Security: O365 – did you remember to disable legacy authentication before October 13, 2020?

Office 365 Splash

Microsoft retiring basic authentication

If you have kept up to date with the many announcements around 365 – spesifically Exchange Online, from Microsoft, you may remember that they announced that end of support for basic authentication were coming to various parts of Exchange Online in 365.
Subscribers of O/M365 should move to using modern authentication, as this is more secure and gives alot of other benefits.
The said date for this change was set to October 13 2020, and the statement was made September 20 2019 and can be found here.

This goes for the following components of Exchange Online:

  • Exchange Web Services (EWS)
  • Exchange Active Sync (EAS)
  • Post Office Protocol (POP)
  • Internet Message Access Protocol (IMAP)
  • Remote PowerShell (RPS)

So, did you ?
If you did not get around to doing this, you still have some time left.

Due to the ongoing COVID-19 crisis this date has been moved, and is now set for the second half of 2021.
Updated statement for this released by Microsoft, can be found in the April update here, and more details also in the July update here.

So how do you deal with this, and how can you monitor whether users or apps in your organization are using basic authentication?
What is the difference on the two, and why should you care?
I will try to cover this with this post.

Basic authentication VS Modern authentication

So, what is the difference on these two ways of user authentication for Exchange Online?

Legacy/basic authentication

Legacy authentication refers to protocols that use basic authentication.

In short, basic/legacy authentication means that the application will send the username and password each time a request is made to Exchange Online.
Exchange Online will then forward the authentication request to Azure Active Directory (AAD) or other identity provider (IdP) – like Active Directory Federation Services (ADFS) or similar. This uses simple HTTP login methods. Since this is sent with every request, this also means the attack surface is bigger, and therefore this form of authentication is more vulnerable to brute force or password spray attacks. And that is something we don’t want to happen for neither our users, nor our organization.

Several legacy protocols don’t support multi-factor authentication (MFA). MFA is in many environments a common requirement to address identity theft.
Even if you have an MFA policy enabled on your directory, a bad actor can authenticate using a legacy protocol and bypass MFA. 
Therefore, for MFA to be effective, you also need to block legacy authentication. This is because legacy authentication protocols like POP, SMTP, IMAP, and MAPI cannot enforce MFA, making them preferred entry points for attacks on your organization, and its users.

Just for reference, here are som attack numbers from Microsoft in regards to basic authentication:
Numbers are from an analysis of Azure Active Directory  (AAD)

  • More than 99 % of password spray attacks use legacy authentication protocols
  • More than 97 % of credential stuffing attacks use legacy authentication
  • Azure AD accounts in organizations that have disabled legacy authentication experience 67 % fewer compromises than those where legacy authentication is enabled

Basic authentication may still be enabled on your tenant if your 365 tenant was created before August 1, 2017.

The following options are considered legacy authentication protocols

  • Authenticated SMTP – Used by POP and IMAP client’s to send email messages.
  • Autodiscover – Used by Outlook and EAS clients to find and connect to mailboxes in Exchange Online.
  • Exchange ActiveSync (EAS) – Used to connect to mailboxes in Exchange Online.
  • Exchange Online PowerShell – Used to connect to Exchange Online with remote PowerShell. If you block Basic authentication for Exchange Online PowerShell, you need to use the Exchange Online PowerShell Module to connect. For instructions, see Connect to Exchange Online PowerShell using multi-factor authentication.
  • Exchange Web Services (EWS) – A programming interface that’s used by Outlook, Outlook for Mac, and third-party apps.
  • IMAP4 – Used by IMAP email clients.
  • MAPI over HTTP (MAPI/HTTP) – Used by Outlook 2010 and later.
  • Offline Address Book (OAB) – A copy of address list collections that are downloaded and used by Outlook.
  • Outlook Anywhere (RPC over HTTP) – Used by Outlook 2016 and earlier.
  • Outlook Service – Used by the Mail and Calendar app for Windows 10.
  • POP3 – Used by POP email clients.
  • Reporting Web Services – Used to retrieve report data in Exchange Online.
  • Other clients – Other protocols identified as utilizing legacy authentication.

Can you check if you are using basic authentication? Yes you can.

1: It is visible when you add the account to your Outlook client/mail app
If you see the following when you add your mail account to your client, it is using basic authentication

2: You can check the connection status for Outlook
Hold CTRL and right click the Outlook tray icon, choose Connection Status and you’ll see all the connections Outlook has to Office 365. ‘Bearer*’ means Modern Auth – ‘Clear*’ means Basic Auth. 




Example shows Basic auth is enabled

If you see Basic Auth being used by the client, it might be because Modern Auth is disabled in your tenant.
If your 365 tenant was created before August 1, 2017, that may be the reason for this.
Tenants created after this date have modern authentication enabled and available by default.

