Disable Basic Authentication

Updated: Jul 8

Hello all, so in this blog, I will be explaining in a shot what is basic authentication and Modern Authentication and how to enable Modern authentication and Disable basic Authentication.


What is Basic Authentication?


Basic access authentication is a method for an HTTP user agent (e.g. a web browser) to provide a username and password when making a request. In basic HTTP authentication, a request contains a header field in the form of Authorization: Basic <credentials>, where credentials are the Base64 encoding of ID and password joined by a single colon:

Basic authentication simply means the application sends a username and password with every request, and those credentials are also often stored or saved on the device.


Why Basic authentication is getting depreciated?


Basic Authentication makes it easier for attackers to capture-user credentials which increases the risk of those stolen credentials being reused against other endpoints or services, the enforcement of MFA is not possible or won’t work when basic authentication is enabled. The numbers on legacy authentication from an analysis of Azure Active Directory (Azure AD) traffic are clear:

  • More than 99 percent of password spray attacks use legacy authentication protocols

  • More than 97 percent of credential stuffing attacks use legacy authentication

  • Azure AD accounts in organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled

Single-factor authentication (for example, username and password) is not enough these days. Passwords are bad as they are easy to guess, and we (humans) are bad at choosing good passwords. Passwords are also vulnerable to various attacks, like phishing and password spray. One of the easiest things you can do to protect against password threats is to implement Multi-Factor Authentication (MFA).


The most important dates connected to disabling basic authentication are as follows.

October 22, 2019 Security Defaults are now turned on by default for all new users. Security Defaults block all legacy authentication protocols.
October 13, 2020 the initial date for disabling basic authentication in Exchange Online for all tenants. (Postponed)
October 2020 basic auth will be disabled for tenants which do not effectively use it.
Second half of 2021 that’s when basic authentication will be disabled for all tenants. More precise date is yet to be announced. (Postponed)
February 2021 Microsoft announces that basic authentication will not be blocked for now for any protocols that a tenant is using. However, basic auth will be blocked for the unused protocols, with a warning issued 30 days beforehand in the Microsoft 365 Message Center in your tenant.
October 2022 the complete shutdown of basic authentication for connections to Exchange Online, announced in September 2021. That should be more than enough to tie up all the loose ends.

Impact on organization and users


Each app, program, or service that connects to Microsoft 365, needs to authenticate itself. Once basic authentication is disabled, all applications which use this legacy authentication protocol to access Exchange Online will stop working. You need to take some action if anyone in your company still uses:

Outlook 2010 and older with basic authentication disabled, those email clients will be unable to connect to Microsoft 365.
Outlook 2013 enabling OAuth in Outlook 2013 requires some changes to be made in the registry.
Outlook 2011 for Mac just as in the case of Outlook 2010, it does not support modern authentication.
Remote PowerShell you will need to use the modern Exchange Online module V2 . If you have any unattended scripts in which you use basic authentication to establish a connection to Exchange Online, they will stop working.
Any third-party app, add-in or mobile email client which doesn’t support modern authentication for example Native Email client of iOS

Some tenants may already be qualified for disabling basic authentication. In some cases, IT departments will need to update or upgrade software on multiple workstations.


The bottom line is that any Microsoft 365 administrator should prepare for the upcoming changes. If you were never interested in how authentication works, now is the time to take a quick look at some of the key differences between basic and modern authentication.


What is Modern Authentication?


Modern Authentication is based on ADAL (Active Directory Authentication Library) and OAuth 2.0 protocols, in this case, the application doesn’t store or use user credentials and authentication is based on time-limited tokens and modern auth support MFA. The modern authentication sign-in window looks like this

Modern Authentication is not a single authentication method, but instead a category of several different protocols that aim to enhance the security posture of cloud-based resources. Some examples of Modern Authentication protocols are SAML, WS-Federation, and OAuth. While each is different in its execution, they all aim to move away from the classic username\password method and instead rely on token-based claims. So, while the user may still provide a username and password (for now; see more below), it is used to authenticate with an identity provider to generate a token for access. This token has more specific information (in the form of a claim) that specifies what the requestor does and does not have access to. Tokens also expire and can be revoked, so there is more ability to govern access.


Modern Authentication in Outlook 365/2019/2016/2013/2010


Please note the specifics of support for modern authentication in different Outlook versions:

Outlook 2010 and earlier – don’t support Modern Auth. If Basic Auth is disabled in the tenant settings, these versions of Outlook won’t be able to connect to Exchange Online mailboxes on Microsoft 365.
Outlook 2013 – to support OAuth, you need to set two registry parameters under the key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Common\Identity (EnableADAL = 1 and Version = 1.
Outlook 365, 2019, 2016 – modern authentication is supported by default. In order to always use Modern Auth first, set the AlwaysUseMSOAuthForAutoDiscover = 1 under the reg key HKEY_CURRENT_USER\Software\Microsoft\Exchange (if this option is not enabled, Outlook may continually prompt for the password to connect).

