The Move to Modern Auth and Its Effect on Migrations

Last fall, Microsoft disabled one-source Basic Authentication (Basic Auth) for access to Exchange Online mailboxes. By the end of the year, that legacy authentication method – which has been in existence for more than 25 years – was forever disabled. Given the current state of cybersecurity threats, the move to something more secure is crucial. And that day has come. The replacement, Modern Authentication (Modern Auth), is more secure and provides a better user experience, given the distributed, federated nature of the modern web experience.

For the past two and a half decades, Basic Auth over the internet has sufficed. Barely. It was inherently insecure, relying only on a username and password to authenticate every separate server. Things improved with two-factor authentication, but Microsoft recognized the high risk associated with this legacy protocol and has, for the past several years, pushed for a shift to a more secure form of Modern Authentication.

Modern Auth still requires usernames and passwords as the first line of establishing identity, but it minimizes the number of times those credentials are exchanged or stored on separate servers with the use of tokens. It’s a significantly more secure way of confirming the identity of a user while verifying that they are authorized to access applications and resources.

Modern Auth leverages ADAL to enable applications to support a variety of sign-in capabilities, including smart card+certificate-based authentication. Notably, it supports two-factor/multi-factor authentication (2FA/MFA), which allows additional authentication factors to further establish the user’s identity.

See also: Interest in Zero Trust Explodes with Cloud Migration

A Change is Coming…And It Might Hurt

The use of the internet and cloud services has evolved in ways that Basic Auth could never have anticipated. That said, any change from a legacy standard to a more robust, modern one will involve some pain.

Modern Auth has major advantages, for which Microsoft has been banging the gong for several years. Users get a single-sign-on experience when they access multiple resources that are related – an experience that they naturally expect. Modern Auth also supports additional, extended methods for confirming user identity – especially when accessing from locations or devices that are new for that user – making it a vital tool for defending against phishing attacks that can lead to account takeovers, business email compromise, and ransomware attacks. And so much more.

Modern Auth is different from Basic Auth in several key ways. Modern Auth typically uses open standards, such as OAuth or OpenID Connect, which are more secure and flexible than the simple username-and-password approach used in Basic Auth. It also provides single sign-on and multi-factor authentication capabilities, which are not available in Basic Auth. Modern Auth also allows users to access protected resources or services using a variety of devices and platforms and enables developers to implement custom authentication flows and policies. In contrast, Basic Auth is limited to simple authentication scenarios and is less secure and flexible than Modern Auth. 

Deprecating and disabling Basic Auth in favor of Modern Auth will take some time and patience. Initially, some things won’t work properly, including third-party software applications that rely on Microsoft’s tenant for Basic Auth to run as intended. Once pieces are removed, there will be breakage. Microsoft has been pushing the move for some time and finally had to simply rip the Band-Aid off, inflaming a lot of skinned knees. But in the end, Basic Authentication no longer had the muscle to guarantee security.

Some workloads and tenants, like Exchange Email and other mail products, including archive mail (but not so much traditional SMTP mail protocol), will be significantly affected. Others, such as Teams, SharePoint, and OneDrive, have already moved to Modern Authentication, so there are no issues there.

See also: Cloud Security 101: Overcoming User Level Misconfiguration

In the Hands of IT Pros

But there are steps IT pros should be taking to pave the way for a smoother transition. Communication is key. This changeover will not necessarily affect everyday users, who’ve gradually become more acclimated to it via the increasingly prevalent two-factor authentication. It will be increasingly incumbent on IT teams to communicate openly and honestly about what’s happening, what the transition looks like, and what it means. It’s more about IT professionals needing to update systems and making sure everything is running properly so that the tenant can communicate back and forth.

It does beg the question as to whether all migration tools support Modern Auth. The answer is simply no. Some tools will be left by the wayside because the technical debt for them will be too great. If they decide supporting Modern Auth is too great an expense, companies will simply cut their losses and move on. Typically, these are organizations that have multiple business units and ventures, such as cybersecurity or backup, cloud backup, and the like.

It’s safe to say that 20% to 30% of lower-tier companies that are not generating enough revenue will not make it through the cut. The larger players who dominate this space and who basically acquire independent migration tool companies to build bigger portfolios of those organizations will update their protocols to make this work. They will likely cut their migration tools loose and move to a different business model.

As a result, IT professionals should re-evaluate current licenses and double-check that their migration solutions support Modern Auth. If they don’t, professionals should research and adopt a migration tool that does. By adopting a migration tool that supports Modern Auth, major setbacks can be avoided during a migration.

Deploying Modern Auth: The Migration Obstacles

Appropriately planning for this next transition phase is critical. With the impending deadline, in six months or even a year, the global transition will have occurred, and many organizations will be done with it. But if you’re planning an Exchange Online migration and you have not done it since Microsoft implemented this change, allow extra time to make sure your source and destination are where they need to be.

Ensure that all your planning stages have been thoroughly outlined to certify that you are on track to execute the cut-over and avoid any issues and problems. Plan early, do the necessary due diligence, and make sure that everything is set up for success.

Even with good planning, migration obstacles will still exist, including tools not working and issues with migrating pieces and destinations not accepting the new data. Ensure that the Modern Authentication is installed at both ends and that your specific migration tool or tools are able to connect to both the source and destination. It will be a key aspect of moving that data.

Currently (after December 31, 2022), all bets are off for a short-term retro-use of Basic Authentication. For some tools, there can be a set number of steps to enter into advanced options to ensure they are checked and enabled. As long as they are enabled, those aspects of migration should operate as prescribed.

The death – hopefully quickly – of Basic Authentication has been coming for a number of years, and the rise of Modern Authentication is widely heralded as necessary and welcome for migration vitality and security. Essentially it’s an arms race for that security as we up the ante for the future. Getting through the Band-Aid moment will hurt, but when it’s done, the healing will start, hopefully signaling a new era of usernames, passwords, and tokens, new security technologies like thumb readers and facial recognition already showing up on various devices, and other innovations. It’s a significant step toward making all our data and migrations more secure.