CISA Urges Switch to Microsoft Exchange Online Modern Authentication: What You Need to Know

On June 28, 2022, the Cybersecurity & Infrastructure Security Agency (CISA) released an advisory stressing that government agencies and private sector organizations using Microsoft Exchange’s cloud email platform should expedite switching from Basic Authentication legacy methods without multifactor authentication (MFA) support to Modern Authentication alternatives.

What’s the difference between Basic and Modern Authentication?

Basic Authentication (proxy authentication) uses an HTTP-based authentication scheme, which sends credentials in plain text to servers, endpoints or online services. Modern Authentication (Active Directory Authentication Library and OAuth 2.0 token-based authentication) uses OAuth access tokens with a limited lifetime and cannot be reused to authenticate on any other resources besides the ones for which they were specifically issued.

Applications that use Basic Authentication can allow an attacker to capture credentials in man-in-the-middle attacks over transport layer security (TLS). Additionally, MFA is much more complicated to configure within Basic Authentication, which may lead to misconfigurations or a lack of any configurations.

Isn’t Microsoft disabling Basic Auth soon?

Microsoft had announced in September 2021 that they would be disabling Basic Authentication in Exchange Online for all tenants starting Oct. 1, 2022. However, CISA urges you to act sooner.

What is Nuspire doing?

Nuspire is currently utilizing Modern Authentication as recommended by Microsoft and CISA.

What should I do?

Nuspire recommends organizations using Basic Authentication should plan to migrate to Modern Authentication as soon as feasible. Administrators can use CISA’s advisory for resources and technical guidance on how to make the switch to Modern Authentication and block Basic Authentication.