Introduction #
Allowing basic authentication to SharePoint Online unnecessarily exposes it to a number of attacks and exploits that you can easily avoid by simply disabling basic authentication.
We recommend you disable basic authentication for SharePoint Online.
License Requirement #
Any SharePoint Online plan
User Impact #
High
Users, applications and devices that access SharePoint Online with clients that do not support modern authentication will not be able to connect after basic authentication is disabled. Typically this includes older versions of Microsoft Office and PowerShell scripts.
Before turning this setting on, we highly recommend that you check your tenant to ensure no accounts are logging in via basic authentication. The best way to do that is to log in to the Azure Active Directory portal and navigate to “Sign-ins”.

Click on “Add Filter”, select the “Client-app” radio button, and click Apply.

Click on all of the apps listed under “Legacy Authentication Clients”.

This will provide a list of all clients that are accessing the tenant and authenticating with basic authentication protocols.
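To work from an exported copy of that sign-in list instead of the portal view, the following added example (not part of the original page or of the product it documents) summarises legacy-authentication sign-ins to SharePoint Online per user and client app. It assumes a JSON export whose field names follow the Microsoft Graph signIn resource and that the resource is named "Office 365 SharePoint Online"; the function name and the sample rows are constructed for illustration.

```python
from collections import defaultdict

# Client-app values the sign-in filter treats as modern authentication; every
# other non-empty value appears under "Legacy Authentication Clients".
MODERN_CLIENT_APPS = {"browser", "mobile apps and desktop clients"}
SPO_RESOURCE = "Office 365 SharePoint Online"  # assumed resource display name


def legacy_auth_summary(signins, resource=SPO_RESOURCE):
    """Group legacy-auth sign-ins to `resource` by (user, client app).

    Returns (summary, unclassified). summary maps (upn, clientAppUsed) to
    {"count", "last_seen"}; unclassified counts rows with no client app.
    """
    summary = defaultdict(lambda: {"count": 0, "last_seen": ""})
    unclassified = 0
    for row in signins:
        if row.get("resourceDisplayName") != resource:
            continue
        client = (row.get("clientAppUsed") or "").strip()
        if not client:
            unclassified += 1  # cannot be classified; review these by hand
            continue
        if client.lower() in MODERN_CLIENT_APPS:
            continue
        entry = summary[(row.get("userPrincipalName", "").lower(), client)]
        entry["count"] += 1
        # ISO 8601 UTC timestamps in one format sort correctly as strings.
        entry["last_seen"] = max(entry["last_seen"], row.get("createdDateTime", ""))
    return dict(summary), unclassified


def _row(ts, upn, client, resource=SPO_RESOURCE):
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "clientAppUsed": client, "resourceDisplayName": resource}


# Constructed sample rows (not real tenant data).
SAMPLE_SIGNINS = [
    _row("2024-03-01T08:15:00Z", "svc-backup@contoso.example", "Other clients"),
    _row("2024-03-02T08:15:00Z", "svc-backup@contoso.example", "Other clients"),
    _row("2024-03-02T09:00:00Z", "alice@contoso.example", "Browser"),
    _row("2024-03-02T09:05:00Z", "bob@contoso.example", "Mobile Apps and Desktop clients"),
    _row("2024-03-02T09:10:00Z", "carol@contoso.example", "IMAP4", "Office 365 Exchange Online"),
    _row("2024-03-02T09:20:00Z", "dave@contoso.example", ""),
    _row("2024-03-02T10:00:00Z", "Alice@contoso.example", "Other clients"),
]

if __name__ == "__main__":
    found, unknown = legacy_auth_summary(SAMPLE_SIGNINS)
    for (user, client), info in sorted(found.items()):
        print(f"{user:32} {client:15} {info['count']:3}  last {info['last_seen']}")
    print(f"{unknown} sign-in(s) had no client app recorded")
```

For a real export, load the file with `json.load` and pass the resulting list to `legacy_auth_summary`; every account it returns needs a modern-authentication client before the setting is disabled.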
Parameters #
Enabled – true/false
Admin Portal Reference #
- From the SharePoint admin center
- Click on Policies -> Access Control -> Apps that don’t use modern authentication

PowerShell Reference #
To enable basic authentication:
Set-SPOTenant -LegacyAuthProtocolsEnabled $true
To disable basic authentication:
Set-SPOTenant -LegacyAuthProtocolsEnabled $false
If Action is set to Notify #
We report the setting as compliant if the setting matches the enabled value as set by the parameter.
We report the setting as non-compliant if the setting does not match the enabled value as set by the parameter.
If Action is set to Enforce #
We report the setting as compliant if the setting matches the enabled value as set by the parameter.
We report the setting as compliant-fixed if the setting does not match the enabled value as set by the parameter and we adjust it to match.