Introduction #
Basic authentication in Exchange Online authenticates with a username and a password, which are prone to brute force or password spray attacks. Blocking basic authentication helps protect your organisation by reducing this risk. When you disable basic authentication for Exchange Online protocols, users' email clients and apps must support modern authentication or they will no longer be able to connect to Exchange Online.
We recommend you block basic authentication for Exchange Online protocols.
License Requirement #
Any Exchange Online plan
User Impact #
High
Users, applications and devices that access Exchange Online with clients that do not support modern authentication will not be able to connect.
Before turning this setting on, we highly recommend that you check your tenant to ensure no accounts are logging in via basic authentication. The best way to do that is to log into the Azure Active Directory portal and navigate to “Sign-ins”.

Click on “Add Filter”, select the “Client-app” radio button and click Apply.

Click on all of the apps listed under “Legacy Authentication Clients”.

This will provide a list of all clients that are accessing the tenant and authenticating with basic authentication protocols.
Admin Portal Reference #
- Navigate to https://portal.microsoft.com
- Click on Settings > Org settings

- Click on Modern Authentication and unselect all basic authentication protocols.

- Click Save.
*This will not disable AllowBasicAuthReportingWebServices or AllowBasicAuthOutlookService
PowerShell Reference #
If this setting is configured, and there is an existing default authentication policy which blocks all basic authentication, MSPMagic will not make any changes.
If there is no default authentication policy or the default authentication policy does not block all basic authentication, MSPMagic will create a new authentication policy named “MSPMagic: Disable Basic Authentication” and set it as the default authentication policy for the tenant.
```powershell
# A new authentication policy blocks basic authentication for every protocol by default.
New-AuthenticationPolicy -Name "MSPMagic: Disable Basic Authentication"
# Apply the policy to every mailbox that has no policy of its own.
Set-OrganizationConfig -DefaultAuthenticationPolicy "MSPMagic: Disable Basic Authentication"
```
Each mailbox may also have its own authentication policy assigned, which will override the default authentication policy.
If Action is set to Notify #
We report the setting is compliant if the default authentication policy is set to block basic authentication on all Exchange Online protocols.
We report the setting is non-compliant if the default authentication policy is not set to block basic authentication on all Exchange Online protocols.
If Action is set to Enforce #
We report the setting is compliant if the default authentication policy is set to block basic authentication on all Exchange Online protocols.
We report the setting is compliant-fixed if the default authentication policy was not set to block basic authentication on all Exchange Online protocols but has now been set to do so.
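
The compliance rule above, together with the earlier note that a mailbox-level policy overrides the default, can be checked with a short script. This is an added example, not MSPMagic's own code: the function names are hypothetical, the sample objects are constructed and trimmed to three of the `AllowBasicAuth*` properties, and it assumes a user's `AuthenticationPolicy` value matches the policy's `Name`.

```powershell
# Added example, not MSPMagic code. Assumes policy objects shaped like Get-AuthenticationPolicy
# output and that a user's AuthenticationPolicy value matches the policy's Name.
function Get-BasicAuthOpenProtocol {
    param([Parameter(Mandatory)] $Policy)
    # Any AllowBasicAuth* property set to $true is a protocol still accepting basic authentication.
    @($Policy.PSObject.Properties |
        Where-Object { $_.Name -like 'AllowBasicAuth*' -and $_.Value -eq $true } |
        ForEach-Object { $_.Name -replace '^AllowBasicAuth', '' })
}

function Test-DefaultBasicAuthBlocked {
    param([string] $DefaultPolicyName, [object[]] $Policies, [object[]] $Users = @())
    $default = $Policies | Where-Object { $_.Name -eq $DefaultPolicyName } | Select-Object -First 1
    $open = @(if ($default) { Get-BasicAuthOpenProtocol $default })
    # Mailbox-level policies override the default, so report any that re-enable basic auth.
    $overrides = @(foreach ($u in $Users | Where-Object { $_.AuthenticationPolicy }) {
        $p = $Policies | Where-Object { $_.Name -eq $u.AuthenticationPolicy } | Select-Object -First 1
        $userOpen = @(if ($p) { Get-BasicAuthOpenProtocol $p })
        if ($userOpen.Count -gt 0) {
            [pscustomobject]@{ User = $u.UserPrincipalName; Policy = $p.Name; Open = $userOpen -join ',' }
        }
    })
    [pscustomobject]@{
        DefaultPolicy = $DefaultPolicyName
        # Non-compliant when there is no default policy or it leaves any protocol open.
        Compliant     = ([bool]$default -and ($open.Count -eq 0))
        OpenProtocols = $open
        UserOverrides = $overrides
    }
}

# Constructed sample data (real policy objects carry more AllowBasicAuth* properties).
$policies = @(
    [pscustomobject]@{ Name = 'Block Basic Auth';  AllowBasicAuthImap = $false; AllowBasicAuthPop = $false; AllowBasicAuthSmtp = $false }
    [pscustomobject]@{ Name = 'Scanner Exception'; AllowBasicAuthImap = $false; AllowBasicAuthPop = $false; AllowBasicAuthSmtp = $true }
)
$users = @(
    [pscustomobject]@{ UserPrincipalName = 'scanner@contoso.example'; AuthenticationPolicy = 'Scanner Exception' }
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example';   AuthenticationPolicy = $null }
)
Test-DefaultBasicAuthBlocked -DefaultPolicyName 'Block Basic Auth' -Policies $policies -Users $users

# In a connected Exchange Online session, feed it live data instead:
#   Test-DefaultBasicAuthBlocked -DefaultPolicyName (Get-OrganizationConfig).DefaultAuthenticationPolicy `
#       -Policies (Get-AuthenticationPolicy) -Users (Get-User -ResultSize Unlimited)
```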