Disable Microsoft Exchange Unnoticed Basic Authentication Protocols in One Go!

Disable Microsoft Exchange Unnoticed Basic Authentication Protocols in One Go!

Previously, on October 1, 2022, Microsoft stated that it would begin to disable basic authentication for Exchange Online. As of November 2022, Microsoft has deprecated basic authentication protocols for all Office 365 organizations unless they have requested a temporary pause. 

But in reality, have all the basic authentication protocols been disabled? Unfortunately, no! It’s true that turning off basic authentication in Microsoft 365 admin center does not disable all the legacy services.  

Yes, Microsoft leaves some of the legacy services turned on, even if you turned off basic authentication protocols via Microsoft 365 admin center. Surprising, isn’t it? Yes, for real! So, with that said, let’s dive deep into the legacy auth protocols left uncared for and how to deal with them in this blog. 

 

Does Your Office 365 Tenant Still Use Basic Authentication? 

Every Office 365 tenant created after 2019 will have security defaults enabled (modern authentication) by default. If you wish to verify this, follow the path below and check whether the following image is obtained. 

Microsoft 365 Admin Center → Settings → Org Settings → Modern Authentication (Under the ‘Services’ tab). 

enable modern authentication by default

No worries if the above context is displayed! Your organization does not use basic authentication protocols. But what if it shows like the below image? 

enable basic authentication protocols

I see a lot of risks! Because, here, the organization still allows basic authentication protocols for their Office 365 users. So, it’s imperative to undergo the pivotal step of using the basic authentication report to identify users who are still using basic authentication methods. 

 

Disable Basic Authentication in Exchange Online: 

 Next, we will now disable the basic authentication protocols in use.  

👆A click is all it takes to block basic authentication, and you’re done! Navigate to the below path and uncheck all the legacy services such as Outlook client, Exchange ActiveSync (EAS), Autodiscover, IMAP4, POP3, Authenticated SMTP, and Exchange Online PowerShell to block access to basic auth protocols. 

Microsoft 365 Admin Center → Settings → Org Settings → Modern Authentication (Under the ‘Services’ tab). 

 

What Are the Microsoft Exchange Basic Authentication Protocols That Are Not Disabled? 

By default, for newly created users, Exchange uses the tenant’s default protocol authentication policy. The Get-AuthenticationPolicy method will return a null value unless you define a default authentication policy in the organization. 

However, when you change the basic auth access setting in the admin center, a default authentication policy will be created and registered in the organization policy. Since I have updated the basic authentication policy in the past, the default authentication policy got updated. 

Below is an image of the updated authentication policy when I performed certain activities in basic auth protocols. To get the default authentication policy name, you can use the following cmdlet: 

Get-AuthenticationPolicy | Format-Table –Auto Name

get authentication policy name

When the day came to turn off the legacy services, I blocked all the basic authentication protocols in Microsoft 365 admin center. But, eventually came to know that it didn’t surely block all the basic authentication protocols⚠️ 

You can use the following command that details the authentication policies used in your organization and the status of each authentication protocol. 

Get-AuthenticationPolicy 

Get-AuthenticationPolicy

Finally, here is the final checkmate! And, now when you notice the above image, you will find the AllowBasicAuthOutlookService and AllowBasicAuthReportingWebServices are not completely disabled and their status is set to ‘True’ (i.e., They’re still currently in use).  

These legacy services are used for the following purpose.  

  • AllowBasicAuthOutlookService – Specifies whether to allow basic authentication for Outlook services such as mail, and calendar apps. 
  • AllowBasicAuthReportingWebServices – Specifies whether to allow basic authentication with reporting web services to retrieve report data in Exchange Online. 

But why does it really happen? Microsoft left turned on some reporting web services turned on to get access to Message tracking logs and more. Therefore, these reporting web services will be enabled until December 31st. Importantly, there is no opt-out or re-enablement required. However, if you do not want this basic authentication protocol to be turned on, Microsoft has provided a cmdlet solution.

Disable All Basic Authentication Protocols in a Shot 

 Despite Microsoft didn’t block some basic authentication protocols and raising a big risk, there is an easy fix! All it takes is a single PowerShell cmdlet to block the left legacy auth protocols. 

Set-AuthenticationPolicy -Identity " BlockBasic638040894239540475" -AllowBasicAuthReportingWebServices:$false -AllowBasicAuthOutlookService:$false

disable basic authentication protocols

With the above image, now you can see AllowBasicAuthOutlookService and AllowBasicAuthReportingWebServices are set to false (i.e., all basic authentication protocols are disabled completely). 

Still not done! The previous command gets implemented only on new mailboxes any new mailboxes but not existing mailboxes. So, to apply the policy to existing mailboxes, use the following command: 

$mbx = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize unlimited 

$mbx | foreach {Set-User -Identity $_.ExchangeObjectID.tostring() -AuthenticationPolicy <AuthenticationPolicyName>}

 

That’s it, there you go! Finally, we’ve blocked all the entry points for an attacker to enter our Office 365 organization. This blog hopefully sheds light on one of the riskiest and unnoticed legacy service allowances. Feel free to shoot your questions, we would be glad to assist you!     

Disable Microsoft Exchange Unnoticed Basic Authentication Protocols in One Go!

by Pavithra time to read: 3 min
0