VBO365 - Microsoft is already disabling Basic Authentication (Legacy Protocol)


Userlevel 7
Badge +12
  • On the path to Greatness
  • 1273 comments

It’s not big news that Microsoft is going to disable Basic Authentication in October 2022. Thanks to @Mildur we already know that :grin:

What I didn’t get at that time, Microsoft is already randomly disabling Basic Authentication for customers/tenants; of course only if Basic Authentication isn’t used at all.

The process is: We’ll randomly select customers with no usage in any, or all affected protocols, send them a Message Center post informing them that in 30 days we’re going to turn off Basic Auth. 30 days later, we’ll turn it off and send another Message Center post to confirm it was done. Customer protected... check!

https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-june-2021-update/ba-p/2454827

The Story

Not that bad if you don’t use Basic Authentication, but I did run into a problem with that. I was able to successfully setup Veeam Backup for Office365 with Legacy protocols (Publicfolders :disappointed_relieved: )and after a week it suddenly stopped working; all Authentication failed with HTTP 401 or HTTP 403. After not being able to find any problems I contacted Veeam support and received the link above.

So according to the FAQ you can check via the Exchange Online PowerShell if your affected :”Get-OrganizationConfig -BasicAuthBlockedApps”. And Bingo, the result was “255” which means that something happened to the Basic Protocols.

We’ve added a new org level parameter that can be set to turn Basic Auth on or off for individual protocols within a tenant. Admins can view the parameter (-BasicAuthBlockedApps) using Get-OrganizationConfig. It’s not something you can change, and the values we store in there aren’t very user friendly, but luckily Exchange Online knows how to read and enforce them. A value of Null there means we’ve not touched your tenant. A value other than Null means we have, and the diagnostic is the way to determine what is disabled there.

 

Re-Enable Basic Authentication

With the self-help diagnostic phrase “Diag: Enable Basic Auth in EXO” you should be able to re-enable the disabled protocols/authentication, but in our case it didn’t show up in the Microsoft 365 admin center. So Microsoft Support was the next contact. They’ve had to change/push something in the backend in order to let the self-help diagnostic appear. And after that we were able to enable Basic Authentication and Veeam Backup worked again :grinning:

If Microsoft decides to disable Basic Authentication for your tenant, you will receive a notification in the message center 30 days before they disable it. BUT! if during the 30 day windows you decided to use this authentication, it won’t stop the process and Microsoft will still proceed and disable it.

Final Note

One finale note, which I discovered in the blog post from @Mildur. Microsoft will start at the beginning of 2022 to disable Basic authentication for 12-48 hours, even if you use it. So if you start wondering why some Apps or VBO fail for a certain time, you will now know why :joy:

IMPORTANT: Beginning early 2022, we will selectively pick tenants and disable Basic Auth for all affected protocols except SMTP AUTH for a period of 12-48 hours. After this time, Basic Auth for these protocols will be re-enabled, if the tenant admin has not already re-enabled them using our self-service tools.

 


20 comments

Userlevel 7
Badge +12

Thanks @regnor 

I have onboarded 2 customers today to our service. One with legacy protocols enabled (public folder). Luckily basic auth wasn‘t disabled yet.

Userlevel 7
Badge +12

Thanks @regnor 

I have onboarded 2 customers today to our service. One with legacy protocols enabled (public folder). Luckily basic auth wasn‘t disabled yet.

Then better check the message center; or else you could get a surprise in a few days 😅

Userlevel 7
Badge +12

Thanks @regnor 

I have onboarded 2 customers today to our service. One with legacy protocols enabled (public folder). Luckily basic auth wasn‘t disabled yet.

Then better check the message center; or else you could get a surprise in a few days 😅

Yeah, i will check my backup jobs and the message center tomorrow.😂

Userlevel 7
Badge +11

Thx @regnor for this. Again, great from Microsoft :wink: : they think of something and just begin to change without the open communication in advance...

Userlevel 7
Badge +20

Thanks for sharing, that final note you mention is absolutely shocking @regnor, we talk about Microsoft having to provide SLAs of the service, but IMO this is SLA impacting. No news on how quick re-enabling basic auth will take either as these things can take hours.

 

They're doing this in the Unified Comms world too. Direct Routing with Teams will start to break next month unless you omit a specific header that they’ve allowed for years… Don’t they know that December should be a change freeze month!

