Microsoft started disabling basic authentication support for Exchange Online customers in October. The company announced yesterday that it will be discontinuing Basic Authentication for the Autodiscover service on December 31, 2022.
The Autodiscover protocol allows client applications to retrieve the configuration information needed to communicate with the Exchange Server. It is used by Outlook, Exchange ActiveSync, and other Exchange Web Services (EWS) clients.
For example, the protocol is called when a user adds a new Exchange account to Microsoft Outlook. The user provides their email address and password, and Outlook uses Autodiscover to retrieve any other details needed to set up the client.
Last year, security researchers discovered a design flaw in the Autodiscover protocol that allowed attackers to collect domain credentials. Microsoft claims this upcoming change should help secure customers’ accounts and sensitive information.
Preparing for the deprecation of the Autodiscover protocol in Exchange Online
However, it is important to note that Microsoft is not deprecating the Autodiscover protocol itself. This change only removes the ability for users to authenticate to the protocol through insecure methods such as Basic authentication, which sends a username and password with each request.
“We will start immediately with the tenants who are not using Basic authentication at all in 2022, and in early 2023 (as Basic authentication for related protocols is permanently disabled), we will continue with everyone else. If you’ve re-enabled Basic authentication in your tenant, or taken the option to request more time, we’ll disable Basic authentication for Autodiscover after that extension expires. It will take a few weeks for this change to take effect. No tenant will be excluded,” explains the Exchange team.
Microsoft notes that customers cannot re-enable Basic authentication for Autodiscover for end users in their tenants. The company recommends that IT admins plan their deprecation process to avoid workflow disruptions.
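For admins planning that process, the following is an added example (not from the article or from Microsoft's own guidance) of auditing and enforcing the Autodiscover setting ahead of the cutover with Exchange Online PowerShell. It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds Exchange administrator rights; the policy name "Block Basic Auth" is a placeholder.

```powershell
# Added example: audit and proactively block Basic authentication for
# Autodiscover in an Exchange Online tenant before Microsoft disables it.
# Assumes the ExchangeOnlineManagement module and an Exchange admin account.
Connect-ExchangeOnline

# 1. Audit: list every authentication policy and whether it still allows
#    Basic auth for Autodiscover and the related client protocols.
Get-AuthenticationPolicy |
    Format-Table Name, AllowBasicAuthAutodiscover, AllowBasicAuthOutlookService,
                 AllowBasicAuthWebServices, AllowBasicAuthActiveSync -AutoSize

# 2. Create a policy that blocks Basic auth. Newly created policies block
#    Basic auth for every protocol by default; the explicit switch below
#    documents the Autodiscover intent and corrects any earlier re-enable.
$policyName = "Block Basic Auth"   # placeholder name
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}
Set-AuthenticationPolicy -Identity $policyName -AllowBasicAuthAutodiscover:$false

# 3. Make it the tenant default so mailboxes without an explicit policy inherit it.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# 4. Confirm the tenant default and the Autodiscover setting.
Get-OrganizationConfig | Select-Object DefaultAuthenticationPolicy
Get-AuthenticationPolicy -Identity $policyName |
    Select-Object Name, AllowBasicAuthAutodiscover

Disconnect-ExchangeOnline -Confirm:$false
```

Run the audit step first on its own and review Azure AD sign-in logs for clients still using Basic authentication, so that legacy Outlook or EWS clients are migrated before the policy is enforced.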