As you might have read on some other blogs, Basic authentication for Microsoft Exchange Online is almost out of support. The date, the 13th of October, is getting closer and closer.
Basic authentication in Exchange Online uses a username and a password for client access requests. Blocking Basic auth can help protect your Exchange Online organization from brute force or password spray attacks. When you disable Basic auth for users in Exchange Online, their email clients and apps must support modern authentication. Those clients are:
- Outlook 2013 or later (Outlook 2013 requires a registry key change. See Enable Modern Authentication for Office 2013 on Windows devices for more information.)
- Outlook 2016 for Mac or later
- Outlook for iOS and Android
- Mail for iOS 11.3.1 or later
If your organization has no legacy email clients, you can use authentication policies in Exchange Online to disable Basic auth requests, which forces all client access requests to use modern auth. For more information about modern authentication, see Using modern authentication with Office clients.
Blocking Basic authentication using conditional access
The action you need to take is actually pretty easy and basically low-hanging fruit.
- Go to Conditional Access.
- Create a new conditional access policy.
- Enter a name for this policy, something like "Block Basic authentication".
- Under Assignments, click Users and groups, and select the users and groups you want this policy to apply to. I recommend everybody.
- Under Cloud apps or actions, select All cloud apps.
- The next step is under Conditions > Client apps (preview):
  - Set Configure to Yes.
  - Keep all the selected checkboxes checked.
- After this, click Create.
You now have created a conditional access rule that blocks basic auth for all cloud apps.
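As an added example (not code from the original post), the Python below first triages exported Azure AD sign-in records for clients that still use legacy authentication, then builds the Microsoft Graph request body equivalent to the policy created in the steps above. The sign-in records, user names and error codes are constructed sample data.

```python
import json
from collections import Counter

# Client app types Azure AD reports for modern-auth sign-ins; anything else
# ("Exchange ActiveSync", "Other clients", "IMAP", "Authenticated SMTP", ...) is legacy.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample records in the shape of an exported sign-in log (not real data).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser", "errorCode": 0},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP", "errorCode": 0},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP", "errorCode": 0},
    {"userPrincipalName": "scanner@contoso.example", "clientAppUsed": "Authenticated SMTP", "errorCode": 0},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP", "errorCode": 50126},
    {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "Mobile Apps and Desktop clients", "errorCode": 0},
]


def legacy_auth_usage(signins):
    """Count successful legacy-auth sign-ins per (user, client app).
    Failed attempts are skipped: a password spray against IMAP shows up as
    failures and must not be mistaken for a client that still needs Basic auth."""
    counts = Counter()
    for rec in signins:
        if rec["errorCode"] == 0 and rec["clientAppUsed"] not in MODERN_CLIENT_APPS:
            counts[(rec["userPrincipalName"], rec["clientAppUsed"])] += 1
    return counts


def block_legacy_auth_policy(name="Block Basic authentication", report_only=True):
    """Graph request body (POST /identity/conditionalAccess/policies) matching the
    portal steps: all users, all cloud apps, legacy client apps, grant = block.
    Start in report-only mode and switch to "enabled" once the log review is clean."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    for (user, app), n in sorted(legacy_auth_usage(SAMPLE_SIGNINS).items()):
        print(f"{user}: {n} successful legacy sign-in(s) via {app}")
    print(json.dumps(block_legacy_auth_policy(), indent=2))
```

Run the triage against a real sign-in export (the same field names appear in the portal's JSON download) before switching the policy from report-only to enabled, so that a scanner or shared mailbox still on IMAP or SMTP is migrated rather than silently broken.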
Now that we are into security, you can also check out my other blogs related to Azure AD security.
April 2020 Update: Microsoft postponed disabling basic authentication in Exchange Online to 2021
Due to the COVID-19 crisis, Microsoft postponed disabling Basic authentication in Exchange Online to the second half of 2021 for tenants that use Basic authentication.
For newly created tenants, Basic authentication is disabled by default, and Basic authentication will be disabled for tenants that have no recorded usage from October 2020. Since Microsoft wants to improve security, it will continue to roll out OAuth support for POP, IMAP, SMTP AUTH, and Remote PowerShell.