
Disable Basic Authentication for Exchange Online Protocols – Default Tenant Policy

Introduction

Basic authentication in Exchange Online uses a username and a password for authentication, which is prone to brute-force and password-spray attacks. Blocking basic authentication helps protect your organisation by reducing this risk. When you disable basic authentication for Exchange Online protocols, users' email clients and apps must support modern authentication or they will no longer be able to connect to Exchange Online.

We recommend you block basic authentication for Exchange Online protocols.

License Requirement

Any Exchange Online plan

User Impact

High
Users, applications and devices that access Exchange Online with clients that do not support modern authentication will not be able to connect.

Before turning this setting on, we highly recommend that you check your tenant to ensure no accounts are logging in via basic authentication. The best way to do that is to log into the Azure Active Directory portal and navigate to “Sign-ins”.

Click on “Add Filter”, select the “Client-app” radio button and click Apply.

Click on all of the apps listed under “Legacy Authentication Clients”.

This will provide a list of all clients that are accessing the tenant and authenticating with basic authentication protocols.

Admin Portal Reference

  1. Navigate to https://portal.microsoft.com
  2. Click on Settings > Org settings
  3. Click on Modern Authentication and unselect all basic authentication protocols.

     The Modern authentication panel shows the following:

     Turn on modern authentication for Outlook 2013 for Windows and later (recommended)

     Before you turn off basic authentication for protocols, view your sign-in reports in the Azure portal to make sure people in your organization aren't using them.

     Allow access to basic authentication protocols:

     - Outlook client: includes Exchange Web Services, MAPI over HTTP, Offline Address Book and Outlook Anywhere protocols.
     - Exchange ActiveSync (EAS): used by some email clients on mobile devices.
     - Autodiscover: used by Outlook and EAS clients to find and connect to mailboxes in Exchange Online.
     - IMAP4: used by IMAP email clients.
     - POP3: used by POP email clients.
     - Authenticated SMTP: used by POP and IMAP clients to send email messages.
     - Exchange Online PowerShell: used to connect to Exchange Online with remote PowerShell.

  4. Click Save.

*This will not disable AllowBasicAuthReportingWebServices or AllowBasicAuthOutlookService

PowerShell Reference

If this setting is configured, and there is an existing default authentication policy which blocks all basic authentication, MSPMagic will not make any changes.

If there is no default authentication policy or the default authentication policy does not block all basic authentication, MSPMagic will create a new authentication policy named “MSPMagic: Disable Basic Authentication” and set it as the default authentication policy for the Tenant.

New-AuthenticationPolicy -Name "MSPMagic: Disable Basic Authentication"

Set-OrganizationConfig -DefaultAuthenticationPolicy "MSPMagic: Disable Basic Authentication"

Each mailbox may also have its own authentication policy assigned, which will override the default authentication policy.
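One way to audit both points above, the default policy's switches and per-mailbox overrides, is shown here as an added example; it is not MSPMagic's code. The function names `Get-BasicAuthGaps` and `Get-PolicyOverrides` are hypothetical, and the sample objects are constructed so the block runs without a tenant connection.

```powershell
# Added example, not MSPMagic's code. The functions evaluate objects that were
# already retrieved, so the block runs offline on the constructed sample below.

function Get-BasicAuthGaps {
    # Returns the names of AllowBasicAuth* switches still enabled on a policy.
    # A $null policy (no default authentication policy set) counts as a gap.
    param($Policy)
    if ($null -eq $Policy) { return @('NoDefaultAuthenticationPolicy') }
    @($Policy.PSObject.Properties |
        Where-Object { $_.Name -like 'AllowBasicAuth*' -and $_.Value -eq $true } |
        ForEach-Object { $_.Name })
}

function Get-PolicyOverrides {
    # Returns users that have their own authentication policy assigned; that
    # assignment overrides the default policy and must be reviewed separately.
    param([object[]]$Users)
    @($Users | Where-Object { $_.AuthenticationPolicy })
}

# Against a live tenant (Exchange Online PowerShell session), use instead:
#   $name   = (Get-OrganizationConfig).DefaultAuthenticationPolicy
#   $policy = if ($name) { Get-AuthenticationPolicy -Identity $name }
#   $users  = Get-User -ResultSize Unlimited

# Constructed sample data standing in for the output of those cmdlets.
$policy = [pscustomobject]@{
    Name                               = 'MSPMagic: Disable Basic Authentication'
    AllowBasicAuthImap                 = $false
    AllowBasicAuthPop                  = $false
    AllowBasicAuthSmtp                 = $false
    AllowBasicAuthOutlookService       = $false
    AllowBasicAuthReportingWebServices = $true   # left enabled in this sample
}
$users = @(
    [pscustomobject]@{ Name = 'alice';   AuthenticationPolicy = $null }
    [pscustomobject]@{ Name = 'scanner'; AuthenticationPolicy = 'Allow SMTP Basic' }
)

$gaps      = @(Get-BasicAuthGaps -Policy $policy)
$overrides = @(Get-PolicyOverrides -Users $users)

if ($gaps.Count -eq 0) { 'Default policy: compliant' }
else { "Default policy: non-compliant ($($gaps -join ', '))" }
$overrides | ForEach-Object { "Override: $($_.Name) -> $($_.AuthenticationPolicy)" }
```

On the sample data this reports the default policy as non-compliant because of `AllowBasicAuthReportingWebServices`, and flags `scanner` as a mailbox whose own policy needs a separate review.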

If Action is set to Notify

We report the setting is compliant if the default authentication policy is set to block basic authentication on all Exchange Online protocols.

We report the setting is non-compliant if the default authentication policy is not set to block basic authentication on all Exchange Online protocols.

If Action is set to Enforce

We report the setting is compliant if the default authentication policy is set to block basic authentication on all Exchange Online protocols.

We report the setting is compliant-fixed if the default authentication policy was not set to block basic authentication on all Exchange Online protocols but has now been set to do so.
