Identify Basic Authentication

Updated: Jul 8

In this article, I will explain what Basic Authentication is and why it weakens your security, and then show three ways to identify the users and client applications in your organization that still use it against Microsoft 365 (Office 365), so that you can plan to block it and move those clients to Modern Authentication.


What is Basic Authentication

Basic Authentication is the simple HTTP authentication scheme in which the client sends the user name and password, joined by a single colon and base64-encoded (encoded, not encrypted), in the Authorization header of every request. The familiar username-and-password prompt is all there is to it. Because the credential itself travels with each request, anyone who can see the traffic or any endpoint that receives it (a proxy, a log, a phishing server) obtains the user's password in directly reusable form, and because it is a plain password check with no support for multi-factor authentication, it is prone to password spray attacks: the attacker only needs to try a common password against many accounts through the same HTTP login method. Modern Authentication replaces this with OAuth 2.0 bearer tokens obtained through an interactive sign-in that can enforce MFA and Conditional Access.

This is what the login looks like, very familiar, right?
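To make the "credentials travel with every request" point concrete, here is an added Python example (not code from the original article) that recovers the user name and password from the Authorization header of a captured request. The request, host, path and credentials are all constructed placeholders; the code also handles a password that itself contains a colon, a missing or non-Basic header, and undecodable data.

```python
"""Decode HTTP Basic Authentication credentials as they travel on the wire.
Added example for this article; the captured request below is constructed,
not real traffic."""
import base64
import binascii
from typing import Optional, Tuple


def build_basic_header(username: str, password: str) -> str:
    """The Authorization value a Basic-auth client sends with every request:
    base64 of 'username:password'. base64 is an encoding, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Recover (username, password) from an Authorization header value.

    Returns None for a missing header, a non-Basic scheme (a Modern Auth
    client sends 'Bearer <token>') or data that does not decode. The split is
    on the FIRST colon only: RFC 7617 forbids ':' in the user-id but allows
    it in the password."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        userpass = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if ":" not in userpass:
        return None
    user, _, password = userpass.partition(":")
    return user, password


def credentials_from_request(raw_request: str) -> Optional[Tuple[str, str]]:
    """Find the Authorization header in a raw HTTP request and decode it,
    which is all a proxy log, packet capture or rogue endpoint needs."""
    for line in raw_request.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            return parse_basic_header(value.strip())
    return None


# Constructed request from a legacy mail client (placeholder host and path);
# the token decodes to 'alice:s3cret:pw', a password that contains a colon.
CAPTURED_REQUEST = (
    "GET /EWS/Exchange.asmx HTTP/1.1\r\n"
    "Host: outlook.office365.com\r\n"
    "Authorization: Basic YWxpY2U6czNjcmV0OnB3\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(credentials_from_request(CAPTURED_REQUEST))   # ('alice', 's3cret:pw')
```

Nothing here is a vulnerability in any product; it is simply what the protocol hands to anyone in the path, which is why the rest of the article is about finding and blocking it.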

How do you identify users who are using Basic Authentication against Microsoft 365 services? This is the interesting part: finding out who is connecting to Microsoft 365 resources with basic authentication, and from which client applications.


Identify Applications Using Basic Authentication


First Method: Using Azure AD Sign-in Logs


Let's use the Azure AD sign-in logs. Yes, you heard it correctly: the Azure AD sign-in report is enough to understand Basic Auth usage in your tenant. Let me explain this in steps.


Step 1: Sign in to the Azure portal, open Azure Active Directory, scroll down and you will see Sign-ins under Monitoring.


Step 2: On the Sign-ins page, click Add filters at the top of the page and choose Client app.


Step 3: Once the Client app filter has been added it shows as None Selected; click it and you get a drop-down with the list of client apps, grouped into Modern Authentication Clients and Legacy Authentication Clients. Select all the applications under Legacy Authentication Clients (Authenticated SMTP, AutoDiscover, Exchange ActiveSync, Exchange Online PowerShell, Exchange Web Services, IMAP4, MAPI Over HTTP, Offline Address Book, Outlook Anywhere (RPC over HTTP), POP3, Reporting Web Services and Other clients).


You can select one of the records to see which client app was used; in my example it is MAPI Over HTTP.



Now you can see all the sign-ins made by client apps that use basic authentication. Click Download to keep the report handy; make sure you have added Client app to the displayed columns (Columns at the top of the page), otherwise the app details will not be in the report.



Download sign-ins to Excel in JSON or CSV format


To download the sign-ins to JSON or CSV format, click on the Download button at the top of the Sign-ins page. If you filter the sign-ins by certain client apps, your download will be based on the filter selections you’ve made. We recommend downloading to JSON because this format includes all the sign-in details, including the user agent. The CSV format will only show the top-level information in each row of the sign-in logs.

You can then open a JSON file in Excel using the Get Data function.


Second Method: Using the Microsoft Graph API to Get Sign-ins


If you need more than 250,000 sign-in records (the portal download limit), or you want to automate the report, retrieve them with the audit logs API in Microsoft Graph. The caller needs the AuditLog.Read.All and Directory.Read.All permissions, and reading sign-in data through the API requires an Azure AD Premium license. Results are paged: each response carries a "value" array and, until the last page, an "@odata.nextLink" URL to request next.


GET tenant user activities: GET https://graph.microsoft.com/v1.0/auditLogs/directoryAudits
GET tenant user sign-ins: GET https://graph.microsoft.com/v1.0/auditLogs/signIns
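As an added example (not code from the original article), the following Python builds a filtered first-page URL for the signIns endpoint and summarizes legacy-authentication sign-ins per user and client app across the paged responses. The two response pages are constructed to match the shape of Graph's signIn resource (clientAppUsed, userPrincipalName, status.errorCode, userAgent); the user names, timestamps and skiptoken are placeholders, and the actual HTTP calls with a bearer token are left out so that it runs offline. Assuming the portal's JSON download carries the same field names, the same summary works on that file too.

```python
"""Pull legacy-authentication sign-ins out of Microsoft Graph
auditLogs/signIns responses and summarize them per user and client app.
Added example, not from the original article: the pages below are
constructed to look like Graph responses; a real run would GET each
'@odata.nextLink' with a bearer token that holds AuditLog.Read.All."""
from typing import Dict, Iterable, List, Optional, Tuple

GRAPH_SIGNINS = "https://graph.microsoft.com/v1.0/auditLogs/signIns"

# clientAppUsed values that the Azure AD sign-in log reports for protocols
# that only support basic (legacy) authentication.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "AutoDiscover", "Exchange ActiveSync",
    "Exchange Online PowerShell", "Exchange Web Services", "IMAP4",
    "MAPI Over HTTP", "Offline Address Book",
    "Outlook Anywhere (RPC over HTTP)", "POP3", "Reporting Web Services",
    "Other clients",
}


def signins_url(since_utc: str, client_app: Optional[str] = None, top: int = 1000) -> str:
    """First-page URL. Filtering server-side on createdDateTime (and
    optionally clientAppUsed) keeps the download small; $top is the page size."""
    flt = f"createdDateTime ge {since_utc}"
    if client_app:
        flt += f" and clientAppUsed eq '{client_app}'"
    return f"{GRAPH_SIGNINS}?$filter={flt}&$top={top}"


def iter_signins(pages: Iterable[dict]) -> Iterable[dict]:
    """Flatten paged responses: each page carries 'value' and, until the
    last one, an '@odata.nextLink' that the caller requests next."""
    for page in pages:
        yield from page.get("value", [])


def summarize_legacy(pages: Iterable[dict]) -> Dict[Tuple[str, str], Dict[str, int]]:
    """Count successful and failed legacy-auth sign-ins per (user, client app).
    status.errorCode 0 is success; a non-zero code (50126 = bad password)
    repeated across many users is the shape of a password spray."""
    summary: Dict[Tuple[str, str], Dict[str, int]] = {}
    for s in iter_signins(pages):
        app = s.get("clientAppUsed")
        if app not in LEGACY_CLIENT_APPS:
            continue                      # modern client: Browser, desktop apps
        key = (s.get("userPrincipalName", "<unknown>"), app)
        bucket = summary.setdefault(key, {"success": 0, "failure": 0})
        code = (s.get("status") or {}).get("errorCode", 0)
        bucket["success" if code == 0 else "failure"] += 1
    return summary


def legacy_users(summary: Dict[Tuple[str, str], Dict[str, int]]) -> List[str]:
    """Distinct users seen on any legacy client: the candidate exclusion list."""
    return sorted({user for (user, _app) in summary})


# Constructed sample: two pages, shaped like the API returns them.
SAMPLE_PAGES = [
    {
        "value": [
            {"createdDateTime": "2021-07-01T08:00:12Z", "userPrincipalName": "alice@contoso.example",
             "clientAppUsed": "MAPI Over HTTP", "status": {"errorCode": 0},
             "userAgent": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4266; Pro)"},
            {"createdDateTime": "2021-07-01T08:01:40Z", "userPrincipalName": "bob@contoso.example",
             "clientAppUsed": "Browser", "status": {"errorCode": 0}},
            {"createdDateTime": "2021-07-01T08:02:03Z", "userPrincipalName": "carol@contoso.example",
             "clientAppUsed": "IMAP4", "status": {"errorCode": 50126}},
        ],
        "@odata.nextLink": GRAPH_SIGNINS + "?$skiptoken=constructed-token",
    },
    {
        "value": [
            {"createdDateTime": "2021-07-01T08:02:09Z", "userPrincipalName": "carol@contoso.example",
             "clientAppUsed": "IMAP4", "status": {"errorCode": 50126}},
            {"createdDateTime": "2021-07-01T09:10:00Z", "userPrincipalName": "alice@contoso.example",
             "clientAppUsed": "MAPI Over HTTP", "status": {"errorCode": 0}},
            {"createdDateTime": "2021-07-01T09:30:00Z", "userPrincipalName": "scanner@contoso.example",
             "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 0}},
        ]
    },
]

if __name__ == "__main__":
    print(signins_url("2021-07-01T00:00:00Z", "IMAP4"))
    for (user, app), counts in sorted(summarize_legacy(SAMPLE_PAGES).items()):
        print(f"{user:28} {app:24} ok={counts['success']} failed={counts['failure']}")
```

Two things a practitioner should take from the output: the browser sign-in is ignored because it is not a legacy protocol, and the successful Authenticated SMTP sign-in from a service account is exactly the kind of device or script you have to track down before blocking basic authentication.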

Third Method: Using Conditional Access


The easiest way to monitor the impact of blocking legacy authentication without disrupting users is the Conditional Access report-only mode. Policies in report-only mode are evaluated at sign-in, but the grant controls are not enforced, so you can see who is using legacy authentication in real time without blocking them. Let me show you how to create a Conditional Access policy in report-only mode.

Log in to the Azure portal and open Azure Active Directory; under the Manage section you will see Security. Click it, and the next page is where Conditional Access is configured.

Select Conditional Access under Protect to reach the Policies page. There will be some predefined policies; let's create a new one by clicking New policy. For a legacy authentication block the settings are: Users and groups: All users, with your exclusion group (see below) under Exclude; Cloud apps or actions: All cloud apps; Conditions > Client apps: Exchange ActiveSync clients and Other clients; Grant: Block access; Enable policy: Report-only. Save the policy.


You can determine how many users would be blocked by the policy by opening the Conditional Access Insights workbook and selecting your policy in the Conditional Access policy filter.


To access this workbook (after you have integrated your sign-in logs with Azure Monitor), navigate to the Workbook blade and select Conditional Access Insights.

Clicking on a tile such as Failure filters the dashboard to the users who would be blocked by the policy. Create an exclusion group and add any users for whom you are not yet ready to block legacy authentication, then revisit the workbook as that list shrinks.

We can monitor the same thing using Azure AD workbooks and Log Analytics: navigate to the Workbooks blade and select Sign-ins. Before that, we need to stream the sign-in logs to a Log Analytics workspace from Azure AD > Diagnostic settings (select the SignInLogs category).

Here you will see information about which client apps are being used in your organization.

Using Kusto Query Language (KQL), you can write your own queries against the SigninLogs table in Azure Log Analytics to create custom reports, for example grouping sign-ins by the ClientAppUsed column.
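To show what the report-only policy and its evaluation amount to, here is an added Python example (not code from the article or from Microsoft) that builds the policy body in the form the Microsoft Graph Conditional Access API expects and re-computes, offline, which sign-ins the policy would have blocked, which is the number the Insights workbook's Failure tile and a KQL query over SigninLogs report. The exclusion group ID, its membership and the sign-in rows are constructed placeholders; creating the policy for real would be a POST of this body to https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies with the Policy.ReadWrite.ConditionalAccess permission.

```python
"""Build the report-only Conditional Access policy that blocks legacy
authentication, and estimate its impact offline from sign-in records.
Added example, not from the original article or from Microsoft: the group
ID, the group membership and the sign-in rows are constructed placeholders."""
from collections import Counter
from typing import Dict, Iterable, Set

# Hypothetical object ID of the exclusion group for users not yet ready to move.
EXCLUSION_GROUP_ID = "11111111-2222-3333-4444-555555555555"


def legacy_auth_block_policy(exclusion_group_id: str, report_only: bool = True) -> dict:
    """Request body for POST /identity/conditionalAccess/policies.
    'exchangeActiveSync' and 'other' are the clientAppTypes that match
    legacy-protocol clients; the report-only state logs the decision
    without enforcing it."""
    return {
        "displayName": "Block legacy authentication",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [exclusion_group_id]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def client_app_type(client_app_used: str) -> str:
    """Map the sign-in log's Client app column to the policy condition value."""
    if client_app_used == "Browser":
        return "browser"
    if client_app_used == "Mobile Apps and Desktop clients":
        return "mobileAppsAndDesktopClients"
    if client_app_used == "Exchange ActiveSync":
        return "exchangeActiveSync"
    return "other"   # IMAP4, POP3, SMTP, MAPI Over HTTP, EWS, ...: legacy protocols


def policy_result(policy: dict, signin: dict, exclusion_members: Set[str]) -> str:
    """Evaluate one sign-in against the policy. Returns 'notApplied',
    'reportOnlyFailure' or 'failure', the values the sign-in log's
    Conditional Access tab shows for report-only and enforced policies."""
    if signin["userPrincipalName"] in exclusion_members:
        return "notApplied"
    if client_app_type(signin["clientAppUsed"]) not in policy["conditions"]["clientAppTypes"]:
        return "notApplied"
    if "block" not in policy["grantControls"]["builtInControls"]:
        return "notApplied"
    report_only = policy["state"] == "enabledForReportingButNotEnforced"
    return "reportOnlyFailure" if report_only else "failure"


def impact(policy: dict, signins: Iterable[dict], exclusion_members: Set[str]) -> Dict[str, Counter]:
    """Per outcome, the number of sign-ins per user: the workbook's Failure tile."""
    out: Dict[str, Counter] = {}
    for s in signins:
        out.setdefault(policy_result(policy, s, exclusion_members), Counter())[s["userPrincipalName"]] += 1
    return out


# Constructed rows with the two columns the evaluation needs.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "MAPI Over HTTP"},
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser"},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "Exchange ActiveSync"},
    {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "IMAP4"},
    {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "IMAP4"},
    {"userPrincipalName": "dave@contoso.example", "clientAppUsed": "Mobile Apps and Desktop clients"},
]
EXCLUDED = {"bob@contoso.example"}   # constructed membership of the exclusion group

if __name__ == "__main__":
    policy = legacy_auth_block_policy(EXCLUSION_GROUP_ID)
    for outcome, per_user in impact(policy, SAMPLE_SIGNINS, EXCLUDED).items():
        print(outcome, dict(per_user))
```

Running it shows bob's ActiveSync sign-in as notApplied only because he is in the exclusion group; remove him from the group (or from EXCLUDED here) and his sign-in joins the Failure count. Flipping report_only to False turns every reportOnlyFailure into a real failure, which is the one-step change you make in the portal once the Failure tile is empty.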


Conclusion


In this article, you learned how to identify users who are using Basic Authentication in your tenant, using the Azure AD sign-in logs, the Microsoft Graph API, and Conditional Access in report-only mode. This will help you plan for blocking Basic Authentication in your tenant.


If you enjoyed this article, you may also like my blog post How to Disable Basic Authentication.
