Back to blog
Image shows a confused woman contemplating what happens after basic authentication is retired. She's wearing a Microsoft badge to show she's a partner, and her thought bubble features icons of passwords, padlocks, and threatening figures.

What Does Retiring Basic Authentication Mean for Microsoft Partners?

3 minute read

A reckoning is coming. Microsoft’s deadline for basic authentication retirement is fast approaching – but what does that actually mean for customers and partners? And what happens next?

Cast your minds back to 2019: Game of Thrones came to an end, many of us had never attended a ‘Zoom Quiz’ before, and we looked to 2020 with hopeful optimism.  It was also the year – late in September – that Microsoft announced the retirement of basic authentication in Exchange Online.

And who can blame them? Basic authentication – that is, using just an email and password (which often ends up stored on the device) to grant access – is a piece of cake for cyber-attackers to bypass with modern methods and tools. For tools and their valuable data, basic authentication can be a gaping hole in their defences, ready to be exploited.

Fast forward to the present, and Microsoft’s deadline for retiring basic authentication is almost upon us; from the 1st October 2022, Microsoft will start to randomly select tenants on which they’ll disable basic authentication access for:

  • MAPI
  • RPC
  • Office Address Book (OAB)
  • Exchange Web Services (EWS)
  • POP
  • IMAP
  • Exchange Active Sync (EAS)
  • And Remote PowerShell

For those who need extra time or who are unaware of the coming changes, there’s an opportunity to re-enable basic authentication once per protocol until the end of December 2022 – after that, though, the functionality will be removed. For a full run-down of how the deprecation will unfold, visit Microsoft’s documentation.


What Does This Mean for Microsoft Partners and Their Customers? 

In truth, quite a few things – chief among them is a shift to more security investment and tighter, more effective governance of security practices. As harsh as it may seem (regardless of the three-year lead time), this could be the shock some customers need to make important changes to their organisation-wide security.

Retiring basic authentication also highlights certain requirements from both parties…

Partners Need to Have the Security Talk

Yep, it’s time. Security is a conversation that is simply too important – and potentially expensive – to avoid having. Still, many customers are hesitant to tread there, fearing sky-high costs or believing that their current measures are enough – sometimes because they don’t know how exposed they actually are.

For partners, the end of basic authentication can be leveraged to kick off the conversation, highlighting the alternative methods and measures available to customers. There’s also Microsoft’s Secure Score to lean on, showcasing tangible benchmarks and recommendations for context.

Understandably, the unfolding financial crisis will likely deter many customers from spending money, with a freeze on investing in security. Unlocking resources and freeing up funds to reinvest, then, will be a key play for partners to encourage the instigation of new security measures

Customers Need to Get Everybody Using MFA

Microsoft’s announced changes mean it’s out with the old and in with the new; goodbye basic authentication, hello multi-factor authentication (MFA).

Of course, this comes with challenges of its own – namely, encouraging users to adopt MFA with methods such as the Microsoft Authenticator app. To maximise success, customers need to know ahead of time what their MFA uptake is like across the organisation. That way, they can ride out the transition with ease, and lay the foundation for a more secure future.

Providing an idea of where the organisation isn’t making the most of MFA will allow partners to support greater security uptake in their customers, while also giving them the intelligence to recommend decisive actions.

Everybody Needs to Address Security Risks and Governance

If there’s one major lesson to come out of Microsoft’s announcement, it’s this: understanding the current state of an organisation’s security keeps customers in control, which in turn enables them to implement the measures that minimise risk.

Creating visibility and transparency to build accountability, understanding, and action will be crucial for partners. From this vantage point, it’s far easier to remediate customer security concerns and help them to build the insights they need to keep everybody secure and on the same page moving forward.

If all of these insights sound like an impossible dream, don’t fret: Surveil can surface deep insights from M365 and Azure environments, offering partners and customers the opportunity to improve Secure Scores, liberate resources for reinvestment, and identify the gaps in identity management putting them at risk.

With or without Surveil’s insights, it’s important for partners to support and educate their customers on Microsoft’s basic authentication retirement. From here, they can guide customers in implementing a bright, secure future without a poor password in sight.

Does transparency and easy access to deep Microsoft insights sound good to you? Let’s talk.

Related articles