CISA Recommends Immediate Action for Microsoft Exchange Online Users


The recommendation is in line with Executive Order 14028, which requires federal agencies to implement multifactor authentication.

Federal agencies have just three months before their ability to comply with an executive order on cybersecurity while using Microsoft Exchange Online—the company’s cloud-based mail service—expires, the Cybersecurity and Infrastructure Security Agency said, recommending immediate action. 

“CISA has released guidance on switching from Basic Authentication (‘Basic Auth’) in Microsoft Exchange Online to Modern Authentication (‘Modern Auth’) before Microsoft begins permanently disabling Basic Auth on October 1, 2022,” the agency wrote in a release through the National Cyber Awareness System. “Basic Auth is a legacy authentication method that does not support multifactor authentication, which is a requirement for federal civilian executive branch agencies per Executive Order 14028, ‘Improving the Nation’s Cybersecurity.’”

The agency linked to the guidance as well as Microsoft publications on the coming deprecation of the current system.

“Federal agencies should determine their use of Basic Auth and migrate users and applications to Modern Auth,” CISA said, recommending immediate action for all organizations. “After completing the migration to Modern Auth, agencies should block Basic Auth. Basic Auth is most likely used by legacy applications or custom-built business applications. Many user-facing applications, such as Outlook Desktop and Outlook Mobile App, have already been moved to Modern Auth by agency implementation of Microsoft security updates.”