

Closing Off Potential Vulnerabilities

Closing off basic authentication for Autodiscover will eliminate another potential vulnerability for attackers to exploit. Autodiscover will continue to function perfectly well, but only with connections that use modern authentication.

Microsoft introduced Autodiscover in Exchange 2007 to help Outlook clients configure user profiles automatically by “discovering” the services Exchange offered to clients. The services include public folders, alternative (shared) mailboxes, the offline address book (OAB), and calendar free/busy (availability). Today, the range of clients that support Autodiscover includes the Outlook family, mobile email apps using Exchange ActiveSync (EAS), and apps using Exchange Web Services (EWS). Other Microsoft 365 services (like Teams) also consume Autodiscover, and it’s important to configure the service correctly to make sure that clients can find published services efficiently. With the deprecation of basic authentication for protocols like EAS and EWS, it doesn’t make sense to allow clients to continue sending username and password credentials to Autodiscover.

Next Step in the Fight Against Basic Authentication

Flush with the success of stopping millions of tenants from using basic authentication for email connectivity, Microsoft announced that Autodiscover is the next target in the process of removing basic authentication from Exchange Online. The November 16 announcement and November 17 message center notification (MC467901) both contain a simple message: using basic authentication for Autodiscover is unnecessary after email clients move to modern authentication, so Microsoft will disable basic authentication for the Autodiscover protocol.

Turning off Basic Authentication Has an Effect.

