Block Basic Authentication Exchange Online

In this blog post, I will show you how to block basic authentication on Exchange Online for specific users.

Basic authentication, also known as legacy authentication, lets an attacker who holds a username and password access an Exchange Online mailbox and bypass MFA.

This is a real security risk if a username and password have been compromised.

Install Exchange Online PowerShell V2

To start, I will install the new Exchange Online V2 PowerShell module by running the cmdlet below.

Install-Module -Name ExchangeOnlineManagement

After the installation completes, I can connect to Exchange Online with the cmdlet below.

Connect-ExchangeOnline

Check Modern Authentication

Next, I will check if modern authentication is enabled on my tenant using the following cmdlet.

Get-OrganizationConfig | Format-Table Name,OAuth* -Auto

Enable Modern Authentication

If OAuth2ClientProfileEnabled in the output above is False, modern authentication is not enabled, and I will enable it with the following cmdlet.

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

Create Authentication Policy

To block basic authentication, I will create the following policy.

New-AuthenticationPolicy -Name "Block Basic Auth"

You can see from the output that all basic authentication protocols (the AllowBasicAuth* settings) are disabled in the new policy.

Assign Policy to users

I will assign the policy to a user with the code below.

Set-User -Identity USERUPN -AuthenticationPolicy "Block Basic Auth"

To get a list of all users, I will run the cmdlet below.

Get-User
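The steps above, joined into one script as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module is already installed, and the policy name and the user principal names in $TargetUsers are constructed placeholders to replace with your own values.

```powershell
# Added example (not the original post's code): end-to-end version of the
# procedure above. Assumes the ExchangeOnlineManagement module is installed
# and that the UPNs in $TargetUsers are placeholders for real accounts.

$PolicyName  = 'Block Basic Auth'
$TargetUsers = @('user1@contoso.example', 'user2@contoso.example')   # constructed placeholders

Connect-ExchangeOnline

# 1. Make sure modern authentication (OAuth) is enabled on the tenant,
#    otherwise clients have nothing to fall back to once Basic is blocked.
$org = Get-OrganizationConfig
if (-not $org.OAuth2ClientProfileEnabled) {
    Write-Host 'Modern authentication is disabled; enabling it.'
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}

# 2. Create the blocking policy only if it does not already exist. A new
#    authentication policy has every AllowBasicAuth* setting set to False,
#    so no extra parameters are needed to block Basic authentication.
$policy = Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue
if (-not $policy) {
    $policy = New-AuthenticationPolicy -Name $PolicyName
}

# Show which Basic Auth protocols the policy allows (all should be False).
$policy | Format-List AllowBasicAuth*

# 3. Assign the policy to the chosen users.
foreach ($upn in $TargetUsers) {
    Set-User -Identity $upn -AuthenticationPolicy $PolicyName
}

# 4. Verify the assignment; users with an empty AuthenticationPolicy
#    are still governed only by the tenant default.
Get-User -ResultSize Unlimited |
    Select-Object UserPrincipalName, AuthenticationPolicy |
    Sort-Object AuthenticationPolicy |
    Format-Table -AutoSize
```

Running the script a second time is safe: the tenant setting and the policy are only changed when they are not already in the desired state, and re-assigning the same policy to a user is a no-op. Microsoft documents that a newly assigned authentication policy can take up to 24 hours to take effect for a user, so do not treat a successful Set-User call as immediate enforcement.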
