In this blog post, I will show you how to block basic authentication on Exchange Online for specific users.
Basic authentication also known as legacy authentication allows hackers to access Exchange Online mailboxes using a username and password and bypass MFA.
This can be a real security risk in case a username and password have been compromised.
Install Exchange Online PowerShell V2
To start, I will install the new Exchange Online V2 PowerShell module by running the cmdlet
Install-Module -Name ExchangeOnlineManagement
After I completed the installation, I can connect to Exchange Online with the below cmdlet.
Connect-ExchangeOnline
![-Name ExchangeOn1ineManagement
PS C: Install-Module
Untrusted repository
You are installing the modules from an untrusted repository. If you trust this repository, change its
Installationpolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from
[Y] yes [A] yes to All [N] NO [L] NO to All [S] Suspend
PS C: Connect-Exchangeonline
We have released new management cmdlets which are faster and
Help (default is "N"): a
more reliable.
Cmdlets
Old
Cmdlets
Get -CASMai1box
-Mailbox
Get
Get-MailboxF01derPermission
Get-MailboxF01derStatistics
-Mail
Get
Get-MailboxStatistics
-MobileDeviceStatistics
Get
-Recipient
Get
-RecipientPermission
Get
New/Re1iab1e/Faster
-EXOCASMai1box
Get
Get -Exomailbox
Get
Get
Get
Get
Get
To get additional information,
Please send your feedback and
run: Get-Help
suggestions to
Get-EXOMai1boxF01derPermission
-EXOMai1boxF01derStatistics
- EXOMai1boxPermission
Get -EXOMai1boxStatistics
-EXOMobi1eDeviceStatistics
-EXORecipient
- EXORecipientPermission
Connect -Exchangeonline
exocmdletpreview@service.mic rosoft.com](https://i1.wp.com/www.ntweekly.com/wp-content/uploads/2020/05/image-8.png?fit=525%2C275&ssl=1)
Check Modern Authentication
Next, I will check if modern authentication is enabled on my tenant using the following cmdlet.
Get-OrganizationConfig | Format-Table Name,OAuth* -Auto

Enable Modern Authentication
If the above command is false, which means modern authentication is not enabled I will enable it with the cmdlet.
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
Create Authentication Policy
To block basic authentication I will create the following policy.
New-AuthenticationPolicy -Name "Block Basic Auth"
You can see from the output that all basic authentication protocols are disabled.

Assign Policy to users
I will assign the policy to a user with the code below.
Set-User -Identity USERUPN -AuthenticationPolicy "Block Basic auth"
To get a list of all users I will run the cmdlet below
Get-User