Sometime a go I wrote on How to Disable Basic auth to make way to Modern Authentication. The procedure is manageable and with a bit of effort, you can achieve it with less or no noise in your Organization.
Either you block Basic Auth via an Azure AD Conditional Access policy or creating an EXO authentication policy and applying it to the users, you must plan it well. Things may go pear shaped if you don’t take everything in to consideration.
Some challenges you may face according to my experience
Mobile devices may (will) not always behave as expected
iOS has included Modern Authentication on iOS devices that runs version 11 and above. However I saw some users who had iOS 12.4.X had the legacy login prompt coming up continuously on the screen and it will never go away.
Its almost like the phone’s native mail app profile has saved the old configuration and not changed the authentication method automatically.
This happened in few phones out of a lot of devices but no clear reason as to why it happened.
Hard reset did not work. The last resort was to remove the mail profile and create a new profile or directing them to install the Outlook on mobile app.
Always keep two authentication polices!
According to the best practice, it’s advisable to make the Block Basic Authentication policy to be the Default Auth policy in the Organization config. This is to absorb that policy to any mailbox that doesn’t have a auth policy added. Try applying the policy to every user you are creating? That’s an additional overhead for sure. Instead, making the Org Config change is easy.
So why two policies? You still might have service accounts, printers and MFDs, LOB apps that’s using some legacy protocol. Eg: BasicAuthSMTP. You’ll have to have the 2nd policy by enabling those protocols ON.
Important: Make sure, you create your batch files accurately because last thing you need is not to block a protocol on a critical system that relays emails by using that protocol.
Be ready to apply the policy that has legacy protocols ON. Usually the Auth policy takes 24 hours to apply on the user account. But run the below command to make it apply in 30 – 40 minutes.
Set-User -Identity <UPN> -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)
Outlook client/ Office client updates
Make sure you don’t have Office 2010 clients in the environment.
Office 2013 client will work with Modern Auth only if the registry change is done properly.
Guides and advise helpdesk with how to add mailboxes
This is important. The frontline should know the changes that’s happening. After blocking Basic auth, it’ll connect Outlook via Modern Auth and the behavior is bit different. No harm informing them about this.
Get info app vendors on when they are changing
For any 3rd part apps that’s using legacy protocols to relay emails, the app vendor should be able to change the code and adopt the Modern auth methods going forward. This would not happen right away. You still might have to have the auth policy to enable those legacy protocols for the time being. Inform them that your organization has done the change and planning to remove Basic auth from all the accounts. Most of the vendors are already working on this as this is a mandatory change.
Risk based Sign-in Conditional Access Policies for accounts with legacy protocols ON
If you are concerned on those service accounts with legacy protocols ON, you can create Risk Based Conditional Access policies to enable monitoring and action on them. You need Azure AD P2 license for this purpose.
Summary
These changes will impact on user productivity. It’s all about how you manage a change like this depending on the size of your organization. The change on blocking Basic auth and enabling Modern auth will open a new side of authentication with many possibilities with OAuth2 and OIDC layer and can address many issues that Legacy protocols had.
EMS Route - Shehan Perera 