Office 365, Exchange Online Basic Authentication vs. Modern Authentication
Most logins to Microsoft Office 365 services require direct authentication to NetID Login. However, some clients/protocols use basic authentication. With basic authentication (also called proxy authentication), the email client transmits the username and password to Office 365, and Office 365 forwards the provided credentials to NetID Login. This article answers general questions about Basic Authentication versus Modern Authentication.
With basic authentication, your email/calendar client will transmit your username and password directly to Office 365 services (such as Exchange Online). Office 365 will then forward your credentials to the campus Active Directory on your behalf, which will verify the credentials and return a token to Office 365. If authentication was successful and the user is authorized, the email/calendar client will be connected to Office 365.
IMAP, POP, and SMTP protocols generally require basic authentication, and do not support modern authentication. If you're using an IMAP client, login is completed via basic authentication. Office 365 allows for either basic or modern authentication with Exchange Web Services (EWS) and Exchange ActiveSync (EAS). Depending on support within your email/calendar client, you may be required to use basic authentication to use EWS or EAS.
Basic authentication in Office 365 is less secure for multiple reasons:
1. If your credentials (NetID username and password) are compromised, they can be used to access your mailbox or to send email from your account. Since basic authentication is not protected by multi-factor authentication, even those enrolled in Duo MFA are at risk.
2. Even if an account is protected by Duo MFA and all basic-auth capable protocols are disabled, Office 365 basic authentication can be used to verify usernames and passwords via credential stuffing, brute force and password spray attacks. If verified, then the credentials can be used to access other systems/services.
Microsoft has already discontinued support for basic authentication with Outlook REST API. Microsoft has announced an end of support for basic authentication with EWS, EAS, POP, IMAP, Remote PowerShell (RPS) in the second half of 2022.
On August 1st, 2022, Technology Services will disable the remaining Basic Authentication protocols currently in use on campus.
Modern authentication is what Microsoft calls its implementation of the OAuth2 authorization framework, which permits federated and tokenized web-based sign-in to Office 365. If your email/calendar client is configured to use modern authentication, your credentials are not sent directly to Office 365 applications (such as Exchange Online). Instead, you'll be redirected to the familiar Illinois login page. If your account is protected by Duo MFA, you will be required to confirm your login with a second factor. Your client may maintain a connection to Office 365 with an OAuth2 token, which allows bypassing a login each time you use the client.
A modern, updated Microsoft Outlook client is recommended for the best performance and experience with Microsoft Exchange and will utilize the latest protocols.The following clients are capable of authenticating to Office 365 Exchange Online with modern authentication:
Supported by Technology Services Exchange Team
Outlook on the web (OWA)
Outlook for Windows (current version)
Outlook for Mac (current version)
Outlook App for Android
Outlook App for iOS version 10.x and greater
Mail app on iOS 11.x+
Mail app on Mac OS 10.14 (Mojave) and later
Not Officially Supported by Technology Services, but will work with OAuth2 Modern Authentication:
Thunderbird Latest version (78.3.2 and later)
Native Android Mail on Android 10 and above
Aquamail on Android
BlueMail on Android
Many Android and iOS applications also support modern authentication but are too numerous to list here.