  • iamdevpatel58

Deprecation Of Basic Authentication In Microsoft 365. What To Do Next?

Microsoft has deprecated (disabled) Basic Authentication in Microsoft Dynamics 365 for some specific protocols. Planning for this deprecation began in September 2021, and since then Microsoft has continued to alert and warn customers to move away from this type of authentication.


The rationale behind this move is the increasing sophistication of cyber attackers in data theft and hacking. This is more pertinent for remote and hybrid workers who dabble between offline and online systems on a daily basis.

Moreover, Basic Authentication is one of the oldest methods, filled with security flaws. The implementation of the new system got postponed due to the pandemic; the same situation also motivated Microsoft to take quick action.

Starting in October 2022, Microsoft disabled basic authentication, and it will affect a few systems. For those who have not made the switch, let’s see their options after the deprecation.

Which Protocols and Services are Affected?

The following protocols and services will run with basic authentication disabled:

  • MAPI

  • RPC

  • Offline Address Book (OAB)

  • Exchange Web Services (EWS)

  • POP

  • IMAP

  • Exchange ActiveSync (EAS)

  • Remote PowerShell

Users working with any of these protocols and services need to make the shift to modern authentication. Microsoft has been working with its partners to disable basic authentication and help them move to modern authentication. Modern authentication here means OAuth 2.0 token-based authentication, which provides stronger protection against attacks and threats.

Introducing Modern Authentication

Modern authentication represents a cluster of different protocols working together to enhance the security of a system or resource. Whether the resource is an IMAP connection delivering email to Outlook or a cloud-based service, modern authentication is applicable to a wide range of solutions. Examples of modern authentication are:

  • OAuth

  • SAML

  • WS-Federation

The working mechanism of each of these systems is different, but their purpose is the same: to shift from a simple ID and password authentication system to a token-based claims system.

Basically, these systems generate a token that establishes the identity of the user. The tokens also carry information about the user's access permissions, and they can be revoked.

Consider it like this: once you enter your house, you have access to the rooms, washrooms, balconies, and everything else in it. But when you stay at a hotel, which gives you keycard access, you can only access the areas that your keycard can open. This includes your room, lounge, VIP room, and other common areas.

But you cannot enter other guests’ rooms. Moreover, the hotel management can also disable your keycard, restricting your access to any of the areas.

The token system is akin to the keycard system. You can attach bespoke access controls to each entity and govern its activities.

Modern authentication improves three aspects:

  1. Authentication: Users can log in to their accounts and applications to access the system within the account or portal.

  2. Authorization: This gives managers control over who can access which aspects of the solution. It gives the capability to give specific permissions and access to the users.

  3. Conditional Access: This type of access authorizes the users to enter only when they meet certain requirements.



Difference Between Basic and Modern Authentication

One of the major differences between modern and basic authentication is how the credentials travel from one endpoint to another. In basic authentication, the credentials themselves travel over the internet, and in plain text at that. This makes Basic Authentication a less secure mode of password exchange.

The passwords are carried in a Web header field with base64 encoding. Even though service providers use SSL encryption to secure the passwords, they are still susceptible to theft and unauthorized access.

Modern authentication is a more secure and comprehensive approach to identity management. The two protocols used here are ADAL (Active Directory Authentication Library) and OAuth. The critical point is that a service or system can store the credentials, but they can only authenticate them using tokens.

These security tokens, generated when a user requests access, are valid for a limited time. No user can reuse a token after it has expired. Moreover, the system administrators can also define the scope of each permission, like keycard access. This way they can easily govern which user has access to which part of the system.
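The contrast described in this section, as an added example that is not part of the original article: a Basic header gives up the password to anyone who reads it, while a token carries only identity, scope and expiry and can be refused on any of them. The signing key, account, scope names and the HMAC-signed token format are constructed stand-ins for illustration, not the format Microsoft issues.

```python
import base64, hashlib, hmac, json

SIGNING_KEY = b"demo-signing-key"  # constructed; stands in for the issuer's key

def basic_header(user, password):
    """Authorization header value sent with every Basic-authenticated request."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def decode_basic(header):
    """base64 is an encoding, not encryption: the header yields the password."""
    blob = header.split(" ", 1)[1]
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign(body):
    return b64url(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())

def issue_token(user, scopes, now, lifetime=3600):
    """Token carries identity, granted scopes and an expiry, but no password."""
    claims = {"sub": user, "scp": scopes, "exp": now + lifetime}
    body = b64url(json.dumps(claims).encode())
    return body + "." + sign(body)

def read_claims(token):
    """Decode the claims part of the token without verifying it."""
    body = token.partition(".")[0]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def authorize(token, required_scope, now, revoked=frozenset()):
    """Check signature, revocation, expiry and scope; return (allowed, reason)."""
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(sig.encode(), sign(body).encode()):
        return False, "bad signature"
    if token in revoked:
        return False, "revoked"
    claims = read_claims(token)
    if now >= claims["exp"]:
        return False, "expired"
    if required_scope not in claims["scp"]:
        return False, "scope not granted"
    return True, "ok"

if __name__ == "__main__":
    print(decode_basic(basic_header("alice@example.com", "S3cret!")))
    tok = issue_token("alice@example.com", ["mail.read"], now=1_700_000_000)
    print(authorize(tok, "mail.read", now=1_700_000_100))  # within lifetime and scope
    print(authorize(tok, "mail.send", now=1_700_000_100))  # scope was never granted
    print(authorize(tok, "mail.read", now=1_700_009_999))  # after expiry
```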

The Procedure to Switch to Modern Authentication

Depending on the protocol, the procedure to migrate to modern authentication differs.

POP, IMAP, and SMTP Auth

We need to use OAuth authentication to establish connections over POP, IMAP, and SMTP. Doing so will allow Microsoft Dynamics 365 users to access their email data. Azure Active Directory provides OAuth Authentication services. The process has three steps:

1. Register the application with Azure AD

The registration process is simple enough to understand as you move ahead. However, there are a few prerequisites, including:

  • The users need to have an Azure account with an active subscription.

  • The Azure account must have permission to manage applications in Azure AD. The roles that can have these permissions are Application Administrator, Application Developer, and Cloud Application Administrator.

The Azure account must also be configured to complete the Tenant account. For registration, as you open the Azure account, make sure to select the right tenant on which you need to register. After selecting the tenant, select Azure Active Directory, locate App Registrations in the Manage Menu, and click on New Registration.

2. Share Application Details

On the New Registration page, you need to enter the required information about the application. This includes its name and who can use the application. You can choose from four types of users:

  • Accounts in this Organizational Directory

  • Accounts in any Organizational Directory

  • Accounts in any Organizational Directory, and personal Microsoft accounts

  • Personal Microsoft accounts

In the next step, leave the Redirect URL empty and then move on to selecting Register, which completes the .
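What a mail client sends once it holds an OAuth access token for the registered application, shown as an added example that is not part of the original article: IMAP and SMTP carry the token in the SASL XOAUTH2 mechanism instead of a password. The host, account and token values are supplied by the caller and are assumptions here; obtaining the token from Azure AD is outside this sketch.

```python
import base64
import imaplib

def xoauth2_response(user, access_token):
    """Build the SASL XOAUTH2 client response: identity plus bearer token, no password."""
    for value in (user, access_token):
        # \x01 separates fields; refuse values that could smuggle in extra fields.
        if not value or any(c in value for c in "\x01\r\n"):
            raise ValueError("invalid character in XOAUTH2 field")
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode()

def parse_xoauth2(b64_blob):
    """Server-side view: decode the base64 blob back into its key/value fields."""
    fields = base64.b64decode(b64_blob).decode().rstrip("\x01").split("\x01")
    return dict(field.split("=", 1) for field in fields)

def imap_connect(host, user, access_token):
    """Open IMAP over TLS and authenticate with the token.

    imaplib base64-encodes the returned bytes itself. If the server answers
    with an error challenge, an empty reply lets it finish with a clean NO.
    """
    response = xoauth2_response(user, access_token)
    conn = imaplib.IMAP4_SSL(host)
    conn.authenticate("XOAUTH2", lambda challenge: b"" if challenge else response)
    return conn

def smtp_auth_argument(user, access_token):
    """Argument for the SMTP AUTH command, e.g. smtplib.SMTP.docmd("AUTH", arg)."""
    return "XOAUTH2 " + base64.b64encode(xoauth2_response(user, access_token)).decode()

if __name__ == "__main__":
    # Constructed sample values; nothing is sent over the network here.
    blob = base64.b64encode(xoauth2_response("alice@example.com", "SAMPLE_TOKEN"))
    print(parse_xoauth2(blob))
    print(smtp_auth_argument("alice@example.com", "SAMPLE_TOKEN"))
```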
