As of October 1st of this year, Microsoft will be permanently switching off Basic Authentication on all Microsoft 365 tenants, with the exception of SMTP Auth. Basic Auth is a rarely used method of authentication that poses more security risks than use cases in the present day.
What is Basic Authentication?
To put it simply, it’s an old authentication protocol used when signing into apps and services. Its biggest pitfall is its lack of security as it doesn’t support multi-factor authentication, meaning compromised credentials or brute force attacks pose a much greater risk. Disabling Basic Auth is one of the best things you can do to enhance the security of your organisation. Tenants set up within the last year or so will have Security Defaults enabled by default, which has Basic Authentication blocked out of the box.
How do I know if I'm using it?
If you set up your Microsoft 365 tenant recently and didn’t play with any of the security settings, or if multi-factor authentication has been rolled out across your organisation, then Basic Authentication being switched off most likely will not cause you an issue. Nowadays, apps and services use more advanced and secure protocols such as Modern Authentication by default, even if you don’t use MFA. In fact, chances are that unless you explicitly set up or rely on Basic Authentication for devices or services, this change shouldn’t make a noticeable impact.
For a more granular look at whether you use Basic Authentication, you can check the sign-in logs in Azure and look for any sign-ins which use Basic (Legacy) Auth. As we draw closer to October, Microsoft will begin slowly switching off Basic Authentication in tenants that aren’t using it, and Admins should receive an email from Microsoft, if they haven’t already, informing them of its usage and as to whether it will be switched off prior to October.
What if I need Basic Authentication?
It’s unlikely Microsoft will allow any extensions to keep Basic Auth enabled after October, however if it has been prematurely disabled in your tenant and you still need it, you can choose to opt out and re-enable it. In an update explaining the background behind this change, Microsoft included instructions as to how you can do this, as well as an FAQ for common questions.
What's next?
The switch-off won't be immediate for everyone on October 1st. Tenant's will be randomly selected and provided with a 7 day warning of the switch, however the whole process is expected to be completed by the end of 2022. Please note that because of the randomised selection, you cannot request your tenant to be moved back, so it's important to be prepared by October 1st.