It’s applications and devices that typically require more effort.

3) Create Authentication Polices

These new policies should block Legacy Authentication, and should apply to all users if possible. Create specific policies for exemptions.

4) If appropriate, consider adding Risky User and/or Risky Sign-in conditions to your Conditional Access Policies.

For questions or assistance preparing for the end of Basic Authentication, reach out to your IX Solutions account executive or contact our team at  

Get Help with These Changes< Back to all posts