Enable Modern Authentication in Microsoft 365 Tenant


Modern auth can be enabled through Microsoft Admin center for the tenant,

Step 1: Sign in to M365 Admin Portal


Step 2: Navigate to Settings -> Org Settings -> Select Modern Authentication



By Default ModernAuthentication is enabled for the tenant if not Select the option Turn on modern authentication for Outlook 2013 for Windows and later (recommended) and save


Several options under Allow access to basic authentication protocols. Here are the various applications where you can enable and Disable Basic Authentication.

  • Outlook client

  • Exchange ActiveSync (EAS)

  • Autodiscover

  • IMAP4

  • POP3

  • Authenticated SMTP (example of SMTP authentication from telnet)

  • Exchange Online PowerShell — (Basic Authentication is not supported for modern EXOv2 PowerShell Module)

Disable Basic Authentication for all apps and protocols that don’t need it.


Note: If Security defaults are enabled in Azure be default Modern Authentication is used you can enable Modern Authentication in the M365 Admin center if Security Defaults are in the disabled state


Enable Modern Authentication Using PowerShell


You can use Powershell commands to enable modern authentication for your tenant.


Connect to Exchange Online using the below command in PowerShell

PS C:\Users\Anand> Connect-Exchangeonline

Provide the account to authenticate, in my case it's already authenticated so I select the account anand.p@cloudtekspace.com













Once authenticated successfully, you will get a response like below

Now It's connected to Exchange Online

Using the below PS command you can identify if Modern authentication is enabled or not

PS C:\Users\Anand> Get-OrganizationConfig | Format-Table Name,OAuth* -Auto

If you get a response value as True then Modern Authentication is Enabled for the tenant and if the value is False Modern Authentication is Disabled

If the value is False

You can use the below PS command to enable Modern Authentication

PS C:\Users\Anand> Set-OrganizationConfig -OAuth2ClientProfileEnabled $True

There are different methods to disable basic authentication


Enable Security defaults in Azure


If you have enabled Security Defaults in your tenant or Org, basic authentication is already disabled and all the authentication happens through Modern Authentication.


Navigate to Azure AD Portal -> Properties ->Manage Security defaults -> Move to Yes on Enable security defaults -> tap on Save

Note: If you have custom conditional access policies for your tenant to manage security then the option can’t be enabled

First Method: Disable Services per mailbox in M365


This method includes ease of implementation and no additional license required. However, it is important to note that rather than disabling basic authentication, we are simply disabling legacy or extraneous services that are no longer needed (especially POP and IMAP which only support basic authentication)


Step 1: Sign in to M365 Admin Center Portal -> Select a user account -> Navigate to the Mail tab and select the option Manage email apps

Step 2: From here turn off any legacy protocols that you know are not (or should not be) in use, such as POP, IMAP, etc. In the example below I’ve even disabled Exchange web services, Mobile (Exchange ActiveSync), IMAP, POP, and Authentication SMTP, unselect the services and tap on Save changes


Disable Services per mailbox using PowerShell


You can use PowerShell to disable the services per mailbox using the Set-CasMailbox command for each mailbox’s


Connect to Exchange Online as I mentioned previously in this blog

To get the mailbox services details use Get-CASMailbox "Mailbox UPN"
PS C:\Users\Anand> Get-CASMailbox AlexW@xdy0y.onmicrosoft.com

Name  ActiveSyncEnabled OWAEnabled PopEnabled ImapEnabled MapiEnabled SmtpClientAuthenticationDisabled
----  ----------------- ---------- ---------- ----------- ----------- --------------------------------
AlexW True              True       False      False       True        True

This will collect the current status of each service on the mailbox


Use Set-CASMailbox "Mailbox UPN" select the service you want to disable with $false value
PS C:\Users\Anand> Set-CASMailbox AlexW@xdy0y.onmicrosoft.com -ActiveSyncEnabled $false

Here I disabled ActiveSyncEnabled by setting the value to false


We will use the get command to check the service

PS C:\Users\Anand> Get-CASMailbox AlexW@xdy0y.onmicrosoft.com

Name  ActiveSyncEnabled OWAEnabled PopEnabled ImapEnabled MapiEnabled SmtpClientAuthenticationDisabled
----  ----------------- ---------- ---------- ----------- ----------- --------------------------------
AlexW False             True       False      False       True        True

You can see ActiveSyncEnabled is set to False which means the service is disabled for the mailbox


Second Method: Disable Basic Authentication Using Authentication Policy


You can create an authentication policy to disable Basic authentication in your tenant, using the policy it’s easy to disable or enable basic authentication for a set of users or a single user. How to create one, you can use New-AuthenticationPolicy -Name <Policy Name> for example I had given Basic Block


