Basic Authentication to no longer be available for Microsoft customers from the end of September

Microsoft is disabling Basic Authentication and moving standards towards Zero Trust. 

Microsoft has announced that Basic Authentication – a holdover from older verification standards on the internet – will be switched off on the 1st of October 2022. Companies and systems still relying on it will find themselves scrambling to switch to newer standards adhering to the Zero Trust concept. At TECH-ARROW, we already use Zero Trust, and are ready to bring our clients through this transition to a safer and more secure internet. With contentACCESS, you can use two-factor authentication and OAuth2 protocols to better protect your company information and your archived data.

Administrators who currently use Basic Authentication in Exchange Online should expect the final deactivation to happen at any time from October 1, 2022, and that no exceptions will be made for individual tenants.

Zero Trust – What is it, how does it work, and why is it important for your business?

Zero Trust, as a security model, is a framework built around the concept of “never trust, always verify”: it demands more rigorous standards for checking certificates and identity, whether or not a device is on a theoretically trusted network. The framework, as established by the National Cyber Security Centre, includes the following principles:

The network is hostile

Earlier security frameworks treated networks as a safe environment; devices connected within the closed network were viewed with inherent trust. Under Zero Trust, the assumption is reversed. Just because a device is present on your network does not mean it is trusted, and just because a device is trusted does not mean it should receive access to all of the network’s data. When on a closed network, connection attempts from a non-recognized device are automatically denied.

The user must be authenticated

Under Basic Authentication, users authenticate in a single step, usually a password, to verify their identity and thereby their right to access information. This approach is no longer considered sufficient; Zero Trust requires more robust verification of user identity, including but not limited to extensive use of Multifactor Authentication (MFA).

Additional context, such as policy compliance and device health, must be taken into account

The scrutiny applied to login and access attempts has to be determined by their context and scaled accordingly: how much confidence you need before trusting a connection depends on the value of the data being accessed or the impact of the action being requested.

[Figure: Zero Trust diagram. Image sourced from Microsoft Devblogs]

Microsoft has its own framework, which adds several provisions to the NCSC one, the most important being a focus on minimizing the “blast radius.” On the assumption that a breach will inevitably occur, Microsoft recommends implementing so-called just-in-time and just-enough-access (JIT/JEA). In this way, whenever an outer layer of security is compromised, a relatively smaller volume of business information is exposed.

The Zero Trust model therefore aims to raise security beyond the level of previous models, which depended on simple passwords (which, if compromised, gave malicious actors access to all the protected data) and certificate chains.

Protect your archived business data with contentACCESS Archive

TECH-ARROW’s contentACCESS already employs a Zero Trust framework, thanks to our implementation of the OAuth 2.0 authorization protocol. This more robust process helps ensure that client information held in their archives is protected from compromise while remaining readily accessible when needed.

OAuth 2.0 follows this general flow:

  1. The client requests authorization from an Authorization server
  2. The Authorization server verifies the client and user, and verifies that their request is within the scope of their permissions
  3. The Authorization server connects to the Resource owner in order to grant access
  4. The Authorization server redirects back to the client and issues an access token
  5. The client connects to the Resource owner, which verifies the access token, and allows access to the desired resource

[Figure: OAuth 2.0 diagram. Image sourced from Business2Community]

The key part of this process is that every login is verifiable. Every link in the chain states who it is, on whose behalf it is acting, and what concrete permissions it has been granted. Token exchanges can also carry policies on expiry periods, letting companies and organizations fine-tune their security further.
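The flow above, as an added illustration that is not TECH-ARROW's or Microsoft's code: a minimal Python model of the token minted at step 4 and checked at step 5, showing how the resource side verifies who is acting, on whose behalf, with which scope and until when, and refuses the legacy Basic scheme outright. The signing key, issuer and audience URLs, client and scope names are constructed assumptions, and a shared HMAC key stands in for the authorization server's real (normally asymmetric) signature.

```python
import base64, hashlib, hmac, json, time

# Constructed assumptions for the demo: a shared HMAC key stands in for the
# authorization server's signing key, and the issuer/audience are placeholders.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
ISSUER = "https://auth.example.test"
AUDIENCE = "https://archive.example.test"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(body: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())

def issue_token(client_id, user, scopes, ttl_seconds, now=None):
    """Authorization server side (step 4): mint a token recording who acts
    (client_id), on whose behalf (sub), with which permissions (scope) and
    until when (exp)."""
    now = int(time.time() if now is None else now)
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": user, "client_id": client_id,
              "scope": " ".join(scopes), "iat": now, "exp": now + ttl_seconds}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    return f"{body}.{_sign(body)}"

def verify_token(token, required_scope, now=None):
    """Resource side (step 5): reject tampered, foreign, expired or
    under-scoped tokens before granting access. Returns (ok, reason, claims)."""
    now = time.time() if now is None else now
    body, _, sig = token.partition(".")
    if not sig or not hmac.compare_digest(sig, _sign(body)):
        return False, "bad signature", None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return False, "wrong issuer or audience", None
    if now >= claims["exp"]:
        return False, "expired", None
    if required_scope not in claims["scope"].split():
        return False, "insufficient scope", None
    return True, "ok", claims

def authorize_request(auth_header, required_scope, now=None):
    """Only Bearer tokens are accepted; the legacy Basic scheme is refused."""
    scheme, _, value = auth_header.partition(" ")
    if scheme.lower() != "bearer":
        return False, f"unsupported scheme: {scheme}", None
    return verify_token(value, required_scope, now)
```

Passing a fixed `now` lets the expiry check be exercised deterministically; a real resource server would use the current clock and a key published by the authorization server.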

As Microsoft continues to push for stronger standards, its requirements will likely only become more stringent. Companies whose products are out of date and coasting along on older standards will find themselves cut off and scrambling to catch up as those standards are taken offline, and their own clients may be left unprotected.

TECH-ARROW prides itself on ensuring that our clients are provided the best protection and experience possible. Our Zero Trust-adherent contentACCESS archive and backup has a proven track record of keeping archived data safe, secure, and ready for continued access and work. Why risk being left behind? If you are ready to take the next steps in future-proofing your company, contact us and we can set up a virtual meeting to discuss your way forward.


Take the best steps to protect your data – with TECH-ARROW.

by Matúš Koronthály

Source: Microsoft.com