The US Cybersecurity and Infrastructure Security Agency (CISA) is urging federal agencies and private organizations to switch to Modern Auth in Exchange Online before October 1, 2022.
A legacy authentication method, Basic Auth does not support multi-factor authentication and requires that the user’s password is sent with each authentication request. It is used in protocols such as ActiveSync, Exchange Web Services (EWS), Post Office Protocol/Internet Message Access Protocol (POP/IMAP), and Remote Procedure Call over HTTP (RPC over HTTP).
Per Executive Order 14028, “Improving the Nation’s Cybersecurity,” federal civilian executive branch (FCEB) agencies are required to adopt MFA within their environments, and switching to Modern Auth is a first step in this direction.
Last year, Microsoft announced plans to disable Basic Auth in Exchange Online starting October 1, 2022, which calls for an expedited migration to Modern Auth, CISA says. Organizations with on-premises Exchange servers should migrate to hybrid Modern Auth.
“We’re turning off Basic Auth for the following protocols: MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS), and Remote PowerShell,” Microsoft announced last month.
The tech giant has long promoted the adoption of modern authentication, explaining in a 2020 blog post that nearly all password spray and credential stuffing attacks rely on legacy authentication and that successful compromise had dropped by 67% within organizations that disabled legacy authentication.
“Federal agencies should determine their use of Basic Auth and migrate users and applications to Modern Auth. After completing the migration to Modern Auth, agencies should block Basic Auth,” CISA notes.
Legacy or custom-built business applications are likely still relying on Basic Auth, but user-facing applications such as Outlook for desktop and mobile have already switched to Modern Auth.
To identify applications and users still relying on legacy authentication, organizations should review Azure Active Directory (AAD) sign-in logs. Next, they should plan for a phased migration to Modern Auth, for both apps and users.
Once the migration has been completed, organizations are advised to block legacy authentication. This can be done by creating a new policy in Exchange Online or by creating a conditional access policy in AAD, thus blocking Basic Auth before or after authentication occurs, respectively.
Related: NIST Releases New macOS Security Guidance for Organizations
Related: US, UK, New Zealand Issue PowerShell Security Guidance
Related: CISA Releases Final IPv6 Security Guidance for Federal Agencies