Modern authentication

Modern Authentication is based on OAuth 2.0 and the Active Directory Authentication Library (ADAL) providing token based authentication. OAuth 2.0 in this case is the protocol being used, and ADAL is used to authenticate against Azure AD.
In use, this means that the user, when trying to access a resourse, gets prompted for their login. This login is then used to obtain a token that gives them access to said resource – without giving the resource to the resource in question. When the token has been obtained, the token gets offered to the resource as proof of identity and access. This token is valid for a set amount of time before it gets renewed. Using some form of authentication – i.e header, GET, Post or a cookie in some kind – the resource can verify what level of acces the request will be given.

Modern authentication is enabled by default for 365 tenants created after August 1 2017.
For tenants created after October 2020, Basic/Legacy authentication – is also disabled by default.

Sett inn illustrasjon her

Can you check if you are using modern authentication? Yes you can.

1: It is visible when you add the account to your Outlook client/mail app
If you see the following when you add your mail account to your client, it is using modern authentication

2: You can check the connection status for Outlook
Hold CTRL and right click the Outlook tray icon, choose Connection Status and you’ll see all the connections Outlook has to Office 365. ‘Bearer*’ means Modern Auth – ‘Clear*’ means Basic Auth. 




Example shows Modern auth is enabled

If you see Basic Auth being used by the client, it might be because Modern Auth is disabled in your tenant.
If your 365 tenant was created before August 1, 2017, that may be the reason for this.
Tenants created after this date have modern authentication enabled and available by default.

How to monitor and disable legacy authentication in your tenant

1: Checking of basic authentication is enabled for exchange online on your tenant

To check if basic authentication is enabled you can connect to exchange online with powershell, and run the following command.
Info can also be found at Microsoft here.

# Connect to Exchange Online
    $UserCredential = Get-Credential
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
    Import-PSSession $Session -DisableNameChecking

# Verify status
 - If status for OAuth2Client is false, modern auth is disabled on your tenant, meaning you probably are using legacy auth
    Get-OrganizationConfig | Format-Table Name,OAuth* -Auto

# End session
    Remove-PSSession $Session

Checking of basic authentication is enabled for Sharepoint online on your tenant
This can be displayed using the Get-SPOTenant commandlet in PowerShell. The first one is OfficeClientADALDisabled, which when set to true specifies that Modern Authentication is disabled. The second one, LegacyAuthProtocolsEnabled, when set to True this enables Office clients using non-modern authentication protocols (such as, Forms-Based Authentication (FBA) or Identity Client Runtime Library (IDCRL)) to access SharePoint resources.

# connect to sharepoint online
    Connect-SPOService -Uri https://sometenant.sharepoint.com

# check config
    #Look for status of OfficeClientADALDisabled =False  (Means modern auth is off)
    #Look for status of LegacyAuthProtocolIsEnabled = True (Means basic auth is on)

    Get-SPOTenant

2: Azure AD Sign-In Report

Head over to the Azure portal for your tenant, go to Azure Active Directory.
Click on sign-ins in the left menu, click columns and check the mark for Client app, then click ok.


Now you can add a filter, Client app (then apply), and then a new dialog will allow you to pick the client app(s) to view. 
To view Basic Auth connections you should select everything except Browser and Mobile Apps and Desktop Clients.
When non-browser clients are using Modern Auth they will be placed into the Mobile Apps and Desktop Clients group.

You should now see a list of sign-in activities, leveraging legacy authentication.
If you click on any of the lines, you’ll see more information.

3: Enableling modern authentication for your tenant

First som general information on this part of the process.
As stated before, Modern auth should be enabled on your tenant by default – if you subscribed after August 1, 2017.
This is not the same as saying you are good to go and don’t need to change anything.
Reason for this is that even though modern authentication is enabled, there is a good chance that basic authentication also still is enabled.

Before you go ahead and activate modern authentication, and blocking legacy authentication, make sure you have mapped out how this will affect your users/organization. Check the logs for sign-in activities using legacy authentication as stated previously before you flip the final switch.

Some key notes:

  • For Windows-based Outlook clients to use modern authentication, Exchange Online must be modern authentication enabled as well. If modern authentication is disabled for Exchange Online, Windows-based Outlook clients that support modern authentication (Outlook 2013 or later) will use basic authentication to connect to Exchange Online mailboxes.
  • If you are using Office 2013 Windows clients or older, recommendation is to upgrade to Office 2016 or laterm to get support for modern authentication.
  • When you enable modern authentication in Exchange Online, Windows-based Outlook clients that support modern authentication (Outlook 2013 or later) use modern authentication to connect to Exchange Online mailboxes – though Outlook 2013 requires a registry change for this.
  • SharePoint Online is enabled for modern authentication default. For directories created after August 1, 2017, modern authentication is enabled by default in Exchange Online.
  • Modern authentication is enabled by default in Exchange Online, Skype for Business Online, and SharePoint Online.
  • Enabling or disabling modern authentication in Exchange Online as described in this topic only affects modern authentication connections by Windows-based Outlook clients that support modern authentication (Outlook 2013 or later).
  • Enabling or disabling modern authentication in Exchange Online as described in this topic does not affect other email clients that support modern authentication (for example, Outlook Mobile, Outlook for Mac 2016, and Exchange ActiveSync in iOS 11 or later). These other email clients always use modern authentication to log in to Exchange Online mailboxes.
  • Enabling or disabling modern authentication has no effect on IMAP or POP3 clients. However, if you’ve enabled security defaults in your organization, POP3 and IMAP4 are already disabled in Exchange Online.
    What are security defaults?.
  • When you enable modern authentication in Exchange Online, Windows-based Outlook clients that support modern authentication will be prompted to log in again. Further, the Basic Auth login dialog box and the Modern Auth dialog box look very different (See Basic VS Modern section in this post). 
  • You should synchronize the state of modern authentication in Exchange Online with Skype for Business Online to prevent multiple log in prompts in Skype for Business clients.
    For instructions, see Skype for Business Online: Enable your tenant for modern authentication.
  • A user with multiple accounts configured in their Outlook profile might receive an error when they try to connect to their mailbox. For more information, see KB 4516672
  • Applications on your mobile device need to block legacy authentication as well. Recommendation is to use Outlook for Mobile.
    Outlook for Mobile supports modern authentication by default and will satisfy other MFA baseline protection policies.
  • In order to use the native iOS mail client, you will need to be running iOS version 11.0 or later to ensure the mail client has been updated to block legacy authentication.

