Reputation: 23
I have received an email about the cert-based auth from Microsoft.
Now, I have a scenario where a couple of web apps are hosted on Windows servers. All the articles point to the changes for security defaults in Office 365 after March. I understand this is just for Exchange and other Microsoft apps.
I have the following queries regarding this security update:
Thank you
Upvotes: 1
Views: 374
Reputation: 4602
Basic Authentication relies on sending usernames and passwords -- often stored on or saved to the device -- with every request, increasing risk of attackers capturing users' credentials, particularly if not TLS protected.
1. Does this mean that the "Basic Authentication" feature in IIS will be deprecated?
Answer: As part of security defaults, Microsoft currently disables Basic Authentication by default for new customers, and effective October 1, 2022, Microsoft begins to permanently disable Basic Auth in all tenants, regardless of usage, with the exception of SMTP Auth.
For more information you can follow this MS Document
2. How does this affect web apps which support multiple authentication methods? Basic, Windows and Azure AD?
Answer: For multiple authentication methods, Basic Auth will be disabled; the rest you can use. Here is an advantage, considered a secure way of auth, which was not possible using Basic Auth: if you have a Windows Active Directory environment, users can be automatically signed into web applications using their domain account. Other built-in security features include TLS certificate management and binding for enabling HTTPS and SFTP on your sites, request filtering for whitelisting or blacklisting traffic, authorization rules, request logging, and a rich set of FTP-specific security options.
You can also refer to this Document for more information.
Upvotes: 1
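Added example, not part of the original question or answer: because the risk described in the answer is Basic Authentication credentials travelling on every request without TLS, this Python script audits an IIS `applicationHost.config` for locations where `basicAuthentication` is enabled and reports whether `sslFlags` requires HTTPS there. The sample configuration and its site names are constructed, and the script assumes settings live in `applicationHost.config` only (per-application `web.config` overrides are not read).

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of IIS applicationHost.config; site names are hypothetical.
SAMPLE_CONFIG = """<configuration>
  <system.webServer><security>
    <access sslFlags="None" />
    <authentication><basicAuthentication enabled="false" /></authentication>
  </security></system.webServer>
  <location path="LegacyApp"><system.webServer><security>
    <authentication><basicAuthentication enabled="true" /></authentication>
  </security></system.webServer></location>
  <location path="PartnerApi"><system.webServer><security>
    <access sslFlags="Ssl, Ssl128" />
    <authentication><basicAuthentication enabled="true" /></authentication>
  </security></system.webServer></location>
  <location path="Intranet"><system.webServer><security>
    <authentication><windowsAuthentication enabled="true" /></authentication>
  </security></system.webServer></location>
</configuration>"""

SEC = "system.webServer/security"

def effective_settings(node, inherited):
    """Return (basic_enabled, tls_required) for node; unset values are inherited."""
    basic, tls = inherited
    b = node.find(SEC + "/authentication/basicAuthentication")
    if b is not None and b.get("enabled") is not None:
        basic = b.get("enabled").lower() == "true"
    a = node.find(SEC + "/access")
    if a is not None and a.get("sslFlags") is not None:
        # sslFlags is a comma-separated flag list; HTTPS counts as required when "Ssl" is set.
        tls = "ssl" in {f.strip().lower() for f in a.get("sslFlags").split(",")}
    return basic, tls

def audit_basic_auth(config_xml):
    """List (location path, verdict) for every location where Basic auth is enabled."""
    root = ET.fromstring(config_xml)
    defaults = effective_settings(root, (False, False))  # server-level section values
    findings = []
    for loc in root.findall("location"):
        basic, tls = effective_settings(loc, defaults)
        if basic:
            findings.append((loc.get("path", ""), "tls-required" if tls else "basic-without-tls"))
    return findings

if __name__ == "__main__":
    for path, verdict in audit_basic_auth(SAMPLE_CONFIG):
        print(f"{path}: {verdict}")
```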