End-of-Life Basic Authentication: What You Need to Know

Microsoft will permanently disable Basic Authentication on all Microsoft 365 tenants, with the exception of SMTP Auth, as of October 1st of this year. Basic authentication is a rarely used authentication technique that has greater security risks than its current use cases.

How does basic authentication work? 

To put it simply, it is a legacy authentication system that is required for app and service login. The major flaw is that basic authentication lacks security because it does not enable two-factor authentication. Thus making it considerably more vulnerable to stolen passwords. 

One of the best things you can do to improve the security of your company is to disable basic authentication. The Security Defaults feature, which by default disables basic authentication out of the box, is activated for tenants who have been set up within the last year or so.

How can I tell whether I'm utilising it? 

If you have recently set up your Microsoft 365 and did not make changes to any security options, or if multi-factor authentication (MFA) has been implemented throughout your organisation, then basic authentication being turned off is probably not going to be a problem for you.

Even if you don't use MFA, modern apps and services by default employ more sophisticated and secure protocols like Modern Authentication. In reality, it is likely that this change will not have a significant effect unless you configure or rely on basic authentication for devices or services. 

Pro Tip: To check if you employ basic authentication, go to the sign-in logs in Azure and look for any sign-ins that uses basic (Legacy) authentication.

Basic Authentication will gradually be turned off in tenants that are not using it by Microsoft as October approaches. Administrators should have received an email from Microsoft alerting them of its usage and letting them know whether it will be turned off before October. 

What if Basic Authentication is required? 

Although it's unclear that Microsoft will permit any extensions to maintain basic authentication after October, if it was unexpectedly turned off in your tenant and you still require it, you can choose to opt out and turn it back on. Microsoft provided instructions on how to accomplish this in an update that explained the rationale behind the move, as well as a FAQ for frequently asked questions. 

What Next? 

It is important to note that not everyone will immediately experience the switch-off on the 1st of October.

Tenants will be chosen at random and given a seven-day notice of the move, but the entire procedure is anticipated to be finished by the end of 2022. 

It's crucial to be ready by October 1st because you cannot request that your tenant be moved back due to the randomised selection.