In order to address security concerns, such as password spray attacks, Microsoft has announced it will end Basic Authentication support on Oct. 13, 2020 for certain protocols. From a risk assessment perspective, the services slated to be blocked as of March 2020 are ActiveSync, POP, IMAP, EWS, and Remote PowerShell.
If you have not already addressed these security issues, you should shift your Office 365 protocols to “Modern Authentication,” which enables Active Directory Authentication Library (ADAL)-based sign-in for Office client applications and supports features such as multi-factor authentication.
From an Outlook perspective, these are the versions that support ADAL:
- Outlook 2016
  - Modern Authentication support? Yes
  - Requires EnableADAL reg key? No
- Outlook 2013
  - Modern Authentication support? Yes
  - Requires EnableADAL reg key? Yes
- Outlook 2010
  - Modern Authentication support? No
  - Requires EnableADAL reg key? Not applicable
This shift in timelines will be a pain point for organizations using Outlook 2010 because there is no patch or upgrade available to make it compatible with Modern Authentication. Because Outlook 2010 users and legacy Mac clients rely on Exchange Web Services (EWS), your team needs to prioritize updating them before the October deadline.
Another thing to note is that for instances created before August 1, 2017, Modern Authentication is turned off by default for Exchange Online and Skype for Business Online. If your instance is one of these, enable Modern Authentication before transitioning the account. For Exchange Online, this is done by running:
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
Get-OrganizationConfig | Format-Table Name,OAuth* -Auto   # confirm the change
For Outlook 2013, Modern Authentication is not turned on by default.
- Modern Authentication can be enabled through the registry. Set each of the following DWORD values to 1:
  - HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL
  - HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version
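The following PowerShell is an added example, not part of the original article: it sets the two Outlook 2013 registry values listed above for the current user and reads them back to confirm the result. The function name `Enable-Outlook2013ModernAuth` is hypothetical; the key path and value names are the ones given above.

```powershell
# Added example: enable ADAL for Outlook 2013 (current user) and verify the result.
# The function name is hypothetical; key path and value names come from the article.
function Enable-Outlook2013ModernAuth {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$KeyPath = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'
    )

    $valueNames = 'EnableADAL', 'Version'

    # The Identity key may be missing on a profile where Office has never signed in.
    if (-not (Test-Path -Path $KeyPath)) {
        if ($PSCmdlet.ShouldProcess($KeyPath, 'Create registry key')) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
    }

    foreach ($name in $valueNames) {
        if ($PSCmdlet.ShouldProcess("$KeyPath\$name", 'Set DWORD to 1')) {
            # -Force creates the value or overwrites an existing one (including a wrong type).
            New-ItemProperty -Path $KeyPath -Name $name -PropertyType DWord -Value 1 -Force |
                Out-Null
        }
    }

    # Read the values back so the report reflects what is actually in the registry.
    foreach ($name in $valueNames) {
        $current = $null
        if (Test-Path -Path $KeyPath) {
            $current = (Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue).$name
        }
        [pscustomobject]@{
            Name    = $name
            Value   = $current
            Enabled = ($current -eq 1)
        }
    }
}

# Preview the changes and report the current state; rerun without -WhatIf to apply.
Enable-Outlook2013ModernAuth -WhatIf
```

Because the values live under HKCU, the function has to run in each user's own session (for example from a logon script) rather than once per machine.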
For those looking to Azure AD to report on clients still using Basic Authentication, you can navigate to the Azure AD Admin center, choose “Sign-Ins,” and add the column for “Client app.” That column lets you filter on “Other clients.”
To see the full sign-in activity report, your instance must have an Azure AD Premium license associated with it. After you upgrade to a Premium license, it takes a few days for the data to show up in the reports, with no reporting on data activities before the upgrade. Some companies may consider a short-term investment in Azure AD as a vehicle to properly report and determine the logistics of getting compliant.
In summary, for the sake of security, Microsoft is adjusting its time frame for ending support for Basic Authentication, which means Office 365 customers must prepare for Modern Authentication if they have not done so already. This change includes Outlook clients on mobile devices. Realistically, this preparation will require an inventory, and perhaps licensing of Azure AD, to properly determine where your company sits.
For further questions and information on how to address these authentication considerations, you can always reach out to our team. We will be happy to provide a thorough risk assessment of your instances.