Microsoft disabling Basic Authentication: How private equity can protect their portfolios

Microsoft announced earlier this year that, effective Oct. 1, 2022, Basic Authentication for Outlook, Exchange Web Services, Remote PowerShell, POP, IMAP, and Exchange ActiveSync protocols will be fully disabled. Additionally, SMTP Authentication will also be deactivated if not utilized in the Microsoft 365 tenant. 

Moving away from basic authentication with have a vast impact on the private equity space. As many portfolio companies may be reliant on legacy protocols with unique technical infrastructures, it’s important for private equity companies to know where to focus time, resources, and investments while upgrading to modern authentication. 

Companies will see a direct impact as modern authentication will improve a company's security posture to protect their data and assets by limiting potential for data breaches and business email compromise attacks. 

What the disabling means for portfolio companies and cybersecurity 

While previously a Microsoft standard, basic authentication has been replaced in favor of modern authentication methods. With legacy authentication, any request is an opportunity for a threat actor to perform credential theft. We know that portfolio companies are especially vulnerable to these types of attacks because they often have lower cyber security maturity.  

Basic Authentication methods send usernames and passwords in cleartext, utilizing weak or unencrypted transport layer security protocols. Microsoft is forcing organizations to upgrade to Modern Authentication for stronger security—but the transition comes with significant challenges. 

It’s fair to wonder how far-ranging and disruptive this deprecation will be. 

Utilizing Intellio® Insights platform, we’ve discovered that: 

• 72% of clients have some form of Legacy Authentication Protocols enabled  
• The remaining 28% of clients that are reliant on Legacy Authentication Protocols worked to upgrade affected systems to Modern Authentication—and half of those utilized some form of exceptions to keep Basic Authentication in place 

It’s important to note that systems, service accounts, and applications relying on legacy protocols will immediately cease to operate the moment Microsoft flips the switch—even if all exceptions are in place. This includes line of business applications such as email, scanners, printers, and other systems which may be imperative to essential business functions. 

Varying and unique technical infrastructures among portfolio companies may require varied solutions, which can quickly add up when considering the size of a portfolio, cybersecurity maturity, and reliance on legacy protocols. 

How to protect your portfolio company from cyberattacks 

West Monroe has worked in recent months with our industry partners to establish go-forward plans for our private equity and portfolio company clients to improve security postures and reduce organizational disruptions. 

This includes: 

• Hardening Microsoft 365 and Azure environments for impending deprecation of protocols 
• Integrated new services, features, and security licensing to identify potential compromises resulting from abuse of legacy protocols  
• Remediated gaps in coverage and identified malicious activity resulting from misconfigurations   

In the coming weeks, private equity firms and portfolio companies should identify and plan for the disruption that deprecation will have on their business. We recommend taking the following actions to protect your organization:  

• Clients should inventory all systems, service accounts, scripts, and business applications reliant on Legacy Authentication Protocols in order to function 
• Upgrade all affected clients to support Modern Authentication Protocols  
• Communicate potential impacts to end users