Businesses that use Microsoft 365 (or Office 365) need to mark October 1st, 2022 on their calendars.  This is the official deadline for Microsoft’s “Deprecation of Basic authentication in Exchange Online”.   While every business should have been taking incremental steps to readiness for this moment, many will be caught off-guard by the change.   We have been working with our clients for the past two years nudging them along, but there is no doubt that many have resisted change and this will have impacts.

Last Chance.

For the companies that have not yet made the necessary transition, the outcome will be clear: impairment of services is guaranteed.  When an organized and proactive effort to manage a known risk has been ignored, the occurrence of that risk is a security incident. Security incidents are costly.  More importantly, with many organizations on the same trajectory, there is a predictable strain on resources coming, and that will affect priority and the ability to return to normal.  The solution is simple: manage this problem now and prioritize it in terms of commitment, training, resources, and budget.  More importantly, today’s cybersecurity culture demands that a company mitigate its risks so as to minimize the impacts on customers and vendors. October 1st will affect both.

First, let’s assess what’s at stake.

For a business with 5 to 30 employees, we estimate that this endeavor, when planned, takes 52 hours to complete, based on internal data, our understanding of the process, and the complexities that come with it.  That’s about $12,000 spread out over 18 months, which is the typical case for many of our clients.  Roughly $700 each month to modernize a Microsoft 365 tenant with:

  • Tenant configuration.
  • Microsoft Azure Active Directory with Conditional Access, Modern MFA, etc.
  • Microsoft Intune (Endpoint Manager) that establishes MDM for the organization.
  • Microsoft Defender because it’s part of a proactive effort to manage cybersecurity risk.
  • Risk assessment of peripheral systems which may be affected by the change.
  • User support to get everyone there.

However, that’s not the big cost.  Planning means that there is minimal user impact, and this means that there is little productivity loss – if any – during incremental improvements.  The same businesses will pay $18,000 in priority security incident handling, receive a smaller subset of services, and the rush will come with downtime, as systems will be impaired.  The lack of an organized and methodical effort to manage this known risk results in countless hours lost in productivity.

The costs are higher because incidents are costly to everyone involved: the organization affected and the vendor providing response.  Mainly, this is because this circumstance is a multi-disciplinary effort and requires multiple skillsets and an array of resources to solve.  When spread over time, process efficiency and scale keep costs low, but when it’s all at once everyone is on deck until the issue is solved.

Second, let’s assess the situation.

To start, we thought it would be helpful to chunk organizations into three buckets: well prepared, somewhat prepared, and ill-prepared. We then picked out a few things that you should recognize and be able to use as a compass for putting your organization in one of the three categories.

Low Risk, no expected issues.

  • Has an active Cybersecurity Management program in place.
  • Switched to Microsoft E3/E5 or Microsoft Business Premium subscriptions in the last 24 months.
  • Has secured the Microsoft 365 account to match current recommendations.
  • Has a Bring Your Own Device or a company device policy established and requires employees to use Microsoft Authenticator for MFA.
  • Users are accustomed to using Microsoft Authenticator to re-authenticate their Outlook.
  • Has switched from native Mail apps on iOS/Android to Outlook for Mobile.
  • Modernized e-mail configurations on scanners, or does not use them.
  • Has had a website e-mail routing evaluated.
  • Users can easily delete and add back accounts to their devices if needed (they know the settings, know their credentials, and know how to use Authenticator)
  • Has MDM in place.

Medium Risk, will have some Mobile Devices, Scanners, and Apps break before October 1st.

  • Has ad hoc information security or IT services and allocated resources to this effort.
  • Switched to Microsoft E3/E5 or Microsoft Business Premium subscriptions in the last 24 months.
  • MFA is in use, and a push to use Microsoft Authenticator was made.
  • Mix of iOS/Android native Mail/Calendar apps and Outlook for Mobile
  • Users can easily delete and add back accounts to their devices if needed (they know the settings, know their credentials, and know how to use Authenticator)
  • Has completed a risk assessment for this purpose.

High Risk, will have issues that require urgent treatment.

  • Has ad hoc information security or IT services and allocated resources to this effort.
  • Uses Office 365 plans or a mix of services.
  • Text based (SMS) MFA is the only thing in use.
  • Still uses native Mail apps on iOS.
  • Users need support to remove and add back accounts to their devices if needed.

Third, let’s break down the October 1st problem.

Most importantly, the deadline is October 1st, but the change has been in the works since 2021.  Microsoft “started to disable Basic authentication for existing tenants with no reported usage.”  The change is called Deprecation and it means they are removing the ability to use Basic authentication in Exchange Online for Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, Exchange Web Services (EWS), Offline Address Book (OAB), and Outlook for Windows and Mac. Basic authentication simply means the application sends a username and password with every request, and those credentials are also often stored or saved on the device.  Basic authentication is an outdated industry standard.

Basic Authentication is a component of a more complicated machine within Microsoft 365, and we feel the documentation presented by Microsoft fails to properly describe the relationships between services, authentication types, and ultimately the impacts on users.  Instead, we put together our own Crash Course to Basic Authentication Deprecation. The reason this exists is to educate leaders in our client organizations on the complexity of all this, and to help them make a case to allocate resources, time, and process to improvement efforts.

Crash Course to Basic Authentication Deprecation.

  1. Basic Auth is being turned off at the tenant level.  The first problem surfaces if an M365 tenant is still using Basic Auth: the moment the switch is flipped, things will break.
  2. Modern Auth was our standard for a long time.  It is also enforced on all new tenants.
  3. Basic Auth lets you use an App Specific Password to bypass MFA, so if you enable MFA on your account you can still use an App Specific Password to sync.
    1. This means you must be working with Legacy MFA because it all changes with Modern MFA.
    2. Independent of authentication, services such as Outlook Web Access, IMAP, POP3, Exchange ActiveSync, Outlook Desktop, etc. can be configured and controlled for access at the tenant, group, and user levels.  With Microsoft’s move to Zero Trust, having full authority over all the various layers is critical and falls under a discipline called Change Management.  This requires infrequent but well-developed oversight.
  4. Mobile Devices and Apps that are involved in the switch may not be affected at all, or may be affected at various stages depending on configuration:
      1. Immediately.
      2. Minutes to 48 hours from the change due to propagation
      3. When a user makes a change to their M365 account
      4. When a user makes a change to their device
      5. When a re-auth policy kicks in
      6. When the user swaps devices
  5. Blocking Basic Auth stops some EAS devices (and possibly other things).
    1. Only some, because some devices may already be using Modern Auth by some means.
  6. A Modern Authentication account may use Legacy MFA as far as we can tell, but it is somewhat moot, as Legacy MFA goes away as part of the process.
  7. Legacy MFA is identified by SMS codes, but that is not totally true.  Microsoft added Modern SMS Preview to the mix this year which opens more opportunity for confusion. We assume that SMS means Legacy MFA for sake of operations.
  8. Mobile devices for Mail Calendar and Contacts use a variety of authentication modes including:
    1. Basic Auth User and Password without MFA support
    2. Basic Auth User and App Specific Password
    3. Modern Auth (OAUTH 2.0) Sign In with MFA support
    4. Certificate Authentication
  9. Mobile Devices may be configured by the individual user, or may also be configured via Mobile Device Management. MDM enables the continued use of older things for an extended period of time as it offers some degree of control.  It is used to expedite the transition, and sometimes as a crutch to preserve old ways of doing things.
  10. A Mobile iOS Device in any of these conditions will likely be affected by changes that involve the following three cases, and will require deletion and re-addition of the EAS account.
    1. Basic to Modern Auth change on the tenant
    2. Legacy MFA to Modern MFA Auth change on the account
    3. Modern Auth with Legacy MFA to Modern MFA change
  11. Sign-in logs group entries under the Legacy Authentication Clients string when filtering by Client App, which implies Basic Auth but leaves the door open for other things. This is used as a precursor to designing a Conditional Access policy.
  12. Conditional Access is used to block Exchange ActiveSync clients or Other clients, both grouped under Legacy Authentication Clients, which is very confusing lingo.  This should be established soon to block Basic Auth.
  13. Modern Auth offers an OAuth 2.0 sign-in for Mail on iOS (and really any other modern mail app), so continued use of Exchange ActiveSync (EAS) is possible.
  14. Block Legacy Authentication Clients in Azure means setting up a Conditional Access policy (actually two policies) that controls usage of Basic Auth / Legacy Auth.  It does not stop the Services.
  15. A modern device, with all updates, that has a Microsoft 365 account deleted and added back in and authenticates using OAuth 2.0 will continue to work on EAS as long as all conditions above have been satisfied and the tenant is configured properly for this scenario.  This means tenant authentication is modernized, users are moved to Modern MFA, services are configured for their respective use, and so on.
  16. Finally, this is not just about EAS.  This change is designed to affect IMAP, SMTP, POP and other protocols. This means that you will need to oversee, manage, and address configurations in a variety of scenarios that are likely to cause major pain points but go unnoticed, as users affected by the change will create enough noise to mask issues found in:
    1. Websites using your mailboxes to send mail
    2. Scanners/Copiers using Scan to Email functionality
    3. Transactional email systems
    4. Lead generation and prospecting tools
    5. CRM

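As an added example (not part of the original post), the following Microsoft Graph PowerShell session does the precursor check from point 11 and then creates, in report-only mode, the Conditional Access policy from points 12 and 14. It assumes the Microsoft Graph PowerShell SDK is installed; the emergency-access account object id is a placeholder.

```powershell
# Added example, not from the original post. Assumes the Microsoft Graph
# PowerShell SDK and an admin with AuditLog.Read.All and
# Policy.ReadWrite.ConditionalAccess permissions.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Step 1 (point 11): precursor check. Pull a week of sign-ins and count the
# ones whose client app is a legacy protocol, per user, so you know which
# users and devices will break before the policy is enforced.
$since   = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Client app names as shown in the Azure AD sign-in log "Client app" column.
$legacyApps = @("Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP",
                "Exchange Web Services", "Offline Address Book", "Other clients")

$signIns |
    Where-Object { $legacyApps -contains $_.ClientAppUsed } |
    Group-Object ClientAppUsed, UserPrincipalName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Step 2 (points 12 and 14): block the "Legacy Authentication Clients"
# (exchangeActiveSync and other) for all users and all cloud apps. Start in
# report-only mode, review the "Report-only" results in the sign-in logs,
# then switch state to "enabled". The excluded account is a placeholder.
$breakGlassId = "<object-id-of-emergency-access-account>"   # placeholder

$policy = @{
    displayName   = "Block legacy authentication clients (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        clientAppTypes = @("exchangeActiveSync", "other")
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)
        }
        applications   = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

As the post notes in point 14, this policy only controls authentication; the IMAP, POP and EAS services themselves still need to be disabled per mailbox or at the tenant level separately.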
Summary?

An organized and proactive effort to manage cybersecurity risk will undeniably include optimizing and modernizing Microsoft 365 and bring an organization to systemic compliance naturally. Failure to do so will result in service impairment and an urgent remediation which is costly in both services and in productivity.