In less than one month, Microsoft will turn off basic authentication, such as usernames and passwords sent over unencrypted channels, for the Exchange Online service. As of October 1, 2022, users will be required to employ token-based authentication to access their accounts. Other cloud providers are making similar changes: Google has already moved 150 million users to two-factor authentication, and Rackspace will stop allowing cleartext email protocols by the end of the calendar year.
- Microsoft has provided diagnostic tools to help analyze specific issues with disabling basic authentication. You can have a specific service re-enabled by opening a support ticket, but that only buys you until January 2023, when the change becomes permanent. Even if Microsoft moves that date, don’t let off the gas on preparing to use MFA for your EXO access; you want to be prepared and tested before the ability to revert changes is removed. Enabling MFA for EXO includes configuring a window of how frequently you wish to re-verify users (e.g., every 30 or 60 days), which reduces the impact of this change. If you’re using MS365 with a separate IDP, make sure that you understand the change to that IDP behavior.
- Better late than never. I am of the opinion that all software vendors should ship products with secure configurations by default and allow the customer to make changes if they must/really need to.
- These are very welcome moves by all the providers covered in this article. However, security should be the default setting for many of the cloud services and one that is included in all subscription levels, not just at premium subscriptions.