Block Basic Authentication Exchange Online

In this blog post, I will show you how to block basic authentication on Exchange Online for specific users.

Basic authentication, also known as legacy authentication, allows hackers to access Exchange Online mailboxes using only a username and password and to bypass MFA.

This is a real security risk if a username and password have been compromised.

Install Exchange Online PowerShell V2

To start, I will install the new Exchange Online V2 PowerShell module by running the following cmdlet.

Install-Module -Name ExchangeOnlineManagement

After the installation completes, I can connect to Exchange Online with the cmdlet below.

Connect-ExchangeOnline

Check Modern Authentication

Next, I will check if modern authentication is enabled on my tenant using the following cmdlet.

Get-OrganizationConfig | Format-Table Name,OAuth* -Auto

OAuth2ClientProfileEnabled
True

Enable Modern Authentication

If the above command returns False, modern authentication is not enabled, and I will enable it with the following cmdlet.

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

Create Authentication Policy

To block basic authentication I will create the following policy.

New-AuthenticationPolicy -Name "Block Basic Auth"

You can see from the output that all basic authentication protocols are disabled.

PS C:\> New-AuthenticationPolicy -Name "Block Basic Auth"

RunspaceId                         : ed6494d6-89be-4f58-b312-ce59f718faff
AllowBasicAuthActiveSync           : False
AllowBasicAuthAutodiscover         : False
AllowBasicAuthImap                 : False
AllowBasicAuthMapi                 : False
AllowBasicAuthOfflineAddressBook   : False
AllowBasicAuthOutlookService       : False
AllowBasicAuthPop                  : False
AllowBasicAuthReportingWebServices : False
AllowBasicAuthRest                 : False
AllowBasicAuthRpc                  : False
AllowBasicAuthSmtp                 : False
AllowBasicAuthWebServices          : False
AllowBasicAuthPowershell           : False
AdminDisplayName                   :

Assign Policy to users

I will assign the policy to a user with the code below.

Set-User -Identity USERUPN -AuthenticationPolicy "Block Basic auth"

To get a list of all users, I will run the cmdlet below.

Get-User
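
Once the policy is assigned, it is worth checking that no basic authentication protocol is still allowed and that no user has been missed. The script below is an added example, not part of the original post. Test-BasicAuthCoverage is a hypothetical helper name, the sample objects are constructed so it runs without a tenant, and it assumes the AuthenticationPolicy property returned by Get-User holds the policy name.

```powershell
# Added example: report protocols still open in the policy and users it does not cover.
# Test-BasicAuthCoverage is a hypothetical helper, not an Exchange Online cmdlet.
function Test-BasicAuthCoverage {
    param(
        [Parameter(Mandatory)] $Policy,            # object from Get-AuthenticationPolicy
        [Parameter(Mandatory)] [object[]] $Users,  # objects from Get-User
        [string] $PolicyName = 'Block Basic Auth'
    )

    # Any AllowBasicAuth* property that is still $true is a protocol left open.
    $open = @($Policy.PSObject.Properties |
        Where-Object { $_.Name -like 'AllowBasicAuth*' -and $_.Value -eq $true } |
        ForEach-Object { $_.Name })

    # Assumption: AuthenticationPolicy on a user holds the policy name (empty if none).
    $uncovered = @($Users |
        Where-Object { "$($_.AuthenticationPolicy)" -ne $PolicyName } |
        ForEach-Object { $_.UserPrincipalName })

    [pscustomobject]@{
        OpenProtocols  = $open
        UncoveredUsers = $uncovered
    }
}

# Constructed sample objects standing in for live cmdlet output.
$policy = [pscustomobject]@{
    Name               = 'Block Basic Auth'
    AllowBasicAuthImap = $false
    AllowBasicAuthPop  = $false
    AllowBasicAuthSmtp = $true    # deliberately left open to show a finding
}
$users = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.test'; AuthenticationPolicy = 'Block Basic Auth' }
    [pscustomobject]@{ UserPrincipalName = 'bob@example.test';   AuthenticationPolicy = $null }
)

$report = Test-BasicAuthCoverage -Policy $policy -Users $users
"Protocols still allowing basic auth: $($report.OpenProtocols -join ', ')"
"Users without the policy: $($report.UncoveredUsers -join ', ')"

# Against a live tenant, after Connect-ExchangeOnline:
# Test-BasicAuthCoverage -Policy (Get-AuthenticationPolicy -Identity 'Block Basic Auth') `
#                        -Users (Get-User -ResultSize Unlimited)
```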