Connect to Exchange Online as I mentioned previously in this blog


Create a new authentication policy

PS C:\Users\Anand> New-AuthenticationPolicy -Name "Block Basic"

You can see the Basic Authentication is disabled by default you can use this authentication policy for each user, list of user


Modify Authentication Policy


You can modify the Authentication policy, for example, if you want to Allow basic authentication for Imap you can use the below PowerShell command

Set-AuthenticationPolicy -Identity "Block Basic" -AllowBasicAuthImap:$True

You can see AllowBasic authentication for IMAP is set to true now which means Basic authentication is enabled for IMAP ( This is just an example, it is not recommended to use Basic Authentication )


How to set Authentication Policy for Per USer


You can use the ps command to set the policy on a user

 Set-User -Identity AdeleV@xdy0y.onmicrosoft.com -AuthenticationPolicy "Block basic"

This will set the policy for the user account and if the user provides the correct username and password user will get an error like

When an authentication policy is set on a user account it will take 24 hours to refresh the token, to apply the policy immediately within 30 minutes you can refresh the token

Set-User -Identity AdeleV@xdy0y.onmicrosoft.com -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)

Use a list of specific user accounts


This method requires a text file to identify the user accounts. The text file must contain one user account on each line, the values shouldn't have any space.

AlexW@xdy0y.onmicrosoft.com
DiegoS@xdy0y.onmicrosoft.com
HenriettaM@xdy0y.onmicrosoft.com

Save the file as Userslist.txt and run the below ps command

$BlockBA = Get-Content "C:\Users\Anand\Desktop\Blog\UsersList.txt"
$BlockBA | foreach {Set-User -Identity $_ -AuthenticationPolicy "Block Basic"}

This will set the authentication policy on all the users in the list, and change the file path as per your saved location.

To Refresh the Token

$BlockBA | foreach {Set-User -Identity $_ -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)}

How to identify the users who are part of the authentication policy, sometimes we might need to check the users for whom the policy is assigned, use Get-User followed by authentication policies DistinguishedName

Get-User -Filter "AuthenticationPolicy -eq 'CN=Block Basic,CN=Auth Policies,CN=Configuration,CN=xdy0y.onmicrosoft.com,CN=ConfigurationUnits,DC=NAMPR19A009,DC=PROD,DC=OUTLOOK,DC=COM'"

This will get all the users under the Authentication policy


Set the authentication Policy as Default


Set Block Basic as the default authentication Policy

Set-OrganizationConfig -DefaultAuthenticationPolicy"Block Basic"

This will set the authentication policy as the default to verify this use

Get-OrganizationConfig | Format-Table DefaultAuthenticationPolicy

For more PowerShell command lists for Authentication Policy, you can refer Link


Third Method: Conditional Access


You need any one of the below license to use Conditional Access Polices

  1. Azure AD Premium P1

  2. Azure AD Premium P2

  3. Microsoft 365 Business Premium licenses

and any of of the below roles

  1. Global administrator

  2. Security administrator

  3. Conditional Access administrator

With conditional access its easy to block basic authentication to all users and cloud apps.

Step 1: Check if we have proper license for the tenant to use conditional access, Login to Azure AD Portal navigate to Azure Active Directory > Overview. In the example, there is an Azure AD Premium P2 license.



Step 2: Create a new Conditional Access Policy to force block basic authentication for all users or a group of users and all cloud apps. It is recommended to block basic authentication for all users. From Azure AD portal navigate to Security -> Select Conditional Access




Step 3: Tap on New Policy and Select Create new policy

Type a policy name in my case I used Bloack basic Authentictaion


Step 4: Select the Assignments, in my case I had included All Users and Excluded Specific user (you shouldn't get locked yourself when selecting all users, I had excluded Glass Break account from the policy for a safer side)


Step 5 : Tap on Cloud Apps -> select All Cloud Apps in Include, we can select specific cloud apps but for now I had selected all cloud apps to block basic authentication


Step 6: Select Conditions -> Tap on Client Apps -> toggle to Yes under Configure and select only Exchaneg Active sync and Other Clients and tap Done



Step 7: Selelct Grant to define the action for the policy to block basic authentication we select Block Access


Step 8: Enable the policy, to enable the policy toggle the bar to On, from Report, if its in Report the condtitonal access will report the users affected by the policy


Once the conditional Access policy is created you can see the policy under Conditional Access Tab


Conclusion

In this article, you learned how to disable basic authentication using, Autnetication Policy, Per user mailbox, using PowerShell commands and Conditional Access. It’s essential to create the policy and secure the organization from attacks. If some applications or printers need to connect with basic authentication, you can add the users in the exclude group or add the location to the exclusion list. That way, they can still use basic authentication.

If you like this article, you may also like Identify Basic Authentication in this article i had explained how to identify users who are using Basic Authentication in your tenant.


Reference

https://docs.microsoft.com/en-in/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online






293 views0 comments

Recent Posts

See All