Basic authentication is being deprecated 

Microsoft announced they were deprecating Basic Authentication for Exchange Online later this year but to avoid further disruption to businesses dealing with COVID-19, they have delayed this deprecation until 2021.

Microsoft still plans to disable Basic Authentication for all newly created O365 tenants this year, as well as those tenants who have no record of Basic Authentication use.  

More about this delay announcement can be read via this link.

What is basic authentication?

Basic authentication is a simple authentication scheme built into the HTTP protocol where the username and password are passed in the request header. Traditionally, basic authentication has been used to authenticate to Exchange email using the ActiveSync protocol from native email clients on mobile devices, e.g. the iOS Mail app, Gmail and Samsung Email.

Microsoft terms applications that use old, insecure authentication methods such as basic authentication “legacy apps”; Google terms these “less secure apps” or “LSAs.” LSAs are apps that access accounts using only a username and password pair and thus expose users to account hijacking attacks.

As Basic Authentication provides no protection for the credentials being transmitted in the HTTP header, it is not considered a secure method of authentication and for the most part, is being superseded by the use of OAuth, which uses tokens to prove identity instead of sharing password data.  
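To make the point above concrete, here is an added example (not code from the original post) that inspects the Authorization header of a few constructed requests. The request samples, the user name and the password in them are made up for the example. It shows that a Basic header is only Base64-encoded, so anything that can read the header can recover the password, whereas a Bearer (OAuth) header carries an opaque token and never the password. The second function is a small audit helper that lists which users are still sending Basic credentials, the kind of check you would run over a proxy or gateway log before the deprecation lands.

```python
import base64
import binascii

# Constructed sample requests (not real traffic): one ActiveSync-style request
# using Basic authentication, one carrying an OAuth bearer token, one with no
# Authorization header at all.
SAMPLE_REQUESTS = [
    {
        "path": "/Microsoft-Server-ActiveSync",
        "headers": {
            "Authorization": "Basic "
            + base64.b64encode(b"alice@example.com:Winter2020!").decode()
        },
    },
    {
        "path": "/Microsoft-Server-ActiveSync",
        "headers": {"Authorization": "Bearer eyJhbGciOiJSUzI1NiJ9.example.signature"},
    },
    {"path": "/owa/", "headers": {}},
]


def classify_authorization(header_value):
    """Return (scheme, details) for an Authorization header value.

    For Basic, 'details' is the decoded username and password: Base64 only
    encodes, it does not protect the secret. For Bearer, only the opaque token
    is present; the password never travels with the request.
    """
    if not header_value:
        return ("none", None)
    scheme, _, payload = header_value.partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        try:
            decoded = base64.b64decode(payload, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            # Malformed Basic payload: still the Basic scheme, nothing decodable.
            return ("basic", None)
        username, _, password = decoded.partition(":")
        return ("basic", {"username": username, "password": password})
    if scheme == "bearer":
        return ("bearer", {"token": payload})
    return (scheme, None)


def find_basic_auth_requests(requests):
    """Audit helper: list (path, user) for every request still using Basic auth."""
    findings = []
    for req in requests:
        scheme, creds = classify_authorization(req["headers"].get("Authorization"))
        if scheme == "basic":
            user = creds["username"] if creds else "<undecodable>"
            findings.append((req["path"], user))
    return findings


if __name__ == "__main__":
    for path, user in find_basic_auth_requests(SAMPLE_REQUESTS):
        print(f"Basic authentication still in use: {user} -> {path}")
```

Note that the audit helper deliberately reports only the username, never the recovered password; the point of decoding is to demonstrate the exposure, not to collect secrets.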

Modern Authentication 

As a Microsoft customer you may hear the term “modern authentication,” which describes a combination of OAuth as an authorisation method plus multifactor (MFA) / certificate / smartcard as authentication methods along with conditional access policies. I thought it would be a good time to break down what it looks like to enable OAuth for email on managed devices so you will be ready for basic authentication deprecation when it happens. 

How OAuth works for the Microsoft Outlook app 

Outlook for iOS and Android authenticates via Modern Authentication by default, so you do not need to make any changes to enable OAuth authorisation when you deploy the Outlook app via your Unified Endpoint Management (UEM) console. 

The Outlook app offers the ability to “push” account configurations via Managed App Configuration in your UEM, and you can use these settings to ensure Modern Authentication is set as the default authentication type or you may need to enforce basic authentication if you are still using Exchange On-premise.  

You can also push username and email address attributes via these AppConfig settings.  

For modern authentication, employees’ User Principal Names (UPNs) need to be the same as their email address. You may have to do some pre-work to check and validate that everyone meets this requirement.

Microsoft Intune AppConfig Settings for Outlook


How OAuth works for the iOS native mail app 

iOS native mail has supported OAuth since iOS 11. 

In VMware Workspace ONE UEM there is an option to leverage OAuth in the native Exchange ActiveSync email profile as shown below.

VMware Workspace ONE UEM Exchange ActiveSync Profile settings 


Additionally, if you need to, you can add your Identity Provider’s sign-in URLs in the profile.

In MobileIron Cloud there is an option to enable OAuth with the Exchange payload as shown here.

MobileIron Cloud Exchange Configuration Profile Settings 


How OAuth works for the Android Enterprise native mail app Gmail 

Gmail has supported OAuth by default since 2019. Gmail supports managed configurations to enable a smooth setup in corporate environments.  

As an administrator, use your unified endpoint management (UEM) console to configure Gmail settings for each user. You can read more about managed configurations available for Gmail via this link.  

Managed configurations for Gmail can be set to allow Modern Authentication (recommended) or to allow Basic Authentication as follows: 

  • allow_modern_authentication: Uses modern authentication, a token-based method of identity management that offers more secure user authentication and authorization. If modern authentication isn’t possible, basic authentication is used. 

  • allow_basic_authentication: Uses basic authentication, an older method of authentication that prompts users for their password and stores this password for future use. 

If not specified, the default setting is allow_modern_authentication.

What about Exchange on-premise? 

Basic authentication is not being deprecated for Exchange on-premise environments in the same timeframe as Exchange Online. However, it is still possible to enable Modern Authentication for your on-premise environment by leveraging Hybrid modern authentication. 

You can learn more about what you need in place for Hybrid Modern Authentication via this link.  


How to disable Basic Authentication in Azure manually 

When you are ready, you can disable Legacy Auth completely for your Azure Tenant – you can learn more about how to do this via this link. Be sure to understand the impact before disabling Legacy Auth, as it may leave some apps without a mechanism to authenticate.
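The impact check mentioned above is the step most likely to be skipped, so here is an added example (not from the original post or from Microsoft) of how to do it from a sign-in log export before the block is applied. The sign-in records are constructed for the example and only mimic a handful of fields from an Azure AD sign-in export; the set of clientAppUsed labels treated as legacy is an assumption made here and should be confirmed against Microsoft’s current documentation for your tenant. The code tallies successful legacy sign-ins per protocol and, more usefully, lists users who have never been seen on a modern client and would therefore lose mail access entirely.

```python
from collections import Counter, defaultdict

# Client labels treated as legacy / modern authentication. This grouping is an
# assumption for the example; verify it against the sign-in log documentation.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync",
    "Other clients",
    "Authenticated SMTP",
    "IMAP4",
    "POP3",
}
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sign-in records (not exported from a real tenant).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Exchange ActiveSync", "status": "Success"},
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Mobile Apps and Desktop clients", "status": "Success"},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4", "status": "Success"},
    {"userPrincipalName": "scanner@example.com", "clientAppUsed": "Authenticated SMTP", "status": "Success"},
    {"userPrincipalName": "carol@example.com", "clientAppUsed": "Browser", "status": "Success"},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4", "status": "Failure"},
]


def legacy_auth_impact(signins, include_failures=False):
    """Summarise legacy-auth usage that a block policy would cut off.

    Returns (sign-in count per legacy protocol, sorted users per protocol).
    Failed sign-ins are ignored by default: a user whose legacy attempts all
    failed is not relying on that protocol today.
    """
    per_protocol = Counter()
    users_by_protocol = defaultdict(set)
    for rec in signins:
        if rec["status"] != "Success" and not include_failures:
            continue
        client = rec["clientAppUsed"]
        if client in LEGACY_CLIENT_APPS:
            per_protocol[client] += 1
            users_by_protocol[client].add(rec["userPrincipalName"])
    return per_protocol, {k: sorted(v) for k, v in users_by_protocol.items()}


def users_without_modern_fallback(signins):
    """Users seen only on legacy clients.

    These accounts (often shared mailboxes, scanners or scripts) lose access
    entirely unless their client is migrated before the block is applied.
    """
    legacy_users, modern_users = set(), set()
    for rec in signins:
        if rec["status"] != "Success":
            continue
        if rec["clientAppUsed"] in LEGACY_CLIENT_APPS:
            legacy_users.add(rec["userPrincipalName"])
        elif rec["clientAppUsed"] in MODERN_CLIENT_APPS:
            modern_users.add(rec["userPrincipalName"])
    return sorted(legacy_users - modern_users)


if __name__ == "__main__":
    counts, users = legacy_auth_impact(SAMPLE_SIGNINS)
    for protocol, n in counts.most_common():
        print(f"{protocol}: {n} sign-in(s) from {', '.join(users[protocol])}")
    print("No modern fallback:", ", ".join(users_without_modern_fallback(SAMPLE_SIGNINS)))
```

Run against a real export, the second list is the one to act on first: each entry is a client that must be migrated to an OAuth-capable app, or an account that needs a different integration path, before Legacy Auth is switched off.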

Need help?  

Mobile Mentor engineers are Microsoft, Apple, and Android certified. We have 15 years’ experience with MDM technologies and remote management. If you are interested in help with setting up modern authentication for your apps, contact us.