Basic authentication report Archives - Office 365 Reports

Deprecation of Basic Authentication in Exchange Online
https://o365reports.com/2019/09/25/basic-authentication-exchange-online/
Published: Wed, 25 Sep 2019 12:23:45 +0000

Recently, Microsoft announced a significant update: “Basic Authentication retirement for legacy protocols in Exchange Online.”
 

Sept 2021 Update: Microsoft has resumed the basic authentication retirement program

Today, Microsoft announced that they are restarting the program to end the use of Basic Auth in Exchange Online. Beginning October 1, 2022, Microsoft will begin to disable Basic Auth in all tenants, regardless of usage.

 

In short, Basic Authentication will no longer work for the following protocols when accessing Exchange Online:

  • EWS (Exchange Web Services) 
  • EAS (Exchange ActiveSync) 
  • IMAP4 
  • POP3 
  • RPS (Remote PowerShell) 

 

This blog will help you understand what Basic Authentication is, how it differs from Modern Authentication, and how the Basic Auth deprecation will affect your organization. It mainly focuses on the following:

  1. Basic Auth deprecation – How to prepare for this change
  2. Download Office 365 Basic Authentication report

 

Basic Authentication in Exchange Online:

Microsoft plans to end Basic Authentication in Exchange Online starting Oct 01, 2022.

Most client apps use Basic Authentication to connect to servers, services, and endpoints because it is simple to set up. Basic Authentication in Exchange Online sends the username and password with every client access request.

The trouble with Basic Authentication is that it is easily compromised through brute-force or password spray attacks. To protect our environment from this threat, we need to move to a better option.

 

No more Basic Authentication in Exchange Online – How does this affect me?

From Oct. 01, 2022, client apps that use any of the above-mentioned legacy protocols won’t be able to connect to Exchange Online using Basic Authentication.

End of Basic Authentication in Exchange Online

 

Beginning in early 2022, Microsoft will roll out the changes to support basic authentication deprecation. As part of this, Microsoft will select tenants and disable basic auth for all affected protocols except SMTP AUTH for 12-48 hours. During this time, all clients and apps that use basic auth in that tenant will be affected and will be unable to connect. Tenant admins can manually re-enable basic auth using the self-service tool. If they do not, those protocols will be re-enabled automatically after the specified period.

 

Stay informed with Upcoming Microsoft 365 changes and end-of-support milestones.

 

Alternative to Basic Authentication – Switch to Modern Authentication:

The best solution is to move to Modern Authentication. Modern Authentication is based on the Active Directory Authentication Library (ADAL) and OAuth 2.0 tokens.

Modern Authentication (which is OAuth 2.0 token-based auth) has many benefits that help to overcome the issues present in Basic Auth. OAuth tokens have a limited usable lifetime and are specific to the applications they are issued for, so they can’t be reused. Exchange Online Modern Authentication is a more secure and reliable way to authenticate than Basic Auth.

What do I need to do to Prepare for this Change?

There are several actions that you and your users can take to avoid service disruptions on client applications, and we describe them below. 

  • You can start updating the client applications your users are using to versions that support OAuth 2.0.
  • If you have written your own code using protocols with Basic Authentication, you will need to update your code to use OAuth 2.0.
  • If you are using a 3rd party application, you need to either reach out to the 3rd party app developer to update the application to support OAuth 2.0 or switch to an application that supports OAuth 2.0.
  • RPS: Connect to Exchange Online PowerShell without Basic Authentication – Are you a tenant administrator who spends a lot of time in Remote PowerShell to access Exchange Online? You can use the Exchange Online PowerShell V2 module, which supports modern auth.
  • Unattended script: To connect to Exchange Online with unattended authentication, you can use the EXO V2 module (2.0.3 preview or later).
  • Exchange ActiveSync: If your organization is still using Exchange ActiveSync, you can use Outlook Mobile clients to connect to Exchange Online.
  • IMAP/POP: Microsoft is planning to add OAuth support to both IMAP and POP in a few months. If you want to keep using these protocols, you will need to update the app to one that supports Modern Auth.

Note: 

  • This change does not impact SMTP AUTH – Microsoft continues supporting Basic Auth for the time being. April 2024 Update: The exception is no more! Recognizing the critical importance of strengthening security measures, Microsoft announced the deprecation of SMTP auth by September 2025.
  • This change doesn’t affect Exchange Server on-premises products.

How to Discover Basic Auth Connections – Office 365 Basic Authentication Report

As a tenant admin, you probably have the question: how do I know who is using Basic Authentication in my tenant? Microsoft has answered it. Microsoft has updated the Azure AD sign-in report to list the users and client applications that use basic authentication to connect to Exchange Online.

 

 

Export Office 365 Basic Authentication Report: 

The improved Azure sign-in report helps you get a list of users who use legacy authentication to connect to Exchange Online. Follow the steps below to generate the Office 365 legacy authentication report.

Step 1: Go to the Azure Sign-in report in the Microsoft Azure portal. The sign-in report shows sign-in activity in the tenant, including date, time, user IP address, and login location.

 

 

Step 2: Add the ‘Client app’ column to the report (Client app is not displayed by default). The ‘Client app’ column shows the protocols used by the user to connect to Office 365.


 

Step 3: To view the O365 basic authentication report, click ‘Add filters’ and then select ‘Client app’. Apply the changes. Now use the ‘Client app’ filter to choose legacy authentication clients such as Exchange ActiveSync, Exchange Online PowerShell, IMAP4, POP3, etc.


 

After applying a filter, you can view the connections/sign-ins that meet your criteria, i.e., users who connect using basic authentication.


Note: To generate all basic authentication connections, select everything in the ‘Client app’ except Browser and Mobile Apps & Desktop Clients. 

 

To open the details pane, click any line. The details pane contains basic info, location, device info, authentication details, conditional access, etc.


 

The basic authentication report can be downloaded as a CSV or JSON file. You can use this Exchange Online basic authentication report to find users who use basic authentication to connect to Exchange Online and take the necessary steps to adopt modern authentication.
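
The ‘Client app’ filter from the steps above can also be applied offline to the downloaded JSON file. The following Python script is an added example, not code from the original post or from Microsoft; it assumes the export uses the Microsoft Graph signIn field names (userPrincipalName, clientAppUsed, createdDateTime, status.errorCode), and its sample records are constructed.

```python
import json
from collections import defaultdict

# Per the note above: every 'Client app' value other than these two is legacy auth.
MODERN_CLIENT_APPS = {"browser", "mobile apps and desktop clients"}

# Constructed sample records (timestamp, user, client app, errorCode; 0 = success).
SAMPLE_ROWS = [
    ("2022-03-01T08:15:00Z", "alice@contoso.example", "IMAP4", 0),
    ("2022-03-02T09:00:00Z", "Alice@contoso.example", "IMAP4", 50126),
    ("2022-03-02T09:05:00Z", "bob@contoso.example", "Mobile Apps and Desktop clients", 0),
    ("2022-03-02T10:30:00Z", "carol@contoso.example", "Exchange ActiveSync", 0),
    ("2022-03-02T11:00:00Z", "eve@contoso.example", "POP3", 50126),
    ("2022-03-02T11:30:00Z", "dave@contoso.example", "", 0),
]
SAMPLE_EXPORT = json.dumps([  # field names are an assumption (Graph signIn schema)
    {"createdDateTime": t, "userPrincipalName": u, "clientAppUsed": a, "status": {"errorCode": c}}
    for t, u, a, c in SAMPLE_ROWS])

def normalize(client_app):
    """Lower-case, collapse whitespace and read '&' as 'and'."""
    return " ".join((client_app or "").replace("&", " and ").lower().split())

def legacy_signins(export_text):
    """Return (summary, unknown). summary maps (user, client app) to success and
    failure counts plus the latest timestamp; unknown counts empty client apps."""
    summary = defaultdict(lambda: {"success": 0, "failure": 0, "last_seen": ""})
    unknown = 0
    for rec in json.loads(export_text):
        app = (rec.get("clientAppUsed") or "").strip()
        if not app:
            unknown += 1  # reported separately rather than guessed at
            continue
        if normalize(app) in MODERN_CLIENT_APPS:
            continue
        entry = summary[((rec.get("userPrincipalName") or "").lower(), app)]
        succeeded = (rec.get("status") or {}).get("errorCode") == 0
        entry["success" if succeeded else "failure"] += 1
        # Same-format ISO 8601 UTC timestamps sort correctly as strings.
        entry["last_seen"] = max(entry["last_seen"], rec.get("createdDateTime") or "")
    return dict(summary), unknown

def users_to_migrate(summary):
    """Users with a successful legacy sign-in, i.e. a working basic auth client."""
    return sorted({user for (user, _), e in summary.items() if e["success"]})

if __name__ == "__main__":
    summary, unknown = legacy_signins(SAMPLE_EXPORT)
    for (user, app), e in sorted(summary.items()):
        print(f"{user:24} {app:20} ok={e['success']} failed={e['failure']} last={e['last_seen']}")
    print("migrate:", users_to_migrate(summary), "| no client app:", unknown)
```

Accounts that appear only with failed sign-ins (eve in the sample) have no working basic auth client, so they are listed in the summary but not in the migration list.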

 

Basic Auth Deprecation – Update History:

  • Feb 2020 Update: Microsoft has updated the Azure AD sign-in report to list the users and client applications that use basic authentication to connect to Exchange Online.

Note: To access the Azure sign-in report, you need to have an Azure AD Premium license. I can hear you scream! Don’t worry. Microsoft is planning to make this report available for all. We can expect the update soon.

  • Mar 12, 2020 Update: Azure sign-in report now available to all.
  • April 2020 Update: Microsoft postponed disabling basic authentication in Exchange Online to 2021

Due to the COVID-19 crisis, Microsoft postponed disabling basic authentication in Exchange Online to the second half of 2021 for tenants that use basic authentication.

For newly created tenants, basic authentication is disabled by default, and basic authentication will be disabled if the tenant has no recorded usage from Oct 2020. Because Microsoft wants to improve security, it will continue to roll out OAuth support for POP, IMAP, SMTP Auth, and Remote PowerShell.

  • Sept 2021: Microsoft retires basic auth in Exchange Online from Oct 2022.

 

Conclusion:

Changing from Basic Authentication to Modern Authentication will cause some disruption and is more challenging. But together, we need to plan for this change to protect our data. 

Are you ready for the change? Which method are you going to implement in your organization? Please share your experience/difficulties during Modern Authentication adoption in the comment section to assist other admins. 

 

Office 365 TLS Deprecation Report – Preparing for TLS 1.2 Migration
https://o365reports.com/2019/02/15/preparing-for-tls-1-2-migration-in-office-365/
Published: Fri, 15 Feb 2019 12:37:52 +0000

Recently, Microsoft announced a significant update: “We’re retiring 3DES (Triple Data Encryption Standard) in Office 365”.

The 3DES cipher is mostly used in TLS/SSL to encrypt HTTPS and SSH traffic. Since 2016, it has been marked as vulnerable due to the SWEET32 attack (attackers recovered small portions of plaintext encrypted with 3DES), and its complete deprecation is planned before 2023. To protect data, Microsoft made changes to its TLS service.

Before moving on to how to plan for 3DES removal, let’s look at TLS and how 3DES removal impacts it.

 

What is TLS?

Transport Layer Security (TLS) is a cryptographic protocol that provides secure communication over a network. For example, websites use TLS to secure all communications between their servers and browsers/clients. Four versions of the TLS protocol are in use today: TLS 1.0, 1.1, 1.2, and 1.3.

 

Why is Office 365 moving to TLS 1.2?

Microsoft is planning to move all of its online services to TLS 1.2 or a later version to provide best-in-class encryption to its customers. As of February 28, 2019, Microsoft will begin retiring 3DES. As a result, if your connections are currently using a 3DES cipher suite, they will fail when 3DES cipher suites are disabled. TLS versions 1.0 and 1.1 include cipher suites based on the 3DES algorithm. Office 365 will retire TLS 1.0 and 1.1 starting June 1st, 2020 in Worldwide and GCC Environments. So, all client-server and browser-server combinations must use TLS 1.2 or later to maintain a connection to Office 365 services.

 


 

How does this affect me?

Office 365 has stopped supporting TLS 1.0 and 1.1. Hence, Microsoft will not fix new issues that are found when connecting to Office 365 using TLS 1.0/1.1. To ensure uninterrupted access to Office 365 services, you need to update TLS to 1.2 or a later version. If you want a list of users who use TLS 1.0/1.1, you can make use of Microsoft’s TLS deprecation report.

July 2020 Update: Microsoft has announced TLS 1.0 and 1.1 deprecation in Office 365 to be October 15, 2020.

Due to the Corona pandemic, Microsoft had temporarily halted deprecation enforcement of TLS 1.0 and 1.1. Now, Microsoft has announced an update regarding TLS 1.0 and 1.1 deprecation.

 

Office 365 TLS Deprecation Report:

To ease your work, Microsoft has provided a new report to track users, devices, or applications that use TLS 1.0/1.1 or 3DES. You need to be a tenant administrator to generate a TLS deprecation report. The report gives the following information:

  • Usernames/IP addresses of the users/devices connecting to Exchange using TLS 1.0/1.1 or 3DES
  • Protocol/cipher used for the connection – this will either be TLS 1.0/1.1 or 3DES
  • The user agent string that is being used for this connection – this gives information about the type of device used for the connection

To download the TLS deprecation report directly, you can use Microsoft’s quick link: https://servicetrust.microsoft.com/AdminPage/TlsDeprecationReport/Download.

Alternatively, to download the TLS deprecation report through Microsoft secure score portal, follow the below steps.

Step 1: Log in to Microsoft’s secure score: https://securescore.office.com and click on “Score Analyzer”.


Step 2: Scroll down to ‘All Actions’. Search for “Remove TLS 1.0/1.1 and 3DES Dependencies” in Completed actions/Incomplete Actions. If you scored 5/5, you have already moved to TLS 1.2. Otherwise, you need to plan for a migration.


Step 3: Click on the ‘Learn more’ button to get details on who is connecting using TLS 1.0/1.1 or 3DES. It will launch a flyout where you can click on ‘Launch now’.

 


Step 4: ‘Launch Now’ will take you to the Service Trust Portal (http://servicetrust.microsoft.com). Log in and then click ‘Download’ to get TLS-Deprecation-Report.csv. Alternatively, you can use the quick link to download the Office 365 TLS deprecation report.


Step 5: If you have users or devices listed under TLS1.0/1.1, start planning for an upgrade.

TLS 1.0 1.1 and 3DES Usage Report

The TLS deprecation report is refreshed daily. If you have made any changes and updated any clients/devices, you need to wait 24 hours to see the change in the report.

As already mentioned, you can get a TLS usage report using the TLS deprecation report. If you need a more detailed TLS usage report for SMTP in Exchange Online, you can use the TLS usage report from the Security & Compliance Center.

 

TLS Usage Report for SMTP in Exchange Online

Email clients use different protocols to submit email messages. The SMTP Auth (SMTP Authenticated Submission) protocol is primarily used by devices and applications that send automated messages on behalf of customers. To protect against the disclosure of credentials, TLS is mandatory for SMTP Auth. So, when TLS 1.0 is disabled, no messages can be sent from devices or clients that do not support TLS 1.2.

You can use the SMTP Auth Clients Report to learn which users are using this protocol, the volume of messages sent, and the version of TLS used to connect to Office 365. Using this data, you can determine which clients and servers are still using TLS1.0 and TLS1.1 to connect to the various email protocol endpoints in Exchange Online.

SMTP Auth Clients Reports – TLS 1.0 Deprecation

1. To download the SMTP Auth Clients Report, go to: “Security & Compliance > Mail Flow > Dashboard” and open the SMTP Auth Clients Report.

Alternatively, you can go directly using link: https://protection.office.com/mailflow/dashboard


 

2. Click ‘SMTP Auth Clients’; it will show a pivot for TLS version usage.


 

3. Click the ‘report’ link as shown in the screenshot above.


The TLS pivot shows the summary of TLS usage for your organization. Click ‘View details table’. It will show TLS usage per user.

 

SMTP Auth Client reports apply to SMTP-related mail flow and submission alone. For other protocols, you need to refer to the TLS deprecation report.

 

If you are reading this blog because you are planning to migrate TLS to 1.2, chances are you already read and executed the Microsoft guidance to make your connection guarded. If so, please share your experience/difficulties during TLS 1.2 migration in the comment section to assist other admins.

Update History:

July 2019 Update: “Office 365 will retire TLS 1.0 and 1.1 starting June 1st, 2020 in Worldwide and GCC Environments”, which means that all connections to Office 365 using the protocols TLS 1.0 and TLS 1.1 will not work after June 1st. So, you must migrate clients and devices to TLS 1.2 or later prior to June 1, 2020.

April 2020 Update: Due to the Corona outbreak, Microsoft has temporarily halted the TLS 1.0 and 1.1 deprecation.

July 2020 Update: Microsoft announced the TLS 1.0 and 1.1 retirement date in Office 365 to be October 15, 2020.

Nov 2021 Update: From Jan 03, 2022, Microsoft is retiring TLS 1.0 and 1.1 usage for the Direct Routing SIP interface.

 
