Microsoft is retiring Basic Authentication, because Modern Authentication is here to stay!

Microsoft has announced that it will retire the Basic Authentication method from Office 365 Exchange Online and make Modern Authentication the standard way of authenticating going forward.
There are continuous updates in the M365 Admin Center message center on what admins need to do to prepare for the change.

Companies now have to prepare for the change, and Microsoft is sending continuous updates on what we need to do and how to identify how many clients are using Basic Auth to connect to Outlook / Exchange Server.

I have written a quick set of guidelines that will help you see all the important points in one go.
This includes the steps to enable Modern Authentication and block Basic Authentication.

When will they retire Basic Authentication?

Microsoft had initially planned it for the 13th of October 2020.
With the current COVID-19 crisis, they have moved the date to the second half of 2021, but are still encouraging organizations to do their part.

What is Basic Authentication, and why is it not the best authentication method for email?

Simply put, Basic Auth is where the client app passes the username and password with every request. It uses the simple HTTP login method and is prone to password spray attacks. Remember how, when you add a new email account to Outlook, a window pops up asking you to enter credentials? That’s the Basic Auth prompt.

Basic Authentication Login prompt

Protocols that use Basic Auth
Exchange ActiveSync
IMAP4
POP3
Remote PowerShell
Exchange Web Services (shared mailboxes, etc.)


What is Modern Authentication?

This method is based on OAuth 2.0 tokens for authentication and authorization, and uses Azure ADAL (Azure Active Directory Authentication Library).

This gives you the ability to get rid of the previous app passwords and to easily implement modern identity management features like MFA, Azure AD Conditional Access policies, etc.
More on Azure ADAL

Modern Authentication login


How does Modern Authentication work?

The example I’ve chosen here is very standard. The user is trying to access Exchange Online from a hybrid environment, where on-premises Active Directory is syncing the password hashes to Azure AD via Directory Sync.

Modern Authentication Workflow
  1. The user tries to log in to Outlook on the web (OWA)

  2. Exchange Online sends a request back to the client asking it to obtain a token

  3. OWA sends the token request to Azure AD

  4. Azure AD checks the user details and sends the token to the user

  5. OWA sends the token back to Office 365

  6. The user is logged in to OWA

Which desktop and mobile clients use Modern Authentication?

  • Outlook 2013 and 2016 for Windows (2013 only with a registry modification)

  • Outlook 2016 for Mac (recent Office 365 releases only)

  • Outlook for iOS and Android

  • Recent Exchange ActiveSync clients (e.g., iOS 11 and 12 Mail)
    There is no mention of native Android email clients, as the recommended mail app on Android is the Outlook app (Samsung already endorses it in its phone OS)

  • Make sure the Office 365 app builds are as below:
    Office 365 Monthly Channel update clients – Version 16.0.11901.20216 and later
    Office 365 Semi-Annual update clients – Version 16.0.11328.20392 and later

  • iOS 11.0 and later support OAuth 2.0 for Modern Auth in the native Mail app

  • If anyone is using the native mail app that comes with Android, it most likely has to be replaced with the Outlook for Android app

Outlook 2013 Registry Change

Warning – Changes to the registry should be done at your own risk. It’s always recommended to backup the machine or perform in a test environment.

Path: HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL
Type: REG_DWORD
Value: 1

Path:
HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version
Type: REG_DWORD
Value: 1

This can be pushed via Group Policy if required.
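The same two values, applied and verified from PowerShell, as an added example that is not part of the original post. It writes the EnableADAL and Version values named above under the current user's hive (HKCU), creates the Identity key if Outlook 2013 has never written it, and fails loudly if either value does not end up as 1, which is what you want from a logon script pushed through Group Policy. Nothing beyond the page's own registry path and values is assumed.

```powershell
# Added example (not from the original post): apply and verify the two
# Outlook 2013 registry values that turn on ADAL (Modern Authentication).
# Runs as the logged-on user, since both values live under HKCU.

$KeyPath = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'

# Values named on the page; REG_DWORD maps to PowerShell's 'DWord' type.
$Wanted = @{
    EnableADAL = 1
    Version    = 1
}

function Get-OutlookAdalState {
    # Returns a hashtable of the current values (missing values come back as $null).
    $state = @{}
    foreach ($name in $Wanted.Keys) {
        $item = Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue
        $state[$name] = if ($item) { $item.$name } else { $null }
    }
    return $state
}

function Set-OutlookAdalState {
    # Creates the key if it does not exist yet, then sets both values.
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    foreach ($name in $Wanted.Keys) {
        # -Force overwrites an existing value, whatever its current type.
        New-ItemProperty -Path $KeyPath -Name $name -PropertyType DWord `
            -Value $Wanted[$name] -Force | Out-Null
    }
}

# --- usage ---
Write-Host 'Before:'; Get-OutlookAdalState | Format-Table -AutoSize
Set-OutlookAdalState
$after = Get-OutlookAdalState
Write-Host 'After:';  $after | Format-Table -AutoSize

# Verification: throw if either value is not 1, so a deployment mechanism
# (GPO logon script, Intune, etc.) sees a non-zero exit and reports it.
foreach ($name in $Wanted.Keys) {
    if ($after[$name] -ne $Wanted[$name]) {
        throw "Registry value $name is '$($after[$name])', expected $($Wanted[$name])"
    }
}
Write-Host 'Outlook 2013 Modern Authentication registry values are in place.'
```

Because the values are per-user, run it in the user's context (a Group Policy logon script or a user-scoped Intune script) rather than as SYSTEM, or the write lands in the wrong hive.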

How do you check the Basic Auth sign-in reports?

This is how you can identify which users are connecting using Basic Authentication and what applications / protocols they are using.

Log in to the Microsoft 365 Admin Portal with your Global Admin account (https://admin.microsoft.com)

Go to Admin Centers and select the Azure AD portal, then click on Sign-ins under Monitoring

Click on Columns and select Client app

Click on Add Filters and Select Client App

Click on Client App and Select everything under “Legacy Authentication Clients”

The details will look like this.
“CBAinProd” is Exchange Online’s way of identifying authentication attempts via Basic Auth.
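The portal filter above answers the question interactively; for a larger tenant you will want the same answer as a list you can hand to the helpdesk. The script below is an added example, not part of the original post, and works offline on the CSV you get from the sign-ins blade's Download button. The column names ("Date (UTC)", "User", "Application", "Client app", "Status") are my assumption of the export's headers, the sample rows are constructed, and the $LegacyClientApps list is my transcription of the portal's "Legacy Authentication Clients" filter group, so check both against your own export before trusting the counts.

```powershell
# Added example (not from the original post): summarise which users and
# protocols still sign in with Basic Auth, from an Azure AD sign-in log export.
# Column names are assumed to match the portal's "Download CSV" export;
# the sample rows below are constructed.

# Client app values that mean legacy (Basic) authentication was used.
# Assumption: this mirrors the portal's "Legacy Authentication Clients" group.
$LegacyClientApps = @(
    'Authenticated SMTP', 'Autodiscover', 'Exchange ActiveSync',
    'Exchange Online PowerShell', 'Exchange Web Services', 'IMAP4',
    'MAPI Over HTTP', 'Offline Address Book', 'Other clients',
    'Outlook Anywhere (RPC over HTTP)', 'Outlook Service', 'POP3',
    'Reporting Web Services'
)

# Constructed sample export. In practice: $rows = Import-Csv .\SignIns.csv
$SampleCsv = @'
Date (UTC),User,Application,Client app,Status
2020-09-01T08:01:12Z,alice@contoso.example,Office 365 Exchange Online,Browser,Success
2020-09-01T08:02:40Z,bob@contoso.example,Office 365 Exchange Online,IMAP4,Success
2020-09-01T08:05:03Z,bob@contoso.example,Office 365 Exchange Online,IMAP4,Success
2020-09-01T08:06:55Z,carol@contoso.example,Office 365 Exchange Online,Exchange ActiveSync,Success
2020-09-01T08:07:10Z,svc-scanner@contoso.example,Office 365 Exchange Online,Authenticated SMTP,Failure
2020-09-01T08:09:31Z,alice@contoso.example,Office 365 Exchange Online,Mobile Apps and Desktop clients,Success
'@

function Get-LegacyAuthSummary {
    param([Parameter(Mandatory)][object[]]$Rows)
    # Keep rows whose client app is legacy, then count sign-ins per user and
    # protocol. Failed attempts are kept on purpose: a client that keeps trying
    # Basic Auth (a scanner, a script) still has to be fixed before the switch.
    $Rows |
        Where-Object { $LegacyClientApps -contains $_.'Client app' } |
        Group-Object -Property User, 'Client app' |
        ForEach-Object {
            [pscustomobject]@{
                User      = $_.Group[0].User
                ClientApp = $_.Group[0].'Client app'
                SignIns   = $_.Count
                Failures  = @($_.Group | Where-Object Status -eq 'Failure').Count
                LastSeen  = ($_.Group.'Date (UTC)' | Sort-Object | Select-Object -Last 1)
            }
        } |
        Sort-Object SignIns -Descending
}

$rows    = $SampleCsv | ConvertFrom-Csv
$summary = Get-LegacyAuthSummary -Rows $rows
$summary | Format-Table -AutoSize

# Distinct accounts to contact, or to move onto the blocking policy first.
$summary.User | Sort-Object -Unique
```

On the constructed rows, alice drops out (browser and modern desktop clients only), bob shows two IMAP4 sign-ins, carol one Exchange ActiveSync sign-in, and svc-scanner one failed Authenticated SMTP attempt, which is exactly the kind of account that breaks on switch day if nobody owns it.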


Exchange Server on-premises Hybrid Modern Auth changes
I found a great article which nicely explains the prerequisites and the steps to follow


Your environment is ready to go. How to make the switch?

  • Again, make sure the supported Outlook clients have been installed, as mentioned above

    Outlook clients which have shared mailboxes added will get “DISCONNECTED”, which can be a critical issue, as we have a lot of users who are using shared mailboxes. The solution for this is to re-create the Outlook profile, which can be a tedious process. This can be resolved without going into that nightmare if you have updated the Office suite to the correct versions. It is best to complete this task before you make the switch to Modern Auth.
    Check the KB article

    Legacy Outlook versions may stop working altogether, as they are unable to connect to Exchange Online and Azure AD.

    Make sure Modern Authentication is enabled for the tenant, or turn it on by connecting to PowerShell

  • Connect to Exchange Online

    Check the status: Get-OrganizationConfig | fl *OAuth*
    Run this command to enable Modern Authentication:
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
    Remember that the above command does not block Basic Auth for the supported apps.

When you enable modern authentication in Exchange Online, Windows-based Outlook clients that support modern authentication will be prompted to log in again.

According to Microsoft, for tenants created before August 1, 2017, modern authentication is turned off by default for Exchange Online and Skype for Business Online.

  • Create an authentication policy that will disable Basic Auth for the protocols
    New-AuthenticationPolicy -Name “BlockBasicAuth”

  • Disable the protocols in that policy (view the current settings first)
    Get-AuthenticationPolicy -Identity BlockBasicAuth

    E.g. disable Basic Auth for the SMTP protocol (the parameter must be set to $false; $true would allow it)
    Set-AuthenticationPolicy -Identity BlockBasicAuth -AllowBasicAuthSmtp $false

Make sure all the necessary protocols are blocked. The parameters are as below:
AllowBasicAuthActiveSync
AllowBasicAuthAutodiscover
AllowBasicAuthImap
AllowBasicAuthLogExport
AllowBasicAuthMapi
AllowBasicAuthOfflineAddressBook
AllowBasicAuthOutlookService
AllowBasicAuthPop
AllowBasicAuthReportingWebServices
AllowBasicAuthRest
AllowBasicAuthRpc
AllowBasicAuthSmtp
AllowBasicAuthWebServices
AllowBasicAuthPowershell

  • Assign the above authentication policy to users
    Set-User -Identity username -AuthenticationPolicy BlockBasicAuth

    Enable it for all accounts (-ResultSize Unlimited is needed, otherwise Get-User stops after the default 1000 results)
    Get-User -ResultSize Unlimited | Set-User -AuthenticationPolicy BlockBasicAuth

  • Define the default authentication policy organization-wide. This way, any newly created user will inherit the policy
    Set-OrganizationConfig -DefaultAuthenticationPolicy BlockBasicAuth

    Blocking Basic Authentication will block app passwords in Exchange Online. If you have already set up app passwords, users will be prompted to enter their credentials in the modern authentication window, followed by the MFA challenge.

  • Check the results
    To see if Modern Auth is now enabled:
    Get-OrganizationConfig | fl *OAuth*

    To see if the newly created authentication policy is now the default authentication policy:
    Get-OrganizationConfig | fl DefaultAuthenticationPolicy
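The whole switch described in the bullets above, collected into one re-runnable script, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline) and an account with Exchange admin rights; the policy name BlockBasicAuth is the one the post uses. Every AllowBasicAuth* parameter is set to $false explicitly rather than relying on defaults, and the final step reads the policy back and warns about any protocol still allowed, so running it twice is safe and the verification is not just a Format-List to eyeball. Only the documented, settable Set-AuthenticationPolicy parameters are in the list; the AllowBasicAuthLogExport property that the post lists is left out because I am not certain it accepts a value.

```powershell
# Added example (not from the original post): enable Modern Auth, create and
# fill the BlockBasicAuth policy, assign it to everyone, make it the default,
# and verify. Assumes the ExchangeOnlineManagement module is installed.

$PolicyName = 'BlockBasicAuth'

Connect-ExchangeOnline

# 1. Make sure Modern Authentication (OAuth 2.0) is on for the tenant.
$org = Get-OrganizationConfig
if (-not $org.OAuth2ClientProfileEnabled) {
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
    Write-Host 'Modern Authentication enabled for the tenant.'
}

# 2. Create the authentication policy if it does not exist yet.
if (-not (Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $PolicyName | Out-Null
    Write-Host "Created authentication policy $PolicyName."
}

# 3. Set every documented AllowBasicAuth* parameter to $false, so the policy
#    blocks Basic Auth for all protocols whatever the defaults happen to be.
$blockAll = @{}
foreach ($p in 'ActiveSync', 'Autodiscover', 'Imap', 'Mapi', 'OfflineAddressBook',
               'OutlookService', 'Pop', 'Powershell', 'ReportingWebServices',
               'Rest', 'Rpc', 'Smtp', 'WebServices') {
    $blockAll["AllowBasicAuth$p"] = $false
}
Set-AuthenticationPolicy -Identity $PolicyName @blockAll

# 4. Assign the policy to every user. -ResultSize Unlimited avoids the default
#    1000-object cap, which would silently leave users unprotected in a large tenant.
Get-User -ResultSize Unlimited | Set-User -AuthenticationPolicy $PolicyName

# 5. Make it the tenant default so newly created accounts inherit it.
Set-OrganizationConfig -DefaultAuthenticationPolicy $PolicyName

# 6. Verify by reading the policy back: any parameter we set that is still
#    $true means Basic Auth is still allowed for that protocol.
$policy  = Get-AuthenticationPolicy -Identity $PolicyName
$stillOn = $blockAll.Keys | Where-Object { $policy.$_ -eq $true }
if ($stillOn) {
    Write-Warning ('Basic Auth still allowed for: ' + ($stillOn -join ', '))
} else {
    Write-Host "Policy $PolicyName blocks Basic Auth for every protocol it covers."
}
Get-OrganizationConfig | Format-List OAuth2ClientProfileEnabled, DefaultAuthenticationPolicy
```

Microsoft's documentation notes that a newly assigned authentication policy can take up to 24 hours to apply, and that resetting a user's STSRefreshTokensValidFrom timestamp with Set-User forces it sooner; I have left that out of the script because it invalidates every existing session for the user, which you would normally schedule rather than run against the whole tenant in one go.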

Final thoughts


I hope this article is helpful for you to take that decision sooner rather than later, prepare your environment accordingly, and go for that switch.
