Goodbye Basic Authentication! And what about the old apps?
In short, no more Basic Authentication for the following protocols when accessing Exchange Online.
- EWS (Exchange Web Services)
- EAS (Exchange ActiveSync)
- IMAP4
- POP3
- RPS (Remote PowerShell)
- And I am probably forgetting some…
Microsoft plans to end Basic Authentication in Exchange Online starting October 13, 2020.
Basic Authentication in Exchange Online
Most client applications use Basic Authentication to connect to servers, services and endpoints because it is simple to configure. Basic Authentication in Exchange Online sends a username and password with every client access request.
The problem with Basic Authentication is that it is easily compromised by brute-force or password-spray attacks. To protect our environment against this security threat, we need to move to a better option.
No more Basic Authentication in Exchange Online – how does this affect me?
Starting October 13, 2020, client applications using any of the legacy protocols listed above will no longer be able to connect to Exchange Online using Basic Authentication.
Alternative to Basic Authentication – move to Modern Authentication
The best solution is to move to a Modern Authentication approach. Modern Authentication is based on the Active Directory Authentication Library (ADAL) and OAuth 2.0 tokens.
Modern Authentication (OAuth 2.0 token-based authentication) has many advantages that help overcome the problems present in Basic Authentication. OAuth tokens have a limited lifetime and are specific to the application and resource they are issued for, so a captured token cannot be replayed elsewhere. Modern Authentication in Exchange Online provides a more secure and more reliable method than Basic Authentication.
For many years, client apps have used Basic Authentication to connect to servers, services and endpoints. It is enabled by default on most servers and services and it’s super simple to set up. Basic Authentication simply means the application sends a username and password with every request (often stored or saved on the device).
Simplicity isn’t at all bad in itself, but Basic Authentication makes it easier for attackers armed with today’s tools and methods to capture users’ credentials (particularly if not TLS protected), which in turn increases the risk of credential re-use against other endpoints or services. Multi-factor authentication (MFA) isn’t easy to enable when you are using Basic Authentication and so all too often it isn’t used.
Simply put, there are better and more effective alternatives to authenticate users available today, and we are actively recommending to customers to adopt security strategies such as Zero Trust (i.e. never trust, always verify) or apply real time assessment policies when users and devices are accessing corporate information. This allows for intelligent decisions to be made about who is trying to access what from where on which device rather than simply trusting an authentication credential, which could be a bad actor impersonating a user.
With these threats and risks in mind, we’re taking steps to improve data security in Exchange Online.
What We’re Changing
Last year we announced we are turning off Basic Authentication for Exchange Web Services on October 13, 2020. Today, we are announcing we are also turning off Basic Authentication in Exchange Online for Exchange ActiveSync (EAS), POP, IMAP and Remote PowerShell at the same time – October 13, 2020.
We want your help in getting users to move away from apps that use Basic Authentication, to apps that use Modern Authentication. Modern Authentication (which is OAuth 2.0 token based auth) has many benefits and improvements that help mitigate the issues present in Basic Authentication. For example, OAuth access tokens have a limited usable lifetime and are specific to the applications and resources they are issued for, so a captured token can't be replayed against another resource the way a captured password can. Enabling and enforcing MFA is also very simple with Modern Auth.
Please note this change does not affect SMTP AUTH – we will continue supporting Basic Authentication for the time being. There is a huge number of devices and appliances that use SMTP for sending mail, and so we’re not including SMTP in this change – though we are working on ways to further secure SMTP AUTH and we’ll share more on that in due course. Nor does this change affect Outlook for Windows or Mac assuming they are already configured and using Modern Auth (and they really should be).
How This Impacts You
This change might affect some of your users or apps, so we wanted to provide additional information to help you in identifying and deciding upon an action plan.
Remote PowerShell
Firstly, how does this impact your own tenant administration? You probably use Remote PowerShell (RPS) to access Exchange Online, hopefully with the MFA module. If so, you might also consider switching some of your day to day usage to using PowerShell within Azure Cloud Shell. We are also making significant investments in RPS to make the MFA module work better and we’ll be sharing some more information on that in due course.
Finding impacted users
The next action you really need to be thinking about is assessing client impact. The first question you probably have is – so how do I know who’s using Basic Authentication in my tenant? Great question, and soon we’ll make a report available to help you easily answer that question for yourself. It’s a report that provides tenant admins with a simple way to determine who is using Basic Auth so you, the admin, can see how large of a task you have on your hands.
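Until that report ships, the same question can be answered from sign-in data you already have. The script below is an added example, not part of the original post: it assumes a CSV export of sign-ins with "User principal name", "Client app", "Status" and "Date (UTC)" columns (the column names Azure AD sign-in log exports use), and the rows embedded in it are constructed sample data. It keeps only the client app categories that correspond to the five protocols named in this announcement and reports who used them and how often.

```powershell
# Added example (not from the original post): find users still signing in over the
# legacy protocols covered by this change, from a sign-in log export.
# Assumption: CSV columns "User principal name", "Client app", "Status", "Date (UTC)".
# The rows below are constructed sample data; replace with Import-Csv on a real export.

$sampleCsv = @'
User principal name,Client app,Status,Date (UTC)
alice@contoso.example,Exchange ActiveSync,Success,2019-09-20T08:01:12Z
alice@contoso.example,Mobile Apps and Desktop clients,Success,2019-09-20T08:05:40Z
bob@contoso.example,IMAP4,Success,2019-09-20T09:13:02Z
bob@contoso.example,IMAP4,Failure,2019-09-20T09:13:05Z
carol@contoso.example,Browser,Success,2019-09-20T10:44:51Z
dave@contoso.example,POP3,Success,2019-09-20T11:02:17Z
erin@contoso.example,Exchange Web Services,Success,2019-09-20T11:30:00Z
frank@contoso.example,Exchange Online PowerShell,Success,2019-09-20T12:00:00Z
'@

# "Client app" values that map to the five protocols losing Basic Auth in this change.
# "Browser" and "Mobile Apps and Desktop clients" are Modern Auth and are unaffected;
# "Authenticated SMTP" is deliberately absent because SMTP AUTH is not part of the change.
$affectedClientApps = @(
    'Exchange Web Services',       # EWS
    'Exchange ActiveSync',         # EAS
    'IMAP4',
    'POP3',
    'Exchange Online PowerShell'   # Remote PowerShell
)

function Get-BasicAuthUsers {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,  # rows from ConvertFrom-Csv / Import-Csv
        [switch] $SuccessOnly                         # drop failures (e.g. password-spray noise)
    )
    $SignIns |
        Where-Object { $affectedClientApps -contains $_.'Client app' } |
        Where-Object { (-not $SuccessOnly) -or ($_.Status -eq 'Success') } |
        Group-Object -Property 'User principal name' |
        ForEach-Object {
            [pscustomobject]@{
                User      = $_.Name
                Protocols = ($_.Group.'Client app' | Sort-Object -Unique) -join ', '
                SignIns   = $_.Count
                LastSeen  = ($_.Group.'Date (UTC)' | Sort-Object | Select-Object -Last 1)
            }
        } |
        Sort-Object -Property SignIns -Descending
}

$signIns = $sampleCsv | ConvertFrom-Csv
# Real tenant: $signIns = Import-Csv -Path .\SignIns.csv
Get-BasicAuthUsers -SignIns $signIns -SuccessOnly | Format-Table -AutoSize
```

Run without -SuccessOnly to see failed attempts as well; a user whose only legacy-protocol rows are failures is more likely a password-spray target than a real IMAP user, and that distinction changes what you do next.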
Once you understand what your users use, and know whether they are using Basic or Modern Authentication, what can you do about it? Each of the impacted protocols has options.
POP and IMAP
So let’s talk about POP and IMAP. We know there’s still some usage out there, not much, but some. We’re planning on adding OAuth support to both POP and IMAP in the next few months. If you want to keep using these protocols, you’ll need to update the app to one that supports Modern Auth. Or better yet – get the user to use a more modern client (did you know we’ve added shared mailbox support to the Outlook app for iOS and Android? That’s one reason some people have been using POP and IMAP), or get the application developer to start using OAuth.
Exchange ActiveSync
The client app you might have the most usage with probably uses Exchange ActiveSync. There are many users out there with mobile devices set up with EAS. If they are using Basic Auth (and many of them are), now’s the time to do something about that. What are your choices?
Without doubt, we believe the best mobile device client to use when connecting to Exchange Online is Outlook mobile. Trusted by over 100M users across the world, Outlook mobile fully integrates Microsoft Enterprise Mobility + Security (EMS) enabling conditional access and app protection (MAM) capabilities. Outlook mobile helps you secure your users and your corporate data, and it natively supports Modern Authentication.
There are of course other email apps for mobile devices that support Modern Authentication too, so that’s another option.
For users that don’t want an app, or for users that have a device for which there is no app, they could switch to the browser on their mobile device. Outlook on the Web is used by millions of users every month, it’s feature-rich and we have a version ideal for mobile browsers. You can access it on a mobile device by navigating to https://outlook.office365.com. We’ll know it’s a mobile device you are using so we have a special experience just waiting for you. Go try it.
Summary
We know the change from Basic Auth to Modern Auth will potentially cause some disruption. Any change in how users do things is challenging for some of them, but we want to do this together to improve security and protect your data and your users' data. Disabling Basic Authentication and requiring Modern Authentication with MFA is one of the best things you can do to improve the security of data in your tenant, and that has to be a good thing.
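You do not have to wait for the cut-off to disable Basic Auth for these protocols in your own tenant. The script below is an added example, not part of the original post: it uses Exchange Online authentication policies to block Basic Auth for exactly the five protocols named above while leaving SMTP AUTH alone, pilots the policy on a few users first, and only then makes it the tenant default. It assumes the ExchangeOnlineManagement module is installed (the MFA module's Connect-EXOPSSession works as well), that the account holds the Organization Management role, and the policy name and user addresses are placeholders.

```powershell
# Added example (not from the original post): block Basic Auth for EWS, EAS, POP, IMAP
# and Remote PowerShell with an Exchange Online authentication policy, staged safely.
# Assumptions: ExchangeOnlineManagement module installed; admin@contoso.example has the
# Organization Management role; policy name and pilot users are placeholders.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # Modern Auth, MFA prompt

$policyName = 'Block Basic Auth (EWS EAS POP IMAP RPS)'

# A new authentication policy blocks Basic Auth for every protocol by default.
# SMTP AUTH is explicitly re-allowed because this announcement does not cover it.
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName -AllowBasicAuthSmtp | Out-Null
}

# Make the intent explicit even if the policy already existed with other settings.
Set-AuthenticationPolicy -Identity $policyName `
    -AllowBasicAuthSmtp:$true `
    -AllowBasicAuthWebServices:$false `
    -AllowBasicAuthActiveSync:$false `
    -AllowBasicAuthPop:$false `
    -AllowBasicAuthImap:$false `
    -AllowBasicAuthPowershell:$false

# Stage 1: pilot on a few users. Policy assignment can take up to 24 hours to apply;
# resetting the refresh-token validity makes it take effect immediately for that user.
$pilotUsers = 'alice@contoso.example', 'bob@contoso.example'
foreach ($upn in $pilotUsers) {
    Set-User -Identity $upn -AuthenticationPolicy $policyName
    Set-User -Identity $upn -STSRefreshTokensValidFrom ([DateTime]::UtcNow)
}

# Verify the policy and the pilot assignments.
Get-AuthenticationPolicy -Identity $policyName | Format-List Name, AllowBasicAuth*
foreach ($upn in $pilotUsers) {
    Get-User -Identity $upn | Format-List UserPrincipalName, AuthenticationPolicy
}

# Stage 2 (uncomment once the pilot is clean and the impact list is empty or accepted):
# the default policy applies to every user without an explicit assignment, so any
# remaining Basic Auth clients start failing at this point.
# Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName
```

Keep the pilot stage separate from the tenant-wide default: the policy is enforced at authentication time, so a device that has a cached Basic Auth password will simply stop syncing, and you want that to happen first for users who expect it.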
The last thing to make clear – this change only affects Exchange Online, we are not changing anything in the Exchange Server on-premises products. We think turning off Basic Auth on-premises is a great idea too, by the way, and here’s something we published recently on that subject.
We know this is big news and we’re here to help. Please do leave us comments or questions and we’ll do our best to help.