AutoDiscover Archives

Microsoft Turns Off Basic Authentication for Autodiscover

Post author:By Tony Redmond

Now that they've disabled basic authentication for email connection protocols, Microsoft is doing the same for the Autodiscover service. This makes sense. There's no point in allowing basic authentication for Autodiscover when clients can't use basic authentication to connect. Microsoft will therefore turn off basic authentication for Autodiscover as it removes basic authentication for protocols like POP3, EAS, IMAP4, EWS, and MAPI.

Exchange Online

November 18, 2022

Make Sure Your Implementation of Autodiscover Avoids Common Pitfalls

Post author:By James Yip

This article explains the importance of deploying Autodiscover correctly to ensure that all of Microsoft 365 works, including Exchange Online.

Blog

September 14, 2022

Researcher Says Autodiscover Problem is Client-Side, Not in Exchange

Post author:By Tony Redmond

An interesting and worthwhile interview (available on YouTube) with security researcher Amit Serper reveals a lot more detail about the Autodiscover credential leak reported by Guardicore last month. The interview (with three Office 365 MVPs) goes through the collection of leaked credentials, how Serper tried to reproduce the problem, and his interaction with Microsoft. It’s a real pity Serper didn’t include the information in his original report as it would have taken a lot of heat out of the situation.

Blog

October 12, 2021

Why a Potential Autodiscover Flaw is Just the Tip of an Iceberg

Post author:By Steve Goodman

It's often helpful when security researchers like Guardicore shed light on flaws in Microsoft Exchange - however, the Autodiscover protocol isn't flawed in the way they describe. Even though the issue is hard to replicate, it shouldn't distract from the work you need to do to protect your organization from the underlying reason why people want your credentials.

Blog

September 28, 2021

13 Comments

Hot Air and Publicity for Purported Autodiscover Security Flaw

Post author:By Tony Redmond

Lots of excitement was generated when Guardicore revealed a purported vulnerability with the Exchange Autodiscover service. However, the almost total lack of detail about the configuration used for testing and to generate the reported results makes it impossible for Exchange administrators to check the theory against their own deployment. I don't think a problem exists with Exchange Online, but it's possible that poor DNS practice or flawed third-party clients could cause an issue with on-premises servers. The case remains to be proved.