How to disable basic authentication using Conditional Access

As you might have read on some other blogs, basic authentication for Microsoft Exchange Online is almost out of support. The date, the 13th of October, is getting closer and closer.

Basic authentication in Exchange Online uses a username and a password for client access requests. Blocking Basic auth can help protect your Exchange Online organization from brute force or password spray attacks. When you disable Basic auth for users in Exchange Online, their email clients and apps must support modern authentication. Those clients are:

If your organization has no legacy email clients, you can use authentication policies in Exchange Online to disable Basic auth requests, which forces all client access requests to use modern auth. For more information about modern authentication, see Using modern authentication with Office clients.

Blocking Basic authentication using conditional access

The action you need to take is actually pretty easy and basically low-hanging fruit.

  1. Go to Conditional access
  2. Create a new conditional access policy
  3. Enter a name for this policy, something like "Block Basic authentication".
  4. Under Assignments, click Users and groups, and select the users and groups you want this policy to apply to. I recommend everybody.
  5. Under Cloud apps or actions, select All cloud apps.
  6. The next step we will find under Conditions > Client apps (preview):
     • Configure: Yes.
     • Keep all selected checkboxes checked.
  7. After this, click Create.

You now have created a conditional access rule that blocks basic auth for all cloud apps.
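The same policy can be created from PowerShell instead of the portal. The script below is an added example and not code from the original post; it assumes the Microsoft Graph PowerShell module is installed and that the signed-in account may manage Conditional Access. Two choices differ from the clicks above and are this editor's, not the author's: the client apps condition is limited to the two legacy client app types (Exchange ActiveSync clients and Other clients), which is Microsoft's documented way to target basic authentication, and the policy starts in report-only mode so the sign-in logs show who would be blocked before it is enforced.

```powershell
# Added example: create a "Block Basic authentication" Conditional Access policy
# with Microsoft Graph PowerShell. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "Block Basic authentication"   # constructed name, change as needed

    # Report-only first: sign-in logs then record "Report-only: Failure" for
    # every legacy-auth sign-in the policy would have blocked. Switch the state
    # to "enabled" once no legitimate clients show up in those entries.
    state = "enabledForReportingButNotEnforced"

    conditions = @{
        users = @{
            includeUsers = @("All")
            # Add the object id of your emergency-access (break-glass) account
            # to excludeUsers before enforcing, so a policy mistake cannot lock
            # every administrator out of the tenant.
            excludeUsers = @()
        }
        applications = @{
            includeApplications = @("All")
        }
        # Basic authentication only arrives through these two client app types
        # (POP, IMAP, SMTP AUTH and older Outlook builds report as "other");
        # modern-auth browsers and desktop clients are left untouched.
        clientAppTypes = @("exchangeActiveSync", "other")
    }

    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Later, after reviewing the report-only results, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```

While the policy is in report-only mode, filter the Azure AD sign-in logs on the policy name to see which accounts and protocols still depend on basic authentication before you flip it to enabled.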

Now that we are on the subject of security, you can also check out my other blogs related to Azure AD security.

MFA and SSPR from trusted location

Passwordless sign in to Office 365

April 2020 Update: Microsoft postponed disabling basic authentication in Exchange Online to 2021

Due to the COVID-19 crisis, Microsoft postponed disabling basic authentication in Exchange Online to the second half of 2021 for tenants that use basic authentication.

For newly created tenants, basic authentication is disabled by default, and basic authentication will be disabled for existing tenants that have no recorded usage from October 2020 onwards. Since Microsoft wants to improve security, it will continue to roll out OAuth support for POP, IMAP, SMTP AUTH, and Remote PowerShell.
