Microsoft have announced that they will retire the Basic Authentication method from Office 365 Exchange Online and make Modern Authentication method the standard way of authenticating going forward.
There are continues updates in the M365 Admin Center messages and what admins need to do to prepare for the change.
Companies now have to prepare for the change and Microsoft is sending continuous updates on what we need to do and how to identify how many clients are using Basic Auth to connect Outlook/ Exchange Server.
I have written a quick set of guidelines that will help you to see all the important points in on go.
This will include the steps to enable Modern Authentication and block the Basic Authentication.
When will they retire Basic Authentication?
Microsoft has initially planned it for the 13th October 2020
But with the current COVID-19 crisis situation, they have moved the dates to the 2nd half of 2021, but still encouraging the organizations to do their part.
What is Basic Authentication?
why its not the best Authentication method for Emails?
Simply put, Basic Auth is where Client app passes the username and the password with every request. Uses simple HTTP login methods and prone to Password Spray attacks. remember how you add a new email account to Outlook and it pop-up to enter credentials? That’s the Basic Auth prompt.
Protocols that uses Basic Auth
Exchange ActiveSync
IMAP4
POP3
Remote PowerShell
Exchange Web Services (Shared mailboxes and etc.)
What is Modern Authentication?
This method is based upon OAuth 2.0 tokens for authentication and Authorization and which uses Azure ADAL (Azure Active Directory Authentication Library)
This gives you the ability to basically get rid of the previous App Passwords and can easily implement the Modern Identity Management features like MFA, Azure AD Conditional Access Policies and etc.
More on Azure ADAL
How Modern Authentication works?
The example I’ve chosen here is very standard. The user is trying to access Exchange Online from a hybrid environment. Active Directory On-prem is syncing the password hashes via the Directory Sync
User trying to login to Outlook on the web (OWA)
Exchange Online sends a request back to the client asking to get the token
OWA sends the token request to the Azure AD
Azure AD checks for the user details and send the token to the user
OWA sends the token back the Office 365
User logs in to OWA
What Desktop and Mobile Clients Use Modern Authentication?
Outlook 2013 and 2016 for Windows (2013 only with a Registry modification)
Outlook 2016 for Mac (recent Office 365 releases only)
Outlook for iOS and Android
Recent Exchange ActiveSync clients (e.g., iOS 11 and 12 Mail)
No mention on native Android email clients as the recommended mail app on Android is the Outlook app (Samsung is endorsing it already in their phone OS)Make sure The Office 365 App builds are as below
Office 365 Monthly Channel update clients – Version 16.0.11901.20216 and later
Office 365 Semi-Annual update clients – Version 16.0.11328.20392 and lateriOS 11.0 version upwards will support OAuth 2.0 for Modern Auth in the native Mail app
If anyone is using a native mail app that comes with Android most likely it has to be changed with the Outlook for Android app
Outlook 2013 Registry Change
Warning – Changes to the registry should be done at your own risk. It’s always recommended to backup the machine or perform in a test environment.
Path: HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL
Type: REG_DWORD
Value: 1
Path:
HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version
Type: REG_DWORD
Value: 1
This can pushed via a group policy if required.
How to check the Basic Auth sign-in reports?
This is how you can identify who are the user and what applications/ protocols they are using to connect using Basic Authentication.
Login to Microsoft 365 Admin Portal with your Global Admin account (https://admin.microsoft.com)
Go to Admin Centers and select the Azure AD portal > Click on Sign-Ins that’s under monitoring
Click on Columns and select Client app
Click on Add Filters and Select Client App
Click on Client App and Select everything under “Legacy Authentication Clients”
And the details will look like this
“CBAinProd” is Exchange Online’s way of identifying authentication attempts via basic auth.
Exchange Server On-prem Hybrid Modern Auth changes
I found this great article which nicely explains regarding the prerequisites and the steps to follow
Your environment is ready to go. How to make the switch?
- Again, make sure the supported Outlook clients have been installed as mentioned above
Outlook Clients which has Shared mailboxes added will get “DISCONNECTED” which can be a critical issue as we have a lot of users who are using Shared Mailboxes – The solution for this is to re-create the Outlook profile, which can be a tedious process. This can be resolved without going into that nightmare if you have updated the Office Suite to the correct versions. Best to complete this task before you make the switch to modern auth.
Check the KB Article
Legacy Outlook versions may stop working altogether as they are unable to make a connection to the Exchange Online and Azure AD.
Make sure Modern Authentication is enabled for the Tenant or turn by connecting to PowerShell - Connect to Exchange Online
Check the status Get-OrganizationConfig | fl *OAuth*
run this command to enable Modern Authentication
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
Remember the above command does not block Basic Auth for the supported apps.
When you enable modern authentication in Exchange Online, Windows-based Outlook clients that support modern authentication will be prompted to log in again
According to Microsoft For tenants created before August 1, 2017, modern authentication is turned off by default for Exchange Online and Skype for Business Online.
- Create a Authentication Policy > Disable Basic Auth for the protocols
New-AuthenticationPolicy -Name “BlockBasicAuth” - Disable the protocols in that policy
Get-authenticationpolicy -name BlockBasicAuth
Eg – Disable Basic Auth from SMTP protocol
Set-authenticationpolicy BlockBasicAuth -AllowBasicAuthSmtp $true
Make sure all the necessary protocols are blocked Parameters are as below
AllowBasicAuthActiveSync
AllowBasicAuthAutodiscover
AllowBasicAuthImap
AllowBasicAuthLogExport
AllowBasicAuthMapi
AllowBasicAuthOfflineAddressBook
AllowBasicAuthOutlookService
AllowBasicAuthPop
AllowBasicAuthReportingWebServices
AllowBasicAuthRest
AllowBasicAuthRpc
AllowBasicAuthSmtp
AllowBasicAuthWebServices
AllowBasicAuthPowershell
- Assign the above authentication policy to users
Set-User -Identity username -AuthenticationPolicy BlockBasicAuth
Enable it for all accounts
Get-user | Set-user -authenticationpolicy BlockBasicAuth - Define the Default Protocol Authentication Policy – Organization wide. In this way, any newly created user will absorb the policy
Set-OrganizationConfig -DefaultAuthenticationPolicy BlockBasicAuth
Blocking Basic authentication will block app passwords in Exchange Online. If you already have setup app passwords, this will prompt to enter the credentials for the modern authentication window followed by the MFA challenge. - Check the results
To see if the Modern Auth is now enabled
Get-OrganizationConfig | fl *OAuth*
To See if the newly created authentication policy is the default policy for authentication
Get-OrganizationConfig | fl DefaultAuthenticationPolicy
Final thoughts
I hope this article is helpful for you to take that decision sooner rather than later and prepare your environment accordingly and go for that switch.
EMS Route - Shehan Perera 