Office 365 - Exchange Online Basic Authentication Overview
Most logins to Microsoft Office 365 Exchange require direct authentication to NetID Login. However, some clients/protocols use basic authentication. With basic authentication (also called proxy authentication), the email client transmits the username and password to Office 365, and Office 365 forwards the provided credentials to NetID Login. This article answers general questions about Basic Authentication.
Table of Contents
- How does basic authentication work in Office 365?
- What is modern authentication?
- Which clients are capable of modern authentication in Office 365?
- How is basic authentication less secure than modern authentication?
- How long will Microsoft support basic authentication in Office 365?
- When is Modern Authentication enabled for all Office 365 firstname.lastname@example.org accounts?
- When is Modern Authentication enabled for all Office 365 service accounts?
- How can I disable basic authentication to my account?
- How can I reconfigure Exchange to use modern authentication on my devices?
- How do I configure a client with a legacy protocol for modern authentication?
- I'd like to learn more about Office 365 authentication.
With basic authentication, your email/calendar client will transmit your username and password to Office 365 (Exchange Online). Office 365 will forward your credentials to the NetID Login Service. The NetID Login Service will verify the credentials and return a token to Office 365. If authentication was successful and the user is authorized, the email/calendar client will be connected to Office 365.
If your email/calendar client uses modern authentication, your credentials are not sent to Office 365 (Exchange Online). Instead, you'll be redirected to the familiar NetID Login screen. If your account is protected by Duo MFA, you will be required to confirm your login. Your client may maintain a connection to Office 365 with an OAuth token, so you may not be required to use NetID Login each time you use the client.
The following is a non-exhaustive list of clients which are capable of authenticating to Office 365 Exchange Online with modern authentication:
- Outlook on the web
- Outlook for Windows (2016 or newer)
- Outlook for Mac (2016 or newer)
- Outlook App for Android
- Outlook App for iOS version 10.x and greater
- Mail app on iOS 11.x+
- Mail app on Mac OS 10.14 (Mojave) and later
- Mail app on Android devices (dependent on manufacturer)
- Thunderbird app version 77.0b1 or later
Basic authentication in Office 365 is less secure for multiple reasons:
- If your credentials (NetID username and password) are compromised, they can be used to access your mailbox or to send email from your account. Since basic authentication is not protected by multi-factor authentication, even those enrolled in Duo MFA are at risk.
- Office 365 basic authentication can be used to verify usernames and passwords via credential stuffing, brute force and password spray attacks. If verified, then the credentials can be used to access other systems/services.
Microsoft has already discontinued support for basic authentication with Outlook REST API. Microsoft has announced an end of support for basic authentication with EWS, EAS, POP, IMAP, Remote PowerShell (RPS) on 10/13/2020. Support for basic authentication with Office 365 SMTP is expected to continue beyond 2020.
New Microsoft update: September 2021: We're making some changes to improve the security of your tenant. We announced in 2019 we would be retiring Basic Authentication for legacy protocols, and in early 2021 we announced we would begin to retire Basic Authentication for protocols not being used in tenants, but not disable Basic Authentication for any in-use protocols until further notice. Today, we are announcing that we are restarting the program to end the use of Basic Auth in Exchange Online. Beginning October 1, 2022, we will begin to disable Basic Auth in all tenants, regardless of usage.
The full announcement can be found at https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-september-2021-update/ba-p/2772210
To manage this feature, please review the Office 365 - Manage Password Security article.
Office 365 team will enable Password Security on Oct. 4, 2021.
Important: This will only affect users who have configured their email@example.com account within an email client which currently is not configured to use Modern Authentication. After Oct 4, 2021, to access your email, you will need to use an email application which supports Modern Authentication. See the reconfigure section below for client options available to you after Oct 4, 2021.
When is Modern Authentication enabled for all Office 365 service accounts (firstname.lastname@example.org)?
Beginning in November 2021, DoIT will begin the final phase of upgrading university email accounts to modern authentication. This final group is limited to service accounts, some of which are tied to crucial university business processes. During this phase of the project, we ask that departments proactively identify service accounts that currently use basic authentication so that we can share the time and bandwidth to assist you and reduce interruptions in service.
Important: This will only affect users who have configured their service account (email@example.com) within an email client which currently is not configured to use Modern Authentication. See the reconfigure section below for guidance on how to reconfigure your client to use Modern Authentication.
If you are using Basic authentication to connect to your email account, you may be suspect to any of the following: unauthorized access, use of your NetID credentials for credential stuffing, brute force, and password spray cyberattacks.
To protect your account and NetID credential, it is highly recommended that you make sure Password Security is enabled on your account - to manage this feature, please review the Office 365 - Manage Password Security article.
To begin using modern authentication through exchange, open a desktop or mobile email client, remove your UW Madison email address, and then re-add your UW Madison email address. When authenticating the account, you should receive a pop up or be redirected to UW Madison's secure login portal, which is the only time you should enter your password.
Information regarding how to configure specific mail clients can be found in:
- Office 365 (Outlook for Windows) - Configure Outlook
- Office 365 (Outlook for Mac) - Configure Outlook
- Office 365 (Outlook for Android/iOS) - Configuring the Outlook app for Android/iOS
- Office 365 (Apple Mail / Calendar) - Configure Apple Mail / Calendar
- Office 365 (iOS) - Configure the native email/calendar app for iPhone, iPad, iPod
- Office 365 (Android) - Configure the native email/calendar app for Android
- Office 365 (Thunderbird) - Configure Modern Authentication
Microsoft supports authentication to O365 with "legacy" protocols: IMAP, POP, and SMTP. Any client that supports OAuth 2.0 should be able to authenticate to Office 365. Support for OAuth 2.0 with O365 is dependent upon the client developer. The UW-Madison Office 365 team has no control over client support. Configuration instructions will be unique for each client, but you can refer to the Thunderbird IMAP/SMTP modern authentication configuration instructions found here: Office 365 (Thunderbird) - Configure Modern Authentication
If you'd like to learn more about basic and modern authentication in Office 365, please review the following documents:
- Hybrid Modern Authentication overview
- End of support for Basic Authentication
- Disable Basic authentication in Exchange Online