Userlevel 7
Badge +12

@Nico Losschaert Well, they're announcing the change...but I'm not sure if every customer reads the blog posts from Microsoft, or, as in my case, reads all details 🤭 It would be a great idea to subscribe to the message center, but who can keep up with those huge amount of mails🤷‍♂️

@MicoolPaul It sounds like a joke, doesn't it?! But something positive, with the self-help diagnostics you can enable the authentication in just a few minutes; well if it shows up in the helpcenter…

Do you have any details on the Teams issue? I don't do much with it, but I couldn't find anything on it.

Userlevel 7
Badge +12

@MicoolPaul I’ll have to take it back...today it took 1-2h until the legacy authentication worked again after running the self-help diagnostic :rolling_eyes:

By the way, if found your blog post regarding the teams header and forwarded it internally; thanks for bringing it to our attention :wink:

Userlevel 7
Badge +20

@MicoolPaulI’ll have to take it back...today it took 1-2h until the legacy authentication worked again after running the self-help diagnostic :rolling_eyes:

By the way, if found your blog post regarding the teams header and forwarded it internally; thanks for bringing it to our attention :wink:

Thanks @regnor and doubly so for the basic auth mention again, I’ve started telling every customer to expect bad times in the new year.

 

@Rick Vanover would Veeam consider a KB on this? I’m for seeing 2022 being littered with disruptive basic auth issues for Exchange 😩 and as we know it’s not yet possible for all functionality via modern auth only yet!

Userlevel 7
Badge +10

@MicoolPaulI’ll have to take it back...today it took 1-2h until the legacy authentication worked again after running the self-help diagnostic :rolling_eyes:

By the way, if found your blog post regarding the teams header and forwarded it internally; thanks for bringing it to our attention :wink:

Thanks @regnor and doubly so for the basic auth mention again, I’ve started telling every customer to expect bad times in the new year.

 

@Rick Vanover would Veeam consider a KB on this? I’m for seeing 2022 being littered with disruptive basic auth issues for Exchange 😩 and as we know it’s not yet possible for all functionality via modern auth only yet!

I will ask KB if a KB is fitting!

Userlevel 7
Badge +12

Yeah, first tenant now with this issue :joy:

Same value “255”

Userlevel 7
Badge +12

Yeah, first tenant now with this issue :joy:

Same value “255”

I'm sure we'll see more and more in the next time, at least of you still need to go with legacy till October...😬

Userlevel 7
Badge +12

While I don’t want to push my own topic...today I’ve had the luck to experience one of those random cases where Microsoft disables basic authentication. The weekend backup was working and today the job ended with some HTTP 403; “Diag: Enable Basic Auth in EXO” showed that basic authentication had been disabled for the EXO powershell. Re-Enabled it and the backup was working again...🙄

Userlevel 7
Badge +20

Appreciate you sharing this @regnor its a pain that Microsoft is taking the chaos monkey approach to this, would be better if Microsoft respected that corporations aren’t play toys, if an organisation did this to Microsoft you bet they’d have legal involved for causing unnecessary interruption to BAU.

 

It honestly wouldn’t surprise me if there was an unwritten rule of no orgs more than X seat count to prevent upsetting the bigger companies, purely speculation, but it would make sense.

Userlevel 7
Badge +12

Sound possible. Microsoft sure doesn't want to mess with the big enterprises. 🤔

Userlevel 7
Badge +13

While I don’t want to push my own topic...today I’ve had the luck to experience one of those random cases where Microsoft disables basic authentication. The weekend backup was working and today the job ended with some HTTP 403; “Diag: Enable Basic Auth in EXO” showed that basic authentication had been disabled for the EXO powershell. Re-Enabled it and the backup was working again...🙄

Thanks for sharing your experience @regnor , we’ll see what gonna happen in next months...

Userlevel 7
Badge +12

Looks like Microsoft released a Microsoft Docs article 1 week ago about the upcoming changes to Basic Auth. I‘m not sure if it was available already, just found it yesterday.

 

https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online

 

Userlevel 7
Badge +20

Great spot @Mildur, one scan of that link shows how far reaching this is gonna be!

Userlevel 7
Badge +12

Thanks for sharing @Mildur.

This issue can be affected using Modern Authentication with Legacy Authentication Protocols?

Userlevel 7
Badge +12

@jcunha 

Yes. 

Legacy Auth is also called Basic Auth.

Comment