Getting ready for the end of Basic Authentication in Exchange Web Services

Prepare your applications and users for big changes on 13 October 2020.


It's less than a year until Microsoft turns off Basic Authentication for its Exchange Web Services (EWS). While new apps like Office 365 Pro Plus use modern authentication techniques, if you're using Office 365 with older clients or custom applications, it's an update that will require changes to what applications you use and possibly rewriting your custom code.

On 13 October 2020, older applications will fail to connect to Office 365 and the separate Exchange Online service. Other Office services will also stop accepting connections from older apps on the same date, although that's not due to changes in the service but to the end of mainstream support for those versions.

Users with Office 365 subscriptions have already been updated to supported versions, so it's only users with home-grown code or with older perpetually licensed versions of Office who will lose access to the cloud. If you're still using on-premises Office servers, like Exchange, you won't lose access, as the new authentication rules only apply to cloud-hosted Office services.

Phasing out Basic Authentication

Phasing out Basic Authentication is, to be honest, a sensible decision. One of the older web authentication protocols, it sends the username and password with every request in what amounts to cleartext (base64 encoding is not encryption) to control access to services. Even with TLS to encrypt the underlying connection, it's still a risky way of controlling access to what can be commercially sensitive data. It's not only the possibility of password interception that makes Basic Authentication a significant risk: Microsoft has seen a rash of password spray attacks on Office 365 that show how easy it is for bad actors to take advantage of old security models.

If you're using a recent version of Office, on Windows or on mobile devices, you won't notice the final switch-off. Your application is already using what Microsoft calls 'modern authentication', using the OAuth 2.0 protocol. Administrators may need to update any PowerShell they're using to the V2 Module of Exchange Online PowerShell, as it uses modern authentication protocols. Microsoft will also be adding OAuth support to IMAP and POP3, so if you prefer to use these protocols you can update mail clients to versions that support OAuth rather than Basic Authentication.

What's at risk?

Where things get more complex is with custom applications that have been written to work with the EWS APIs. Exchange Web Services is used with Exchange Online and, while it's currently operational, it has received only security updates (no new features) since July 2018. It's a SOAP API that gives access to Exchange data, so you can access and send messages, work with calendars, and use address books. Microsoft has been moving its own services and APIs to the Microsoft Graph, a more powerful set of tools that provides access to more than Exchange data and can be used to build cross-platform apps with widely available APIs.

If you've got custom code, you should be moving it to the Microsoft Graph now. There are SDKs for most common platforms and development frameworks, including .NET. These should allow you to modify existing code without too much difficulty, as the methods used to call the Graph are like those you've used with EWS. You also get the benefit of authenticating via OAuth 2.0, with support for more secure authentication tools including multifactor. Existing EWS code will still work, if you change to using OAuth 2.0, but it's not recommended as new features only ship with the Microsoft Graph.

[Image: The SMTP Auth Clients report in the Office 365 Security & Compliance Center's Mail flow dashboard allows you to detect potentially compromised accounts due to the use of legacy -- less secure -- protocols. Image: Microsoft]

Finding applications that need updating

With less than a year to update your applications, it's going to be important to find out what apps are using Basic Authentication in your network. Microsoft has promised a tool to simplify the process, but it's not yet available, so you're going to have to use the tooling built into Office 365 and Azure Active Directory until it's released.

A useful tool for ensuring that your users aren't using older, less secure clients with your Office 365 infrastructure is the Office 365 Security and Compliance tooling. There you'll find the Mail flow dashboard. This includes a pane that lists users who are authenticating to SMTP to send mail, and you can click in to get details of what's being used. These are likely to be either compromised accounts or apps built to use Basic Authentication. You can see the apps that users have used, allowing you to build a list of what needs to be replaced or updated.


However, that only shows one set of applications, and others might be using Basic Authentication to sign in across all the other Office 365 services. Here you can use your Office 365 Azure Active Directory to get a list of all the applications that users are using to sign into your tenant. It's a useful list to get anyway, as it helps you keep control of the apps that are in use in your network.

While the free Azure AD account that comes with Office 365 subscriptions can give you some of the information you need, more complex reports about user sign-ins and the applications that get the most use need a separate P1 or P2 Azure AD subscription. That will also allow you to use PowerShell to get deeper access to the data that you see in the portal, adding your own filters and using tools like Excel to build custom reports on API and application usage.
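As an added example (not from the article), the following PowerShell pulls a week of sign-ins through the AzureADPreview module's Get-AzureADAuditSignInLogs cmdlet, which assumes an Azure AD P1/P2 licence, and summarises which users and applications are still arriving over the legacy protocols that depend on Basic Authentication; the list of client-app names and the property names on the returned objects are assumptions based on what the Azure AD sign-in log exposes.

```powershell
# Added example: summarise legacy-protocol sign-ins from the Azure AD sign-in log.
# Assumes the AzureADPreview module and an Azure AD P1/P2 licence (sign-in log API).
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

# Client-app values Azure AD reports for protocols that still rely on Basic Auth.
$legacyClients = @(
    'Exchange Web Services', 'Exchange ActiveSync', 'IMAP', 'POP',
    'Authenticated SMTP', 'Exchange Online PowerShell', 'MAPI Over HTTP',
    'Outlook Anywhere (RPC over HTTP)', 'Offline Address Book', 'Other clients'
)

# Filter server-side on time only; the client-app match is done locally so the
# script does not depend on which properties the API accepts in $filter.
$since   = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-AzureADAuditSignInLogs -Filter "createdDateTime ge $since" -All $true

$legacy = $signIns | Where-Object { $legacyClients -contains $_.ClientAppUsed }

# One row per (protocol, application, user) with a sign-in count and last-seen time:
# this is the inventory of what must be updated or replaced before the switch-off.
$report = $legacy |
    Group-Object ClientAppUsed, AppDisplayName, UserPrincipalName |
    ForEach-Object {
        [pscustomobject]@{
            Protocol    = $_.Group[0].ClientAppUsed
            Application = $_.Group[0].AppDisplayName
            User        = $_.Group[0].UserPrincipalName
            SignIns     = $_.Count
            LastSeen    = ($_.Group | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime
        }
    } | Sort-Object SignIns -Descending

$report | Format-Table -AutoSize
# Export for the custom reporting the article mentions (Excel, pivot tables, etc.).
$report | Export-Csv -Path .\legacy-auth-signins.csv -NoTypeInformation
```

Accounts that show up only under 'Exchange Web Services' with an unfamiliar application name are the custom EWS integrations to migrate first.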

[Image: Conditional Access policies are enforced after the first-factor authentication has been completed. Image: Microsoft]

An Azure AD subscription also allows you to use tools like Conditional Access policies to manage the applications that access your tenant. Once you've identified an app that uses Basic Authentication, you can block it from EWS and other services to see if it's one that's important enough for users to complain about. Alternatively, if you don't want to use more than the free Azure AD tools bundled with Office 365, you can use PowerShell to turn off Basic Authentication across your tenants and wait to see which apps fail to operate.
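The PowerShell route described above, as an added example that is not the article's own code: it uses the Exchange Online PowerShell V2 module (ExchangeOnlineManagement) to create an Exchange Online authentication policy that refuses Basic Authentication for EWS and the other legacy protocols, pilots it on a few accounts, and then makes it the tenant default. The admin and pilot user addresses are placeholders.

```powershell
# Added example: switch off Basic Authentication with an Exchange Online authentication
# policy. Assumes the ExchangeOnlineManagement (EXO V2) module, which itself signs in
# with modern authentication, and an account with Exchange administrator rights.
Install-Module ExchangeOnlineManagement -Scope CurrentUser -Force
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder admin

$policyName = 'Block Basic Auth'

# New-AuthenticationPolicy disables Basic Auth for every protocol by default; each
# switch is written out so the policy's scope is explicit when someone reviews it.
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName `
        -AllowBasicAuthWebServices:$false `
        -AllowBasicAuthActiveSync:$false `
        -AllowBasicAuthImap:$false `
        -AllowBasicAuthPop:$false `
        -AllowBasicAuthSmtp:$false `
        -AllowBasicAuthPowershell:$false `
        -AllowBasicAuthAutodiscover:$false `
        -AllowBasicAuthMapi:$false `
        -AllowBasicAuthOfflineAddressBook:$false `
        -AllowBasicAuthOutlookService:$false `
        -AllowBasicAuthReportingWebServices:$false `
        -AllowBasicAuthRpc:$false
}

# Pilot first: assign the policy to a handful of users and watch which apps break.
$pilotUsers = 'alice@contoso.example', 'bob@contoso.example'   # placeholder users
foreach ($upn in $pilotUsers) {
    Set-User -Identity $upn -AuthenticationPolicy $policyName
    # A policy change can take up to 24 hours to apply; resetting the token
    # timestamp makes Exchange re-evaluate the user's sessions sooner.
    Set-User -Identity $upn -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)
}

# Once the pilot is clean, make the policy the default for the whole tenant.
# Users with an explicitly assigned policy keep it; everyone else inherits this one.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# Verify what was applied.
Get-AuthenticationPolicy -Identity $policyName | Format-List Name, AllowBasicAuth*
Get-OrganizationConfig | Select-Object DefaultAuthenticationPolicy

Disconnect-ExchangeOnline -Confirm:$false
```

Applications that stop working after the pilot assignment are the ones still on Basic Authentication; fix or replace them before widening the policy to the tenant default.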

Microsoft's shift to a more secure authentication model for EWS makes sense, considering the security risks associated with Basic Authentication. By switching to OAuth 2.0's token-based security model you can restrict access to specific applications, as tokens are tied to the application that requests them. Using Basic Authentication, in today's threat landscape, is at best risky and at worst an invitation to cyberattack. With a deadline looming, moving to modern authentication as quickly as possible isn't only a good idea for keeping users happy, it's one that'll reduce risk and make your systems more secure.
