VBO365 - Microsoft is already disabling Basic Authentication (Legacy Protocol)


Userlevel 7
Badge +6

It’s not big news that Microsoft is going to disable Basic Authentication in October 2022. Thanks to @Mildur we already know that :grin:

What I didn’t get at that time, Microsoft is already randomly disabling Basic Authentication for customers/tenants; of course only if Basic Authentication isn’t used at all.

The process is: We’ll randomly select customers with no usage in any, or all affected protocols, send them a Message Center post informing them that in 30 days we’re going to turn off Basic Auth. 30 days later, we’ll turn it off and send another Message Center post to confirm it was done. Customer protected... check!

https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-june-2021-update/ba-p/2454827

The Story

Not that bad if you don’t use Basic Authentication, but I did run into a problem with that. I was able to successfully setup Veeam Backup for Office365 with Legacy protocols (Publicfolders :disappointed_relieved: )and after a week it suddenly stopped working; all Authentication failed with HTTP 401 or HTTP 403. After not being able to find any problems I contacted Veeam support and received the link above.

So according to the FAQ you can check via the Exchange Online PowerShell if your affected :”Get-OrganizationConfig -BasicAuthBlockedApps”. And Bingo, the result was “255” which means that something happened to the Basic Protocols.

We’ve added a new org level parameter that can be set to turn Basic Auth on or off for individual protocols within a tenant. Admins can view the parameter (-BasicAuthBlockedApps) using Get-OrganizationConfig. It’s not something you can change, and the values we store in there aren’t very user friendly, but luckily Exchange Online knows how to read and enforce them. A value of Null there means we’ve not touched your tenant. A value other than Null means we have, and the diagnostic is the way to determine what is disabled there.

 

Re-Enable Basic Authentication

With the self-help diagnostic phrase “Diag: Enable Basic Auth in EXO” you should be able to re-enable the disabled protocols/authentication, but in our case it didn’t show up in the Microsoft 365 admin center. So Microsoft Support was the next contact. They’ve had to change/push something in the backend in order to let the self-help diagnostic appear. And after that we were able to enable Basic Authentication and Veeam Backup worked again :grinning:

If Microsoft decides to disable Basic Authentication for your tenant, you will receive a notification in the message center 30 days before they disable it. BUT! if during the 30 day windows you decided to use this authentication, it won’t stop the process and Microsoft will still proceed and disable it.

Final Note

One finale note, which I discovered in the blog post from @Mildur. Microsoft will start at the beginning of 2022 to disable Basic authentication for 12-48 hours, even if you use it. So if you start wondering why some Apps or VBO fail for a certain time, you will now know why :joy:

IMPORTANT: Beginning early 2022, we will selectively pick tenants and disable Basic Auth for all affected protocols except SMTP AUTH for a period of 12-48 hours. After this time, Basic Auth for these protocols will be re-enabled, if the tenant admin has not already re-enabled them using our self-service tools.

 


11 comments

Userlevel 7
Badge +6

Yeah, first tenant now with this issue :joy:

Same value “255”

I'm sure we'll see more and more in the next time, at least of you still need to go with legacy till October...😬

Userlevel 7
Badge +4

Yeah, first tenant now with this issue :joy:

Same value “255”

Userlevel 7
Badge +2

@MicoolPaulI’ll have to take it back...today it took 1-2h until the legacy authentication worked again after running the self-help diagnostic :rolling_eyes:

By the way, if found your blog post regarding the teams header and forwarded it internally; thanks for bringing it to our attention :wink:

Thanks @regnor and doubly so for the basic auth mention again, I’ve started telling every customer to expect bad times in the new year.

 

@Rick Vanover would Veeam consider a KB on this? I’m for seeing 2022 being littered with disruptive basic auth issues for Exchange 😩 and as we know it’s not yet possible for all functionality via modern auth only yet!

I will ask KB if a KB is fitting!

Userlevel 7
Badge +6

@MicoolPaulI’ll have to take it back...today it took 1-2h until the legacy authentication worked again after running the self-help diagnostic :rolling_eyes:

By the way, if found your blog post regarding the teams header and forwarded it internally; thanks for bringing it to our attention :wink:

Thanks @regnor and doubly so for the basic auth mention again, I’ve started telling every customer to expect bad times in the new year.

 

@Rick Vanover would Veeam consider a KB on this? I’m for seeing 2022 being littered with disruptive basic auth issues for Exchange 😩 and as we know it’s not yet possible for all functionality via modern auth only yet!

Userlevel 7
Badge +6

@MicoolPaul I’ll have to take it back...today it took 1-2h until the legacy authentication worked again after running the self-help diagnostic :rolling_eyes:

By the way, if found your blog post regarding the teams header and forwarded it internally; thanks for bringing it to our attention :wink:

Userlevel 7
Badge +6

@Nico Losschaert Well, they're announcing the change...but I'm not sure if every customer reads the blog posts from Microsoft, or, as in my case, reads all details 🤭 It would be a great idea to subscribe to the message center, but who can keep up with those huge amount of mails🤷‍♂️

@MicoolPaul It sounds like a joke, doesn't it?! But something positive, with the self-help diagnostics you can enable the authentication in just a few minutes; well if it shows up in the helpcenter…

Do you have any details on the Teams issue? I don't do much with it, but I couldn't find anything on it.

Userlevel 7
Badge +6

Thanks for sharing, that final note you mention is absolutely shocking @regnor, we talk about Microsoft having to provide SLAs of the service, but IMO this is SLA impacting. No news on how quick re-enabling basic auth will take either as these things can take hours.

 

They're doing this in the Unified Comms world too. Direct Routing with Teams will start to break next month unless you omit a specific header that they’ve allowed for years… Don’t they know that December should be a change freeze month!

Userlevel 7
Badge +5

Thx @regnor for this. Again, great from Microsoft :wink: : they think of something and just begin to change without the open communication in advance...

Userlevel 7
Badge +4

Thanks @regnor 

I have onboarded 2 customers today to our service. One with legacy protocols enabled (public folder). Luckily basic auth wasn‘t disabled yet.

Then better check the message center; or else you could get a surprise in a few days 😅

Yeah, i will check my backup jobs and the message center tomorrow.😂

Userlevel 7
Badge +6

Thanks @regnor 

I have onboarded 2 customers today to our service. One with legacy protocols enabled (public folder). Luckily basic auth wasn‘t disabled yet.

Then better check the message center; or else you could get a surprise in a few days 😅

Userlevel 7
Badge +4

Thanks @regnor 

I have onboarded 2 customers today to our service. One with legacy protocols enabled (public folder). Luckily basic auth wasn‘t disabled yet.

Comment