In this blog post, I will show you how to block basic authentication on Exchange Online for specific users.
Basic authentication also known as legacy authentication allows hackers to access Exchange Online mailboxes using a username and password and bypass MFA.
This can be a real security risk in case a username and password have been compromised.
Install Exchange Online PowerShell V2
To start, I will install the new Exchange Online V2 PowerShell module by running the cmdlet
Install-Module -Name ExchangeOnlineManagement
After I completed the installation, I can connect to Exchange Online with the below cmdlet.
Check Modern Authentication
Next, I will check if modern authentication is enabled on my tenant using the following cmdlet.
Get-OrganizationConfig | Format-Table Name,OAuth* -Auto
Enable Modern Authentication
If the above command is false, which means modern authentication is not enabled I will enable it with the cmdlet.
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
Create Authentication Policy
To block basic authentication I will create the following policy.
New-AuthenticationPolicy -Name "Block Basic Auth"
You can see from the output that all basic authentication protocols are disabled.
Assign Policy to users
I will assign the policy to a user with the code below.
Set-User -Identity USERUPN -AuthenticationPolicy "Block Basic auth"
To get a list of all users I will run the cmdlet below