The Enabling Technologies Blog


Mark Brezicky / / Categories: Technical View, Exchange Online

End of Life of Legacy Auth on ExchOnline - Easier said than done!

Note: as of April 2020, MSFT has extended the deadline to decommission basic authentication until mid-year 2021. See https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-april-2020-update/ba-p/1275508 for their news. This gives more time to properly plan, as it's not a short project for larger organizations.

We're about 7 months away from Microsoft's planned decommissioning of Basic Authentication for Exchange Web Services, ActiveSync (EAS), and Remote PowerShell on October 13, 2020. These protocols are very susceptible to password spray and other identity attacks leading to compromised credentials. It’s a good change but will be inconvenient for the unprepared.  

That means you must migrate all services accessing Exchange to use Modern Authentication (like Outlook Mobile or iOS Native email) before October 2020. The original announcement included news about deprecating support for IMAP and POP, but since then Microsoft has committed to updating IMAP and POP to support modern authentication. That covers only half the equation (their side) and still requires the apps/services that connect to change as well.

Start now! Many orgs will need time to find all logins from third-party apps that use these protocols and find a workaround. Such services will break if you turn off legacy auth in a flash.

NOTE: Until then, new mailboxes have POP3 and IMAP enabled by default. To start reducing your attack surface, you can disable them on the mailbox plan (the defaults applied to new mailboxes) with this cmdlet:

Get-CASMailboxPlan -Filter {ImapEnabled -eq $true -or PopEnabled -eq $true} | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false

The graph Microsoft presented at RSA reiterates the need for this change. 


At RSA, Microsoft's own IT staff gave a presentation about their own internal challenges with deactivating legacy protocols. Their initial plan was to communicate this change and then deactivate all legacy authentication in a flash. This ended up catching fire as unknown connected business applications ceased to work after the change. They ended up having to reactivate the protocols to allow business to proceed. Another case of easier said than done!

Their adjusted timeline is shown below, and the steps involved are to:

  1. Evaluate your Azure Active Directory sign-in logs (see example below) to see what protocols are in use and by what remote services. Third party business apps use Exchange’s connectors to automate emails and workflows. They may exist without you knowing it!
  2. Once these protocols have been discovered, the difficult work of finding the line of business owner and communicating about this change begins.  
  3. Develop a process to handle exceptions (there will be some complaints/valid business uses). 
  4. Ask the business owner if the connection is still needed. If it is, you and they should work with the third-party provider to ensure that they are making changes to the app to support modern auth. Simply because Microsoft supports modern auth doesn't mean the application will change accordingly. This will likely require some coding changes to the remote software that is connected. October is coming... 
  5. Test with a small group (of low-impact accounts) to understand the business unit’s response, and if needed, your exception process. Then move to the more difficult apps/business owners. 
  6. Once apps are updated or removed, deactivate legacy auth for that mailbox using the cmdlet above, or for all legacy apps using a Conditional Access Policy in Azure AD. Do this before October so that any that were missed are discovered before MSFT handles the rest in Oct.  
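Steps 1 and 6 above are the two that can be worked with a script: inventorying who is still using legacy protocols from the Azure AD sign-in logs, and expressing the cut-over as a Conditional Access policy with the agreed exceptions excluded. The following is an added example, not code from the original post or from Microsoft. It assumes sign-in records in the JSON shape returned by the Microsoft Graph `/auditLogs/signIns` endpoint (`clientAppUsed`, `userPrincipalName`, `appDisplayName`, `ipAddress`, `createdDateTime`, `status.errorCode`), the `clientAppUsed` names Azure AD reports for basic-auth protocols, and the Graph `conditionalAccessPolicy` body shape; the sample records are constructed, and `excludeUsers` takes user object IDs, for which a placeholder is used.

```python
"""Inventory legacy (basic) authentication from Azure AD sign-in logs and
build the Conditional Access policy body for the cut-over.

Added example, not code from the original post or from Microsoft. Assumes
records in the Microsoft Graph /auditLogs/signIns JSON shape; the sample
sign-ins below are constructed, not real tenant data.
"""
import json
from collections import Counter, defaultdict

# clientAppUsed values that Azure AD sign-in logs report for basic/legacy
# authentication. EAS, EWS and Remote PowerShell are the three the post
# says go first; IMAP/POP/SMTP are the ones still enabled on new mailboxes.
LEGACY_CLIENTS = {
    "Exchange ActiveSync", "Exchange Web Services", "Exchange Online PowerShell",
    "IMAP4", "POP3", "Authenticated SMTP",
    "Outlook Anywhere (RPC over HTTP)", "Offline Address Book", "Other clients",
}


def _rec(ts, upn, client, ip, code=0):
    """Build one constructed sign-in record in Graph signIn shape."""
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "appDisplayName": "Office 365 Exchange Online",
            "clientAppUsed": client, "ipAddress": ip, "status": {"errorCode": code}}


# Constructed export: two business integrations, one phone on EAS, one
# modern-auth browser sign-in, and a burst of failed IMAP logons against
# three different accounts from one address (the spray pattern).
SAMPLE_SIGNINS = json.dumps([
    _rec("2020-03-02T08:01:00Z", "svc-crm@contoso.example", "Exchange Web Services", "203.0.113.10"),
    _rec("2020-03-02T08:05:00Z", "svc-crm@contoso.example", "Exchange Web Services", "203.0.113.10"),
    _rec("2020-03-02T09:00:00Z", "scanner@contoso.example", "Authenticated SMTP", "198.51.100.7"),
    _rec("2020-03-02T09:30:00Z", "alice@contoso.example", "Exchange ActiveSync", "192.0.2.44"),
    _rec("2020-03-02T10:00:00Z", "alice@contoso.example", "Browser", "192.0.2.44"),
    _rec("2020-03-02T11:00:00Z", "bob@contoso.example", "IMAP4", "203.0.113.99", 50126),
    _rec("2020-03-02T11:00:05Z", "carol@contoso.example", "IMAP4", "203.0.113.99", 50126),
    _rec("2020-03-02T11:00:10Z", "dave@contoso.example", "IMAP4", "203.0.113.99", 50126),
])


def load_signins(text):
    """Parse a JSON array of sign-in records (e.g. the portal's JSON download)."""
    return json.loads(text)


def is_legacy(rec):
    return rec.get("clientAppUsed") in LEGACY_CLIENTS


def inventory(records):
    """Successful legacy sign-ins as {protocol: {(account, ip): count}}.

    Each (account, ip) pair is a lead for step 2: something at that address
    is authenticating with basic auth and has an owner to be found."""
    out = defaultdict(Counter)
    for r in records:
        if is_legacy(r) and r.get("status", {}).get("errorCode") == 0:
            out[r["clientAppUsed"]][(r["userPrincipalName"], r["ipAddress"])] += 1
    return {proto: dict(c) for proto, c in out.items()}


def failed_legacy_by_ip(records, min_accounts=3):
    """Addresses with failed legacy logons against >= min_accounts distinct
    accounts: the password-spray pattern these protocols invite."""
    targets = defaultdict(set)
    for r in records:
        if is_legacy(r) and r.get("status", {}).get("errorCode") != 0:
            targets[r["ipAddress"]].add(r["userPrincipalName"])
    return {ip: len(u) for ip, u in targets.items() if len(u) >= min_accounts}


def build_block_policy(exception_user_ids, enforce=False):
    """Graph conditionalAccessPolicy body that blocks legacy client types for
    everyone except the exception accounts (step 3's exception process).

    Starts in report-only state so missed apps show up in the logs before
    the policy is enforced. Graph expects user object IDs in excludeUsers."""
    return {
        "displayName": "Block legacy authentication",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "clientAppTypes": ["exchangeActiveSync", "other"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeUsers": list(exception_user_ids)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    recs = load_signins(SAMPLE_SIGNINS)
    for proto, users in inventory(recs).items():
        print(proto)
        for (upn, ip), n in users.items():
            print(f"  {upn} from {ip}: {n} sign-in(s)")
    print("possible spray sources:", failed_legacy_by_ip(recs))
    print(json.dumps(build_block_policy(["<object-id-of-svc-crm>"]), indent=2))
```

Run against a real export, the inventory is the list you take to business owners in step 2; the policy body is what you would create in report-only mode during step 5 and switch to `enforce=True` in step 6 once the exception list is final.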

This is MSFT’s updated timeline. You can see why starting early will be critical.


If you’d like guidance with this process and the gotchas that may result, contact securecloud@enablingtechcorp.com