How to enable modern authentication and disable legacy

Option 1: You can enable this from the 365 admin center as follows:

Head over to the 365 admin center, here.
Head to : Settings-> Org settings -> Modern authentication-> check the mark to enable modern authentication on the top->hit save.
(If you also wish to disable legacy at this point, you can remove the checkmark(s) of your choice, shown in the yellow area below)


Option 2: Enable modern authentication for Exchange Online via powershell

# Enable or disable modern authentication for Outlook in Exchange Online
        # Source https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online

# Connect to Exchange Online
    $UserCredential = Get-Credential
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
    Import-PSSession $Session -DisableNameChecking

# Enable modern auth
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

# Verify status
    Get-OrganizationConfig | Format-Table Name,OAuth* -Auto

# End session
    Remove-PSSession $Session

Enable modern authentication for Skype for Business via powershell
Instructions can be found here.

# Connect to Skype for Business Online using remote PowerShell: https://aka.ms/SkypePowerShell

# Run the following command to enable modern authentication
    Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

Verify that the change was successful by running the following:
    Get-CsOAuthConfiguration

Block legacy authentication to Azure AD with Conditional Access

A good practice here is to enable a policy that blocks legacy authentication, and setting the policy to report only for a defined period.
You can then check the logs for how this policy would impact the users when it is turned to enabled.
This is a good step, to make sure you have made everything ready for this change before flipping the switch.

Good information on interpeting the results can be found here.

To make the policy:

The following steps will help create a Conditional Access policy to block legacy authentication requests. This policy is put in to Report-only mode to start so administrators can determine the impact they will have on existing users. When administrators are comfortable that the policy applies as they intend, they can switch to On or stage the deployment by adding specific groups and excluding others.

  1. Sign in to the Azure portal as a global administrator, security administrator, or Conditional Access administrator.
  2. Browse to Azure Active Directory > Security > Conditional Access.
  3. Select New policy.
  4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  5. Under Assignments, select Users and groups
    1. Under Include, select All users.
    2. Under Exclude, select Users and groups and choose any accounts that must maintain the ability to use legacy authentication. Exclude at least one account to prevent yourself from being locked out. If you do not exclude any account, you will not be able to create this policy.
    3. Select Done.
  6. Under Cloud apps or actions, select All cloud apps.
    1. Select Done.
  7. Under Conditions > Client apps, set Configure to Yes.
    1. Check only the boxes Exchange ActiveSync clients and Other clients.
    2. Select Done.
  8. Under Access controls > Grant, select Block access.
    1. Select Select.
  9. Confirm your settings and set Enable policy to Report-only.
  10. Select Create to create to enable your policy.

Check back in a couple of days or longer, to see the status for the conditional access policy.
This will give you insight if there still are clienst/apps triggering the policy on basic authentication.

End notes

We will continue to disable Basic Authentication for newly created tenants by default and begin to disable Basic Authentication in tenants that have no recorded usage starting October 2020. 

Sources

https://www.techrepublic.com/article/getting-ready-for-the-end-of-basic-authentication-in-exchange-web-services/
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-block-legacy-authentication
https://developer.microsoft.com/en-us/office/blogs/deferred-end-of-support-date-for-basic-authentication-in-exchange-online/
https://developer.microsoft.com/en-us/office/blogs/microsoft-365-pnp-weekly-episode-98/
https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-april-2020-update/ba-p/1275508
https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-july-update/ba-p/1530163
https://techcommunity.microsoft.com/t5/exchange-team-blog/improving-security-together/ba-p/805892
https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-auth-and-exchange-online-february-2020-update/ba-p/1191282
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication
https://www.vansurksum.com/2020/03/01/microsoft-is-going-to-disable-basic-legacy-authentication-for-exchange-online-what-does-that-actually-mean-and-does-that-impact-me/


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.