If you havent heard already, Microsoft is taking huge steps to improve the overall security in Exchange Online and Office 365 by disabling basic authentication for legacy authentication protocols therein lies the question of “how” to prepare and shift your organization to adopting modern authentication protocols.
In the second half of 2021, Microsoft had planned to disable basic auth for five (5) exchange online protocols: EAS, EWS, POP, IMAP, and RPS. The latest update provided in Feb 2021, Microsoft added additional protocols to the scope to be disabled. The full list includes: EWS, EAS, POP, IMAP, Remote PowerShell, MAPI, RPC, SMTP AUTH and OAB.
Microsoft provided very alarmaing metrics, wherein disabling legacy authenication reduces 99% of security risk with account compromise. Most accounts compromised identified by Microsoft Data Scuentust shows they did not have MFA enabled. For MFA to be effective, legacy authentication protocols will need to be blocked or disabled.
Summary:
- Basic Auth is not being disabled for any protocols for existing tenant if they are actively being used.
- Starting October 2020, MS will begin disabling Basic Auth if there is no record of use.
- Newly created tenants by default will have Basic Auth disabled.
- 12 months notice before blocking Basic Auth on any protocol in your tenant.
- Notification will be posted via Message Center before MS disable Basic Authentication for any tenant.
- Protocols in scope for Basic Auth to be disabled: EWS, EAS, POP, IMAP, Remote PowerShell, MAPI, RPC, SMTP AUTH and OAB.
What are legacy authentication protocols
The following options are considered legacy authentication protocols
- Authenticated SMTP – Used by POP and IMAP clients to send email messages.
- Autodiscover – Used by Outlook and EAS clients to find and connect to mailboxes in Exchange Online.
- Exchange ActiveSync (EAS) – Used to connect to mailboxes in Exchange Online.
- Exchange Online PowerShell – Used to connect to Exchange Online with remote PowerShell. If you block Basic authentication for Exchange Online PowerShell, you need to use the Exchange Online PowerShell Module to connect. For instructions, see Connect to Exchange Online PowerShell using multi-factor authentication.
- Exchange Web Services (EWS) – A programming interface that’s used by Outlook, Outlook for Mac, and third-party apps.
- IMAP4 – Used by IMAP email clients.
- MAPI over HTTP (MAPI/HTTP) – Used by Outlook 2010 and later.
- Offline Address Book (OAB) – A copy of address list collections that are downloaded and used by Outlook.
- Outlook Anywhere (RPC over HTTP) – Used by Outlook 2016 and earlier.
- Outlook Service – Used by the Mail and Calendar app for Windows 10.
- POP3 – Used by POP email clients.
- Reporting Web Services – Used to retrieve report data in Exchange Online.
- Other clients – Other protocols identified as utilizing legacy authentication.
Identifying legacy authentication use:
The following steps walks you though identifying accounts still using legacy auth
- Navigate to the Azure portal > Azure Active Directory > Sign-ins.
- Add the Client App column if it is not shown by clicking on Columns > Client App.
- Add filters > Client App > select all of the legacy authentication protocols. Select outside the filtering dialog box to apply your selections and close the dialog box.
- If you have activated the new sign-in activity reports preview, repeat the above steps also on the User sign-ins (non-interactive) tab.
What options do I have to transition from exchange protocols from Basic Auth to Modern Auth?
Let’s be honest, not all vendors and developers currently support modern authentication flows. The alternative, modern authentication, will reduce your security risk, because it supports multi-factor authentication and Conditional Access.
Modern authentication is an umbrella term for a combination of authentication and authorization methods that include:
- Authentication methods: Multi-factor Authentication (MFA); Client Certificate-based authentication.
- Authorization methods: Microsoft’s implementation of Open Authorization (OAuth).
- Conditional access policies: Mobile Application Management (MAM) and Azure Active Directory (Azure AD) Conditional Access
Planning and addressing Legacy Auth in your environment:
- Identify Applications (Script) using Legacy Auth (Gather the data)
- Identify the owners of the Applications
- Investigate how the application works
- Verify Legacy Auth is being used and what API/Protocol it is using
- Identify if there is support Modern Auth, update or inquire with the application developers or providers to update.
- Propose a exception to policy. What is the rationale, app, user or group, and who is signing off on these?
The first step is identifying the application, if it is an interactive or non-interactive application. The key difference between interactive and non-interative is if there is “user interaction”. A script is considered a non-interactiove applicat, it can have “access” granted, however cannot run in the context of the user when access resources on a tenant.
What options do we have?
Graph API
allow access without a user in addition to access on behalf of a user, enable granular permissions and let administrators scope such access to a specific set of mailboxes.
How do I set this up?
- Get access without a userhttps://docs.microsoft.com/en-us/graph/auth-v2-service
- Get access on behalf of a user
- https://docs.microsoft.com/en-us/graph/auth-v2-user
- Permissions
- https://docs.microsoft.com/en-us/graph/permissions-reference
- Limiting mailbox access:
- https://docs.microsoft.com/en-us/graph/auth-limit-mailbox-access
Modern Auth and Unattended Scripts in Exchange Online PowerShell V2
References:
Block legacy authentication
OAuth 2.0 support for IMAP and SMTP AUTH protocols
July 2020 Update – Microsoft
February 2021 Update – Microsoft
https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-february-2021-update/ba-p/2111904
