EXO Basic to Modern AUTH, October 2020
Are you still working with Basic Authentication for Exchange Online? Probably you have many users, applications, IT scripts and third-party apps that still connect to Exchange Online with Basic Authentication.
Recently Microsoft mentioned again about u
From Office 365 Message Center
“As previously communicated in MC191153, beginning October 13, 2020, we will retire Basic Authentication for EWS, EAS, IMAP, POP and RPS to access Exchange Online.
Note: this change does not impact SMTP AUTH.
Microsoft published an updated blog with more information about this change Basic Auth and Exchange Online – February 2020 Update
There are several actions that you and/or your users can take to avoid service disruptions on client applications, and we describe them below and in the blog. If no action is taken, client applications using Basic Authentication for EWS may be unable to connect after October 13, 2020.
Any application using OAuth 2.0 and connecting using any of these protocols, will continue to work without change or interruption.”
Microsoft communicated the retirement of Basic Authentication in two announcements:
The first, on March 7, 2018: the Microsoft Exchange Team announced that on October 13, 2020 it would stop supporting Basic Authentication for Exchange Web Services (EWS) in Exchange Online.
The second, on November 20, 2019: the Exchange Team announced the end of support for Basic Authentication for Exchange ActiveSync (EAS), POP, IMAP and Remote PowerShell, also on October 13, 2020.
Note: the end of support for Basic Authentication applies only to Exchange Online; it does not apply to companies running Exchange Server on-premises.
Note also that SMTP AUTH remains supported with Basic Authentication.
Office 365 Basic Authentication
Microsoft has supported Basic Authentication since the earliest days of Office 365 (and BPOS before it) for all core services: Exchange Online, SharePoint Online, OneDrive for Business and Skype for Business Online.
With Basic Authentication the application sends a username and password with every request to the Office 365 service, such as Exchange Online, which forwards the credentials to Azure AD or to a federated authentication provider such as ADFS or a third-party IdP.
The big security issue with Basic Authentication is its exposure to password attacks such as brute force and password spray: every endpoint that accepts Basic Authentication is a place where a password alone is enough, so MFA cannot be required on those connections.
Basic Authentication also makes it easier for attackers armed with today's tools and techniques to capture users' credentials, and it increases the chance of credential re-use against other endpoints or services in Office 365.
The trouble with Basic Authentication is that it is simply too basic and relies on older protocols, and the cloud was supposed to be a more secure place, wasn't it?
How do you know who is still using Basic Authentication with Exchange Online? There are several ways to find the problematic users and services that still use it.
Office 365 reports: the Office 365 usage reports include several reports (Users, Apps and Versions) whose data you can export to Excel and pivot on the old protocols.
Tip: the Excel exports show who is connecting with an old protocol, including details that are not clearly visible in the portal reports.
Azure AD sign-in logs: with the Azure AD reports the sky is the limit, because there are many ways to pull reports and the visibility is far better.
In the Azure AD portal (Azure Active Directory blade) go to Sign-ins and apply the following filters:
- Date: Last month
- Show dates as: Local
- Add filter: Client apps
- Choose the client apps listed under Legacy Authentication Clients (Exchange ActiveSync, Exchange Web Services, IMAP4, POP3, Authenticated SMTP, Other clients and so on)
You can also download the filtered sign-in activities from the Azure AD sign-in logs as a CSV/Excel report.
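Once you have such an export, the triage is the same pivot every time: which accounts, from which IPs and user agents, still authenticate to Exchange Online with a legacy client app. The following PowerShell is an added example and not part of the original post; the column names it reads (Username, Application, Client app, IP address, Status, User agent) are assumed to match the portal's CSV export and may need adjusting, and the sample rows are constructed, not real tenant data.

```powershell
# Added example: triage an Azure AD sign-in export for legacy (Basic) authentication
# to Exchange Online. Column names are an assumption about the portal's CSV export.

# Client app values Azure AD reports for legacy authentication (the values the
# portal groups under "Legacy Authentication Clients" in the Client apps filter).
$LegacyClientApps = @(
    'Authenticated SMTP', 'AutoDiscover', 'Exchange ActiveSync',
    'Exchange Online PowerShell', 'Exchange Web Services', 'IMAP4',
    'MAPI Over HTTP', 'Offline Address Book', 'Outlook Anywhere (RPC over HTTP)',
    'Outlook Service', 'POP3', 'Reporting Web Services', 'Other clients'
)

function Get-LegacyAuthSummary {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,   # rows from Import-Csv / ConvertFrom-Csv
        [string[]] $ClientApps = $LegacyClientApps
    )
    $SignIns |
        Where-Object { $_.'Client app' -in $ClientApps -and $_.Application -eq 'Office 365 Exchange Online' } |
        Group-Object -Property Username, 'Client app' |
        ForEach-Object {
            [pscustomobject]@{
                Username   = $_.Group[0].Username
                ClientApp  = $_.Group[0].'Client app'
                Attempts   = $_.Count
                Succeeded  = @($_.Group | Where-Object Status -eq 'Success').Count
                SourceIPs  = ($_.Group.'IP address' | Sort-Object -Unique) -join ', '
                UserAgents = ($_.Group.'User agent' | Sort-Object -Unique) -join ' | '
            }
        } |
        Sort-Object Attempts -Descending
}

# Constructed sample rows standing in for a real export (hypothetical accounts and IPs).
$sample = @'
Username,Application,Client app,IP address,Status,User agent
svc-scanner@contoso.example,Office 365 Exchange Online,IMAP4,203.0.113.10,Success,fetchmail/6.4
svc-scanner@contoso.example,Office 365 Exchange Online,IMAP4,203.0.113.10,Success,fetchmail/6.4
jdoe@contoso.example,Office 365 Exchange Online,Exchange ActiveSync,198.51.100.7,Success,Apple-iPhone11C2/1803.92
jdoe@contoso.example,Office 365 Exchange Online,Browser,198.51.100.7,Success,Mozilla/5.0 (Windows NT 10.0) Edge
admin@contoso.example,Office 365 Exchange Online,Exchange Online PowerShell,192.0.2.55,Failure,Microsoft WinRM Client
'@ | ConvertFrom-Csv

Get-LegacyAuthSummary -SignIns $sample | Format-Table -AutoSize
# With a real export: Get-LegacyAuthSummary -SignIns (Import-Csv .\SignIns.csv)
```

On the constructed sample the browser sign-in is ignored and three rows come back: the IMAP service account (two successful attempts), the ActiveSync phone and a failed Remote PowerShell sign-in. The failed ones matter too: a failing Basic Auth login from an unexpected IP is exactly what password spray looks like in these logs.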
Azure AD Workbooks: if Azure AD diagnostic settings send the logs to Azure Log Analytics, you can use workbooks and build many reports with Kusto (KQL), starting from the default workbooks shipped with Azure AD, including the ones for Sign-ins and Sign-ins using Legacy Authentication.
Azure Sentinel: if you work with Azure Sentinel there are many ways to see the Basic Authentication traffic, such as running queries, working with a workbook, or even visualizing the data in a notebook.
First things first: you can run a simple Kusto query that shows the old protocols used against Exchange Online.
The Kusto query is on my GitHub: Sign-ins using Legacy Auth.kusto
Azure Sentinel Workbook: once the Azure AD connector is enabled in Azure Sentinel you get a default Azure AD Sign-in logs workbook that you can customize to pull out a lot of useful information.
The default Azure AD Sign-in workbook gives a good view of who is connecting to Azure AD and how.
The default workbook does not include specific data for Basic Authentication, so you can clone the existing one and edit it with the relevant queries and graphs.
Sign-ins using Legacy Authentication workbook: make sure to add the Azure AD tenant ID.
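The query below is an added example rather than the one linked from the post's GitHub: it runs the same legacy-authentication filter as KQL against the SigninLogs table that Azure AD diagnostic settings write to Log Analytics (the table Azure Sentinel and the workbooks read). It assumes the Az.Accounts and Az.OperationalInsights modules are installed, that the caller has read access to the workspace, and that $WorkspaceId is replaced with the workspace GUID (the value shown is a placeholder).

```powershell
# Added example: legacy-authentication sign-ins to Exchange Online from the
# SigninLogs table, run through Log Analytics with Az.OperationalInsights.
# $WorkspaceId is a placeholder; replace it with your workspace ID.
$WorkspaceId = '00000000-0000-0000-0000-000000000000'

$Query = @'
let legacyApps = dynamic([
    "Authenticated SMTP", "AutoDiscover", "Exchange ActiveSync",
    "Exchange Online PowerShell", "Exchange Web Services", "IMAP4",
    "MAPI Over HTTP", "Offline Address Book", "Outlook Anywhere (RPC over HTTP)",
    "Outlook Service", "POP3", "Reporting Web Services", "Other clients"]);
SigninLogs
| where TimeGenerated > ago(30d)
| where AppDisplayName == "Office 365 Exchange Online"
| where ClientAppUsed in (legacyApps)
| summarize
    Attempts  = count(),
    Succeeded = countif(toint(ResultType) == 0),   // ResultType is a string column; 0 = success
    Users     = dcount(UserPrincipalName),
    SourceIPs = make_set(IPAddress, 10)
  by ClientAppUsed, UserAgent
| order by Attempts desc
'@

Connect-AzAccount | Out-Null
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $Query -Timespan (New-TimeSpan -Days 30)
$result.Results | Format-Table -AutoSize
Disconnect-AzAccount | Out-Null
```

The same $Query text can be pasted into a Sentinel analytics rule or into a cloned copy of the sign-in workbook; grouping by ClientAppUsed and UserAgent is what separates a forgotten IMAP scanner from a spray campaign that shows up as "Other clients" with thousands of failures.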
Once we have enough information about Basic and legacy authentication usage, we can move forward and change the configuration to Modern Authentication.
Modern Authentication is based on OAuth 2.0, with ADAL (the Active Directory Authentication Library) providing token-based authentication: OAuth 2.0 is the protocol, and ADAL is the client library used to authenticate against Azure AD.
Modern Authentication in Exchange Online enables authentication features such as MFA, smart cards, certificate-based authentication (CBA) and third-party SAML identity providers.
When you enable Modern Authentication in Exchange Online, Windows-based Outlook clients that support it (Outlook 2013 or later) use Modern Authentication to connect to Exchange Online mailboxes.
When a client uses Modern Authentication it is redirected to Azure AD to authenticate and obtain an access token, and that access token, not the password, is what the client presents to Exchange Online.
Modern Authentication notes for Exchange Online
- Modern Authentication is enabled by default in Exchange Online, Skype for Business Online and SharePoint Online for newer tenants.
- For tenants created before August 1, 2017, Modern Authentication is turned off by default for Exchange Online and must be enabled.
- Enabling or disabling Modern Authentication in Exchange Online only affects Modern Authentication connections from Windows-based Outlook clients that support it (Outlook 2013 or later).
- Enabling or disabling Modern Authentication in Exchange Online does not affect other email clients that support Modern Authentication.
- You should keep the Modern Authentication state of Exchange Online in sync with the other Office 365 services.
Check for Modern Authentication
Checking whether Exchange Online is configured for Basic or Modern Authentication is pretty simple, and there are several ways to see the current configuration.
The first way is the Office 365 Admin Center: check Modern Authentication under Settings > Modern Authentication.
The second way is PowerShell; below is an example using Cloud Shell with the following command:
Get-OrganizationConfig | Format-Table -Auto Name, OAuth*
The third way is the per-mailbox Exchange Online properties, with the command Get-CASMailbox. For better security it is recommended to disable every unused protocol on all mailboxes (Set-CASMailbox), because a mailbox that still accepts POP or IMAP still accepts a bare password.
Besides Exchange Online, other Office 365 services such as SharePoint Online (SPO) and Skype for Business Online (SfBO) can be using Basic and legacy authentication as well.
So you should consider moving those services to Modern Authentication as well, because you do not want a mixed situation where Exchange Online uses Modern Authentication and SharePoint Online still uses Basic Authentication; in that situation users may get repeated password prompts.
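The checks and the per-mailbox clean-up above fit in one script. The following PowerShell is an added example, not from the original post: it reports the tenant-level OAuth setting, lists mailboxes that still have POP or IMAP enabled, and only changes anything when run with -Enforce. It assumes the ExchangeOnlineManagement (EXO V2) module is installed and the caller holds the Exchange Administrator role; the SharePoint Online and Skype for Business Online lines at the end need their own modules (Microsoft.Online.SharePoint.PowerShell and SkypeOnlineConnector) and are left commented out, and the admin URL in them is a placeholder.

```powershell
# Added example: audit (and optionally enforce) Modern Authentication in Exchange Online.
# Default is report-only; run with -Enforce to apply the changes.
param(
    [switch]   $Enforce,
    [string[]] $ExemptMailboxes = @()   # mailboxes to leave alone, e.g. a scanner that must keep IMAP
)

Connect-ExchangeOnline -ShowBanner:$false

# 1. Tenant-level Modern Authentication (OAuth 2.0) switch for Exchange Online.
$org = Get-OrganizationConfig
"Modern Authentication (OAuth2ClientProfileEnabled): $($org.OAuth2ClientProfileEnabled)"
if (-not $org.OAuth2ClientProfileEnabled -and $Enforce) {
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
    "Modern Authentication enabled at tenant level."
}

# 2. Per-mailbox protocol settings. POP and IMAP are the protocols most often left
#    on by accident, and each one is a Basic Authentication endpoint for that mailbox.
$legacy = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { ($_.PopEnabled -or $_.ImapEnabled) -and ($_.PrimarySmtpAddress.ToString() -notin $ExemptMailboxes) } |
    Select-Object Identity, PrimarySmtpAddress, PopEnabled, ImapEnabled, ActiveSyncEnabled, EwsEnabled, SmtpClientAuthenticationDisabled

"Mailboxes with POP or IMAP still enabled: $(@($legacy).Count)"
$legacy | Format-Table -AutoSize
# SmtpClientAuthenticationDisabled is blank when the mailbox inherits the tenant value
# (Get-TransportConfig); SMTP AUTH is deliberately not touched here, since the retirement
# announced for October 2020 does not cover it.

if ($Enforce) {
    foreach ($mbx in $legacy) {
        Set-CASMailbox -Identity $mbx.Identity -PopEnabled $false -ImapEnabled $false
        "Disabled POP/IMAP on $($mbx.PrimarySmtpAddress)"
    }
}

Disconnect-ExchangeOnline -Confirm:$false

# 3. Keep the other services in step with Exchange Online to avoid mixed Basic/Modern prompts.
#    SharePoint Online (admin URL is a placeholder):
# Connect-SPOService -Url https://contoso-admin.sharepoint.com
# Set-SPOTenant -LegacyAuthProtocolsEnabled $false
#    Skype for Business Online:
# Get-CsOAuthConfiguration | Select-Object ClientAdalAuthOverride
# Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
```

Run it once without -Enforce, match the list against the legacy-authentication sign-in report so that every mailbox still using POP or IMAP is either migrated or added to -ExemptMailboxes, and only then run it with -Enforce.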
In Short
To make a long story short, Basic Authentication will be switched off on October 13, 2020, and the impact on your organization can be huge if your users and apps are still using it.
Microsoft may postpone the change if it determines that many Office 365 tenants have not prepared, but the switch will be performed sooner or later.
So you had better be prepared for these changes. Start today.