Security News > 2022 > September > Microsoft will disable Exchange Online basic auth next month
Microsoft warned customers today that it will finally disable basic authentication in random tenants worldwide to improve Exchange Online security starting October 1, 2022.
"Since our first announcement nearly three years ago, we've seen millions of users move away from basic auth, and we've disabled it in millions of tenants to proactively protect them. We're not done yet though, and unfortunately usage isn't yet at zero. Despite that, we will start to turn off basic auth for several protocols for tenants not previously disabled," the Exchange Team said today.
"Starting October 1st, we will start to randomly select tenants and disable basic authentication access for MAPI, RPC, Offline Address Book, Exchange Web Services, POP, IMAP, Exchange ActiveSync, and Remote PowerShell."
The protocols "Will be disabled for basic auth use permanently" during the first week of January 2023, with no way of using basic auth again.
Until now, Microsoft says it has already disabled basic auth in millions of tenants that weren't using it and is also toggling off unused protocols within tenants still using it to protect them from attacks exploiting this insecure auth scheme.
You can find more info on preparing for October's forced basic authentication deprecation and the best way to disable basic auth beforehand in the blog post The Exchange Team published today.
News URL
Related news
- Germany warns of 17K vulnerable Microsoft Exchange servers exposed online (source)
- Microsoft slammed for lax security that led to China's cyber-raid on Exchange Online (source)
- Microsoft slammed for lax security that led to China's cyber-raid on Exchange Online (source)
- Microsoft will limit Exchange Online bulk emails to fight spam (source)
- Microsoft fixes Outlook clients not syncing over Exchange ActiveSync (source)
- 17,000+ Microsoft Exchange servers in Germany are vulnerable to attack, BSI warns (source)
- These 17,000 unpatched Microsoft Exchange servers are a ticking time bomb (source)
- Microsoft still unsure how hackers stole MSA key in 2023 Exchange attack (source)
- US Cyber Safety Review Board on the 2023 Microsoft Exchange Hack (source)
- Microsoft releases Exchange hotfixes for security update issues (source)