Pages

Thursday, 14 May 2020

Connect to Exchange Online to check whether Modern Authentication is enabled or not?

Connect to Exchange Online to check whether Modern Authentication is enabled or not?

Microsoft is going to disable basic/legacy authentication for Exchange Online. What does that actually mean and does that impact me?

Update: On April 30, the Exchange Team announced that OAuth 2.0 authentication for IAMP and SMTP AUTH protocols is now available. In order to leverage this functionality mail clients need to start using it (so they need an update)
On March 7, 2018 the Microsoft Exchange Team announced that on October 13, 2020 it would stop the support for Basic Authentication (also called Legacy authentication) for Exchange Web Services (EWS) in Exchange Online (EXO), the version of Exchange offered as a service part of Office 365. EWS is a web service which can be used by client applications to access the EXO environment. The team also announced that EWS would not receive any feature updates anymore, and suggests customers to transition towards using Microsoft Graph to access EXO.
One and a half year later, on November 20, 2019 the Exchange Team also announced to stop supporting Basic Authentication for Exchange ActiveSync (EAS), Post Office Protocol (POP), Internet Message Access Protocol (IMAP) and Remote PowerShell on October 13 2020 as well. Authenticated Simple Mail Transfer Protocol (SMTP) will stay supported when used with Basic Authentication.
Instead of supporting Basic/Legacy authentication Microsoft will move towards only supporting Modern Authentication for most of the methods used to connect to Exchange Online.

So what is this Legacy/Basic and Modern Authentication exactly?

When using Basic/Legacy Authentication application sends a username and password with every request to Exchange Online which either forwards the credentials towards Azure AD or a federated authentication provider like Active Directory Federation Services (ADFS). The problem with Basic/Legacy authentication is that it’s vulnerable to brute force or password spray attacks.
Modern Authentication is based on OAuth 2.0 and the Active Directory Authentication Library (ADAL) providing token based authentication. OAuth 2.0 in this case is the protocol being used, and ADAL is used to authenticate against Azure AD.
The general concept behind a token-based authentication system is simple. Allow users to enter their username and password in order to obtain a token which allows them to fetch a specific resource – without using their username and password. Once their token has been obtained, the user can offer the token – which offers access to a specific resource for a time period – to the remote site. Using some form of authentication: a header, GET or POST request, or a cookie of some kind, the site can then determine what level of access the request in question should be afforded.
So Microsoft wants you to move towards Modern Authentication since it’s a more secure solution. Another big advantage of using Modern Authentication is that it can leverage Azure AD Conditional Access, giving you the option to force MFA for users among other options. See my blogpost series on Azure AD Conditional Access for more information about implementing Conditional Access..

How can I check whether Modern Authentication is enabled or not?

If your tenant was created after August 1, 2017 Modern Authentication is turned on by default, that does not mean that in the meantime someone disabled Modern Authentication of course.
The easiest way to check if Modern Authentication is enabled is by looking in the Microsoft 365 Admin Center. Once in the  Admin Center go to Settings -> Settings – > Modern Authentication. Here you can check if Modern authentication is enabled.

Powershell Command to check whether Modern Authentication is enabled or not?

Connect to Exchange Online 

using elevated PowerShell command run the following:

$UserCredential = Get-Credential

In the Windows PowerShell Credential Request dialog box, type your work or school account and password, and then click OK.

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $Session -DisableNameChecking

Get-OrganizationConfig | ft name, *OAuth*

Name                     OAuth2ClientProfileEnabled
----                     --------------------------
****365.onmicrosoft.com                      False

Important Note
Be sure to disconnect the remote PowerShell session when you're finished. If you close the Windows PowerShell window without disconnecting the session, you could use up all the remote PowerShell sessions available to you, and you'll need to wait for the sessions to expire. To disconnect the remote PowerShell session, run the following command.

Remove-PSSession $Session

No comments:

Post a Comment