Microsoft last year said that it was putting off the next version of Exchange Server until the second half of 2025 so engineers could continue bulking up the security of a product that has become a popular target of cybercriminals.
In the meantime, Redmond is turning its attention to keeping its current Exchange Server 2019 offering as secure as possible. Right now that means transitioning purely on-premises environments from Basic Authentication to Auth 2.0, also known as Modern Authentication, or Modern Auth.
While this move is aimed at Exchange Server 2019, “customers who have backend servers running Exchange Server 2016 CU23 are also supported for Modern auth (provided Exchange Server 2019 CU13 exists and is front ending the client traffic in the environment, and the correct Outlook version is in use),” Microsoft’s Exchange Team wrote this month.
Microsoft for several years has been bringing Modern Auth to various customer-facing applications in its portfolio, including Exchange Online, Outlook Desktop, and Outlook Mobile App. With the next version still two years away, Exchange Server is up next.
Basic Auth is a legacy authentication method that involves sending credentials in plain text to systems and often is offered by default. It also doesn’t support more modern authentication methods, such as multi-factor authentication (MFA).
Basic Auth no longer cuts it
For Exchange Server users, this is a problem. The system tends to hold a lot of valuable and sensitive corporate information and has been widely adopted over the years. In addition, many of them are unpatched, which makes them vulnerable to cyberattacks. Microsoft over the years has urged enterprises to patch and harden their Exchange Servers by installing cumulative and security updates.
Redmond a few years ago laid out plans to bring Modern Auth to cloud-only and hybrid Exchange Server environments, but in 2019 said it wouldn’t support it for on-premises-only environments. However, the Windows giant reversed that decision last year when it announced it was delaying the next version of Exchange Server.
The shift to Modern Auth in Exchange Server 2019 will come in stages. Microsoft is supporting Auth 2.0 for Outlook on Windows in Exchange Server 2019 now via Active Directory Federations Service (ADFS), a form of Modern Auth that acts as an on-premises security token service (STS).
Support for other Outlook clients – including macOS, Android, and iOS – will come later in the year. Outlook on the web and ECP (enhanced client or proxy) already support claims-based authentication with ADFS.
“This enables you to use stronger authentication features like MFA, smart cards and cert-based auth, and third-party security identity providers,” the Exchange Team wrote. “While the direct use of a 3rd party identity provider as an STS is not supported, it can be used in conjunction with ADFS.”
IT admins can learn how to enable and disable Modern Auth here.
The need for Modern Auth is growing
Modern Auth is an umbrella term for authentication methods as those mentioned earlier and is being increasingly embraced as miscreants sharpen their efforts to compromise IT environments by stealing credentials and similar information.
The need for newer authentication methods is growing as more people work remotely and organizations continue to migrate to the cloud, according to the IEEE Computer Society, which says Modern Auth is key to identity and access management (IAM) controls and foundational to emerging zero-trust architectures.
Verizon in its Data Breach Investigations Report last year said 82 percent of security breaches in 2021 were due to stolen credentials, phishing attacks, and human error, driving the need for Modern Auth methods and fueling the push to replace usernames and passwords with other verification tools, such as passkeys, which are being supported by vendors like Google and Apple.
In an advisory [PDF] last year, the US government’s Cybersecurity and Infrastructure Security Agency (CISA) said federal agencies like the Federal Trade Commission, Federal Communications Commission, and the Homeland Security and Justice departments should migrate off Basic Auth and urged private organizations to follow suit. ®