On the 17th October 2018 Microsoft announced that they were finally releasing the ability to disable basic authentication for Exchange Online users. This was also announced in the Office 365 Roadmap, which can be found here. Basic authentication only asks users for their username and password, so disabling it can provide extra security against brute force attacks. Once it is disabled, all users will be forced to use modern authentication such as MFA. As this feature isn’t perfected yet, Microsoft have identified three points they would like to warn users about:

  • There is a lack of clarity about how many users are still using basic auth and, once a block is enabled, how much it is blocking and how well it is working.
  • The policy change can take up to 24 hours to apply, so if you were under a brute force attack and wanted to get the feature to your users quickly, you would have to use the command line for each user to force the policy to apply instantly.
  • This feature will not work if users aren’t also replicated into Azure AD.
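The per-user command line step from the second warning, as an added PowerShell example (not code from Microsoft or from the original post). It assumes an Exchange Online PowerShell session is already connected; the policy name and the user addresses are constructed placeholders.

```powershell
# Added example. Assumes an Exchange Online PowerShell session is already connected.
$PolicyName = 'Block Basic Auth'                       # placeholder policy name
$Users = @('alice@contoso.example',                    # constructed sample identities
           'bob@contoso.example')

# A policy created without any AllowBasicAuth* switches blocks basic
# authentication for every client protocol.
$existing = Get-AuthenticationPolicy | Where-Object { $_.Name -eq $PolicyName }
if (-not $existing) {
    New-AuthenticationPolicy -Name $PolicyName | Out-Null
}

$stamp = [System.DateTime]::UtcNow
$results = foreach ($upn in $Users) {
    try {
        # Assign the blocking policy to the user.
        Set-User -Identity $upn -AuthenticationPolicy $PolicyName -ErrorAction Stop
        # Invalidate the user's cached tokens so the policy takes effect
        # right away instead of within the 24-hour window.
        Set-User -Identity $upn -STSRefreshTokensValidFrom $stamp -ErrorAction Stop
        [pscustomobject]@{ User = $upn; Applied = $true; Error = $null }
    }
    catch {
        # A failed user is recorded and the loop continues with the rest.
        [pscustomobject]@{ User = $upn; Applied = $false; Error = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize

# Coverage check: users that still have no authentication policy assigned.
# This shows where the block is not in place, not who actually signs in
# with basic authentication.
Get-User -ResultSize Unlimited |
    Where-Object { -not $_.AuthenticationPolicy } |
    Select-Object UserPrincipalName, RecipientTypeDetails
```

Users listed by the final query fall back to the organization's default authentication policy, if one is set.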

The reason this feature has been held back is that Microsoft had concerns that tenant admins could misconfigure something, which would leave the company improperly protected and vulnerable. However, due to the recent increase in cyber attacks, Microsoft have now decided they’d rather get the feature rolled out to everyone and make sure admins read this guide before disabling basic authentication fully.