Skip to main content

Microsoft has begun doing what they said they would do nearly two years ago—disabling basic authentication in 365. This is a welcome change for the security of Microsoft’s cloud-based applications and systems. Still, there could be effects from Microsoft’s disabling of basic authentication in 365 that users may need to prepare for and adjust to. For some users, their first question may be: what exactly is basic authentication? Even further, what security risks does basic authentication pose and how does this change affect the functionality and usability of 365? Read on to learn more.

What Is Basic Authentication and How Was It Used in 365?

Basic authentication, also called legacy authentication, is an industry-standard that used to widely used on servers and technology services. With basic authentication, when a user engages with an application, they’re prompted to enter their username and password. This is no different for 365.

Users would be prompted to enter a username and password when they requested to use 365. Additionally, at many organizations, it isn’t uncommon for a user’s username and password to even be stored on the user’s device for easier and quicker authentication.

Why Is Basic Authentication Being Removed?

Each time a request is made by the server, system, or application, a user’s login credentials are transmitted over the Internet. Basic authentication, while a convenience for users, could be a gold mine for hackers and a major risk to the security of your organization’s network.


Organizations that only require basic authentication for widespread use in their systems and applications are at risk of being exposed to data breaches. Any valuable organization information and, especially, personally identifiable information (PII) that’s stored on your systems could be obtained by hackers. This represents a huge security risk – and a risk that, if borne out, could expose your organization to significant liability.

Target for Hackers

Unauthorized and malicious actors can obtain access to your O365 account by grabbing your username and password credentials. Even worse, because many users often use the same credentials across multiple servers and applications, maligned actors can use these credentials to access users’ personal data and information elsewhere.

By disabling basic authentication in 365, users’ accounts will be more secure, and your systems and applications will be required to use stronger authentication protocols, such as modern authentication and multifactor authentication (MFA).

Speaking of MFA, basic authentication doesn’t support MFA. Some organizations have the more secure, MFA enabled on their systems and in their applications, including 365. But if these organizations also have basic authentication enabled, malicious actors can steal a user’s password via phishing or other hacking methods and can bypass the organization’s MFA controls entirely to breach the user’s email account.

What Will Be the Impact of Disabling Basic Authentication in 365?

Instead of requiring basic authentication, 365 will now require modern authentication. Modern authentication, dubbed OAuth 2.0, uses access tokens that are time-limited and not reusable.

If your systems and applications haven’t been adjusted to adapt to this change, users at your organization could face a rocky road filled with disruptions. Microsoft’s disabling of basic authentication – while it improves security — means that if your organization’s system or applications are using this protocol, they may no longer be functional. In a phrase, they won’t work.

What Should Companies Do Now?

The deadline for existing tenants to transition their organization’s operating systems and applications that use basic authentication is fast approaching: October 1, 2022. You should review your organization’s authentication protocols for your systems and the applications used by your organization users. This can be easily determined by obtaining a Sign-In report through Microsoft’s Azure Active Directory. If your organization’s systems and applications use basic authentication, you’ll need to have your IT professionals or managed service provider (MSP) enable modern authentication methods for use on your systems and in your applications.

Contact Cyber74

While Microsoft has disabled basic authentication in 365 for new tenants, many businesses still use this outdated protocol in other applications and their systems. This could be a risk to a business’ data and, ultimately, the security and health of their business. At Cyber74, we offer full cybersecurity solutions for your business needs. We can help assess the risks posed to your business’ security, like the use of basic authentication, and offer you the best solutions to mitigate those risks. Contact us for help securing your IT infrastructure.

Chardae Mobley

Chardae´ Mobley is a Technical Writer who strives to explain complicated concepts and technical information to general audiences. Her strengths are in technical writing, analysis, attention to detail, and project organization. She's also skilled in creating content for use in marketing with the goal of increasing traffic and sales through using search engine optimization techniques. Chardae` has frequently collaborated with subject matter experts in various industries, including technology, cybersecurity, and law. She also does volunteer work as a Content Strategist and Manager – developing and writing content for targeted use as technology-career resources and materials for veterans and military spouses.