When accessing Exchange Online from a client like Outlook or ActiveSync, clients have traditionally used Basic Authentication (also known as Legacy Authentication). You will have seen this in action if you’ve performed migrations to Exchange Online with clients like Outlook 2010, and a native password dialogue like this is shown to the user after the migration completes.
The reason for this is because authenticating to Exchange Online can work in the same way as external users authenticate to an Exchange On-Premises infrastructure. This means it’s easier for older clients as they just see Office 365 and Exchange Online as another Exchange Server. However, it’s not as good when it comes to true single sign-on and security.
Modern Authentication was introduced to Exchange Online around four years ago and has been the default for clients such as Outlook 2016 since launch, and is used by the wider Office suite, including Outlook Mobile, Microsoft Teams and OneDrive for Business. Modern Authentication uses web-based sign via OAuth in allowing full single sign on, and rich multi-factor authentication processes.
In most cases, authentication prompts from clients like Outlook become non-existent. When they do occur, they look very different from the Basic Authentication prompt used with older versions of Outlook.
What’s the problem with Basic Authentication?
Using Basic Authentication means you don’t get support for true Single Sign-On, but even if you are using Modern Authentication to access Office 365 and leave Basic Authentication enabled as a back-up you may wish to disable it for security reasons.
Today it’s necessary for many organizations to utilize Multi-Factor Authentication to protect accounts. Basic Authentication doesn’t support this, and instead the solution is to use App Passwords. App Passwords are simply a long password used instead of Multi-Factor Authentication and can be used to by-pass it. The security issues associated with Basic Authentication especially when an organization believes it’s locked down by MFA are well documented in the computing press and have resulted in data and monetary losses.
Even if you don’t have MFA enabled today and don’t wish to enable it, then you may wish to disable Basic Authentication due to the proliferation of password spray attacks. Because Basic Authentication uses simple HTTP login methods, rather than more complex OAuth-based authentication mechanisms, it’s much easier for a potential attacker to target a service like Exchange Web Services with a script or tool to attempt to guess user or admin passwords.
Should you use Azure AD Premium Conditional Access instead?
Conditional Access is part of Azure AD Premium Plan 1, which you will usually buy as part of Microsoft 365 E3 or EMS E3 licensing alongside Office 365 E3 plans.
Conditional Access allows you to define who, from what device and from where people can log into different Azure AD secured services like Office 365.
You may for example, allow user access to Yammer from anywhere, but only allow Exchange Online, OneDrive, SharePoint and Teams access from within Office locations.
You might allow external access to all your Office 365 services, but ensure that Multi-Factor Authentication is used, and access is only allowed from enrolled or domain-joined devices.
Because Conditional Access relies upon Modern Authentication to enforce policies, it provides the ability to switch off authentication using Basic Authentication. This applies not only to Exchange Online, but also to other services, like SharePoint, too. This will provide the same result, although configuring it in Exchange Online denies the request before authentication to the back-end provider occurs, rather than after.
If you don’t have Azure AD Premium or are choosing to use other methods – like AD FS – for enforcing conditions for access, then you will most likely wish to block Basic Authentication at Exchange Online.
New Policies in Exchange Online
This October, Microsoft released Authentication Policies in Exchange Online. Authentication Policies allow you to define which services block and allow Basic Authentication. You can switch on and off policies for these services:
- IMAP and POP3
- MAPI HTTP
- RPC over HTTP (Outlook Anywhere)
- Exchange Web Services
- REST API Access
- Offline Address Book
- Reporting Services
- Outlook Service, used by Windows 10’s Mail and Calendar App
In the example below, we’ll define two policies to block Basic Authentication.
- Block All Basic Authentication. We’ll apply this policy to a test user, and then apply to additional users until we are happy this should be the default.
- Block IMAP, POP3 and SMTP submission using Basic Authentication. We’ll set this as the default policy for our tenant, as in our example organization, we know we have no users who should use these protocols.
Creating a policy and applying it to a user
We’ll create our first policy that blocks all basic authentication. This is straightforward, as we’re able to create a new authentication policy without any settings, because by default a new policy will block basic authentication for all protocols. We’ll use the New-AuthenticationPolicy cmdlet to create the policy. Once created, the Set-User cmdlet is used to assign it.
We’ll apply this to our test user, using syntax as shown below:
New-AuthenticationPolicy -Name "Block Basic Authentication" Set-User -Identity "email@example.com" -AuthenticationPolicy "Block Basic Authentication"
Creating a policy and applying it as the organization default
Our second example will be used to block IMAP, POP3 and SMTP. We’ll use the same syntax to create a policy, and then use the Set-AuthenticationPolicy to selectively re-enable Basic Authentication for protocols other than IMAP, POP3 and SMTP.
New-AuthenticationPolicy -Name "Block Basic Auth - IMAP POP3 and SMTP" Set-AuthenticationPolicy -Identity "Block Basic Auth - IMAP POP3 and SMTP" ` -AllowBasicAuthWebServices -AllowBasicAuthOutlookService ` -AllowBasicAuthReportingWebServices -AllowBasicAuthActiveSync ` -AllowBasicAuthRest -AllowBasicAuthPowershell -AllowBasicAuthMapi ` -AllowBasicAuthOfflineAddressBook -AllowBasicAuthAutodiscover ` -AllowBasicAuthRpc
We can check that worked, by using the Get-AuthenticationPolicy cmdlet. If we filter on AllowBasicAuth* we will see which services have Basic Authentication enabled with this policy:
Get-AuthenticationPolicy -Identity "Block Basic Auth - IMAP POP3 and SMTP" | fl AllowBasicAuth* AllowBasicAuthActiveSync : True AllowBasicAuthAutodiscover : True AllowBasicAuthImap : False AllowBasicAuthLogExport : True AllowBasicAuthMapi : True AllowBasicAuthOfflineAddressBook : True AllowBasicAuthOutlookService : True AllowBasicAuthPop : False AllowBasicAuthReportingWebServices : True AllowBasicAuthRest : True AllowBasicAuthRpc : True AllowBasicAuthSmtp : False AllowBasicAuthWebServices : True AllowBasicAuthPowershell : True
If we are happy that this will be the default configuration for all users who do not have an Authentication Policy assigned, then we can use the Set-OrganizationConfig cmdlet to set the default policy for all users within the organization:
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth - IMAP POP3 and SMTP"
A word of caution
As there’s not any reporting available today to understand whether your users are using clients that support Modern Authentication, nor reporting on which clients are currently using Modern Authentication, enabling Authentication Policies could have undesired effects, such as calls from users no longer able to connect. Therefore, ensure you read Microsoft’s guidance on Authentication Policies to ensure you have supported clients, and use a thorough testing process before mass rollout where there is uncertainty.
You can use Authentication Policies in Exchange Online to block Basic Authentication to your Exchange Online tenant. This is an excellent change as it doesn’t require additional Azure AD Premium licensing to take advantage of, so is extremely useful for organizations using the core Office 365 licensing.