What was Basic Authentication for nonprofits and why is it being retired?

Sophisticated cyber criminals are taking aim at hybrid and remote workers, and nonprofit workers are not exempt from this targeting. Microsoft has been raising awareness among customers to move away from outdated, less secure email protocols, and has encouraged the use of its new and improved Modern Authentication method to access Microsoft 365 data for some years now.

Microsoft officially retires Basic Authentication in Exchange Online (the email services part of the Microsoft 365 suite of products) on October 1, 2022. This likely won’t impact you since Modern Authentication has been replacing Basic Authentication since 2019. If you are a typical Microsoft 365 customer, you use a modern version of Outlook (Outlook 2016, Outlook 2019 or Outlook 365) on your computer or access Microsoft 365 services through a web browser, and you access your Microsoft 365 email and calendar using the Microsoft Outlook Mobile App.

However, nonprofits that use Microsoft 365 do need to be aware of this change. Basic Authentication is most often used by the native email app in Android, or on older iPhones and iPads. Our recommendation is for organizations to standardize on the Microsoft Outlook Mobile App, which uses Modern Authentication.

How does this impact nonprofits? How does it impact you?

Moving to the new Modern Authentication will allow your organization to more easily implement Multi-Factor Authentication (MFA). If your organization hasn’t taken that very important cybersecurity step, this change is a great time to make MFA for Microsoft 365 services a requirement for all logins.

Basic Authentication impacts legacy protocols such as POP3, IMAP, MAPI and ActiveSync. These older protocols are ways people used to get email in and out of email servers. Microsoft made Microsoft 365 backward compatible with these legacy email protocols. But the usefulness of allowing these older protocols is now outweighed by the increasing security risks that they create. When Microsoft retires Basic Authentication on October 1st, they are drawing the line and no longer supporting that backwards compatibility.

Microsoft reports that “…The numbers on legacy authentication (Basic Authentication) from an analysis of Azure Active Directory (Azure AD) traffic are stark:

* More than 99 percent of password spray attacks use Basic Authentication protocols

* More than 97 percent of credential stuffing attacks use Basic Authentication

* Azure AD accounts in organizations that have disabled Basic Authentication experience 67 percent fewer compromises than those where Basic Authentication is enabled”

https://www.microsoft.com/en-us/microsoft-365/blog/2022/09/01/microsoft-retires-basic-authentication-in-exchange-online/

If you connect to your email services using the native mail app on your Android/iOS device you could have problems on an older device running an older version of Android/iOS. Any Android or iOS device less than two years old, assuming it’s been regularly patched, should be fine as both Android and iOS updated to support Modern Authentication beginning in 2019. If in doubt, installing and using the Outlook mobile app for iOS or Outlook mobile app for Android is recommended. 

Users of other email clients may experience challenges. As always, when using Microsoft 365 email services, using Outlook or Outlook on the Web (browser version) is the best practice. For more information: https://outlook.office.com.  

Calendars, Email, and Modern Authentication

Calendaring is part of Microsoft 365 email services, so the end of Basic Authentication could have an impact on users with older devices. Updated Outlook and up-to-date Android/iOS native calendaring will not be impacted, but there may be cases in which users are relying on Basic Authentication to share their calendars with other services. Data in calendars will not be compromised, but for services that rely on Basic Authentication, access to calendar information will be lost – unless the upgrade to more up-to-date apps or to Outlook on the Web (browser version) is made before October 1, 2022.

Admin users that rely on the Exchange Management Shell for administration will need to upgrade to the new Exchange Online PowerShell v2 module which supports Modern Authentication.

Organizations that have integrations into other email services to send or access email through connectors into their Office 365 environment should review their vendor’s guidance. 

Recommendations for nonprofits who may use Basic Authentication

Because the risk that users at most organizations will be impacted is very small, we recommend waiting until Microsoft retires Basic Authentication on October 1 and using your regular help desk process to remedy any interruptions at that time. You can prepare yourself and your users by letting them know they will always be able to access their Microsoft 365 email and calendars in Outlook Web Access at https://outlook.office.com.

Compromised email accounts are one of the biggest cybersecurity risks that an organization can face. As Microsoft retires Basic Authentication, they are closing a significant area of vulnerability in the Office 365 platform. It’s a good opportunity for organizations to review their list of user accounts, verify the protocols in place and implement multi-factor authentication (MFA).
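One way to carry out the account and protocol review described above, as an added example that is not from the original article or from Microsoft: it summarizes which accounts still sign in over legacy protocols. It assumes a JSON export of Azure AD sign-in records carrying the createdDateTime, userPrincipalName, clientAppUsed and status.errorCode fields; the sample records, the example.org addresses and the set of client app labels treated as legacy are constructed for illustration.

```python
import json
from collections import defaultdict

# Client app labels treated as legacy (Basic Authentication) in this example;
# an assumption to adjust against the values present in your own export.
LEGACY_CLIENT_APPS = {"Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP",
                      "MAPI Over HTTP", "Exchange Web Services", "Other clients"}

# Constructed sample records shaped like an Azure AD sign-in log JSON export.
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime": "2022-09-12T08:01:10Z", "userPrincipalName": "ana@example.org", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
 {"createdDateTime": "2022-09-14T17:45:02Z", "userPrincipalName": "Ana@example.org", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
 {"createdDateTime": "2022-09-13T09:30:00Z", "userPrincipalName": "bo@example.org", "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 0}},
 {"createdDateTime": "2022-09-13T09:31:00Z", "userPrincipalName": "bo@example.org", "clientAppUsed": "Browser", "status": {"errorCode": 0}},
 {"createdDateTime": "2022-09-13T02:10:11Z", "userPrincipalName": "cy@example.org", "clientAppUsed": "POP3", "status": {"errorCode": 50126}},
 {"createdDateTime": "2022-09-13T02:10:19Z", "userPrincipalName": "cy@example.org", "clientAppUsed": "POP3", "status": {"errorCode": 50126}},
 {"createdDateTime": "2022-09-14T11:00:00Z", "userPrincipalName": "dee@example.org", "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}}
]""")

def legacy_auth_report(signins):
    """Summarise legacy-protocol sign-ins per user (modern clients are skipped)."""
    report = defaultdict(lambda: {"protocols": set(), "ok": 0, "failed": 0, "last_seen": ""})
    for rec in signins:
        app = rec.get("clientAppUsed") or ""
        if app not in LEGACY_CLIENT_APPS:
            continue
        entry = report[rec["userPrincipalName"].lower()]  # UPNs are case-insensitive
        entry["protocols"].add(app)
        key = "ok" if rec.get("status", {}).get("errorCode", 0) == 0 else "failed"
        entry[key] += 1
        # ISO 8601 UTC timestamps in one format sort correctly as strings.
        entry["last_seen"] = max(entry["last_seen"], rec["createdDateTime"])
    return dict(report)

def users_to_migrate(report):
    """Users with a successful legacy sign-in: they lose access at the cutoff."""
    return sorted(u for u, e in report.items() if e["ok"] > 0)

def failure_only_accounts(report):
    """Accounts with only failed legacy sign-ins: no legitimate use, worth reviewing."""
    return sorted(u for u, e in report.items() if e["ok"] == 0 and e["failed"] > 0)

if __name__ == "__main__":
    report = legacy_auth_report(SAMPLE_SIGNINS)
    print("Move to a Modern Authentication client:", users_to_migrate(report))
    print("Failed legacy sign-ins only:", failure_only_accounts(report))
```

Users in the first list are the ones to move to Outlook or the Outlook mobile app before the cutoff; accounts in the second list are good candidates for a password reset and MFA enrollment.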

Ready to get strategic about your IT?

Community IT has been serving nonprofits exclusively for twenty years. We offer Managed IT support services for nonprofits that want to outsource all or part of their IT support and hosted services. For a fixed monthly fee, we provide unlimited remote and on-site help desk support, proactive network management, and ongoing IT planning from a dedicated team of experts in nonprofit-focused IT. And our clients benefit from our IT Business Managers team who will work with you to strategize your IT investments and technology roadmap, if you don’t have an in-house IT Director.

If you’re ready to gain peace of mind about your IT support, let’s talk.