Learn Azure and IaC

Block Basic Authentication Exchange Online

In this blog post, I will show you how to block basic authentication on Exchange Online for specific users.

Basic authentication also known as legacy authentication allows hackers to access Exchange Online mailboxes using a username and password and bypass MFA.

This can be a real security risk in case a username and password have been compromised.

Install Exchange Online PowerShell V2

To start, I will install the new Exchange Online V2 PowerShell module by running the cmdlet

Install-Module -Name ExchangeOnlineManagement

After I completed the installation, I can connect to Exchange Online with the below cmdlet.

Connect-ExchangeOnline
-Name ExchangeOn1ineManagement PS C: Install-Module Untrusted repository You are installing the modules from an untrusted repository. If you trust this repository, change its Installationpolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from [Y] yes [A] yes to All [N] NO [L] NO to All [S] Suspend PS C: Connect-Exchangeonline We have released new management cmdlets which are faster and Help (default is "N"): a more reliable. Cmdlets Old Cmdlets Get -CASMai1box -Mailbox Get Get-MailboxF01derPermission Get-MailboxF01derStatistics -Mail Get Get-MailboxStatistics -MobileDeviceStatistics Get -Recipient Get -RecipientPermission Get New/Re1iab1e/Faster -EXOCASMai1box Get Get -Exomailbox Get Get Get Get Get To get additional information, Please send your feedback and run: Get-Help suggestions to Get-EXOMai1boxF01derPermission -EXOMai1boxF01derStatistics - EXOMai1boxPermission Get -EXOMai1boxStatistics -EXOMobi1eDeviceStatistics -EXORecipient - EXORecipientPermission Connect -Exchangeonline exocmdletpreview@service.mic rosoft.com

Check Modern Authentication

Next, I will check if modern authentication is enabled on my tenant using the following cmdlet.

Get-OrganizationConfig | Format-Table Name,OAuth* -Auto
OAuth2C1ientProfi1eEnab1ed T rue

Enable Modern Authentication

If the above command is false, which means modern authentication is not enabled I will enable it with the cmdlet.

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

Create Authentication Policy

To block basic authentication I will create the following policy.

New-AuthenticationPolicy -Name "Block Basic Auth"

You can see from the output that all basic authentication protocols are disabled.

PS C: New-AuthenticationP01icy -Name "Block Basic Auth" Runspaceld AllowBasicAuthActiveSync AllowBasicAuthAutodiscover All owBasicAuthImap AllowBasicAuthMapi AllowBasicAuthOff1ineAddressBook AllowBasicAuthOut100kSeNice AllowBasicAuthPop AllowBasicAuthReportingWebServices : AllowBasicAuthRest AllowBasicAuthRpc AllowBasicAuthSmtp AllowBasicAuthWebServices AllowBasicAuthpowersheII AdminDi splayName ed6494d6-89be-4f58-b312-ce59f718faff False . False False False False False . False False False False False . False False

Assign Policy to users

I will assign the policy to a user with the code below.

Set-User -Identity USERUPN -AuthenticationPolicy "Block Basic auth"

To get a list of all users I will run the cmdlet below

Get-User

By clicking submit, you agree to share your email address with the site owner and Mailchimp to receive marketing, updates, and other emails from the site owner. Use the unsubscribe link in those emails to opt out at any time.

Processing…
Success! You're on the list.

Posted

in

by

NTW – Content Network