Hi everyone, just spent the last couple of days going through the documentation and implementing this.
I found multiple errors in the PowerShell commands which held me up drastically. Here is what I ended up with, hopefully it will help others:
Create the authentication policy:
Set-AuthenticationPolicy -Identity "Block Basic Auth for Imap4/Pop3/Outlook Service(win10 apps)" -AllowBasicAuthActiveSync -AllowBasicAuthAutodiscover -AllowBasicAuthImap:$false -AllowBasicAuthMapi -AllowBasicAuthOfflineAddressBook -AllowBasicAuthOutlookService:$false -AllowBasicAuthPop:$false -AllowBasicAuthReportingWebServices -AllowBasicAuthRest -AllowBasicAuthRpc -AllowBasicAuthSmtp -AllowBasicAuthWebServices -AllowBasicAuthPowerShell
Configure the default authentication policy:
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth for Imap4/Pop3/Outlook Service(win10 apps)"
Assign the authentication policy to users:
Individual user accounts:
Set-User -Identity user@domain.com -AuthenticationPolicy "Block Basic Auth for Imap4/Pop3/Outlook Service(win10 apps)"
All user accounts (my own creation with Andy Davids PowerShell brain help):
$users = Get-User -ResultSize Unlimited
$users = $users.WindowsEmailAddress
$users | ForEach-Object { Set-User -Identity $_ -AuthenticationPolicy "Block Basic Auth for Imap4/Pop3/Outlook Service(win10 apps)" }
Immediately apply the authentication policy to users within 30 minutes (despite other websites saying it's only 24 hrs):
Individual user accounts:
Set-User -Identity user@domain.com -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)
All user accounts (my own creation with Andy Davids PowerShell brain help):
$users = Get-User -ResultSize Unlimited
$users = $users.WindowsEmailAddress
$users | ForEach-Object { Set-User -Identity $_ -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow) }
Note: The very last command underlined above to immediately apply to all users threw some weird errors for every user as it went through but it did change the -STSRefreshTokensValidFrom on each user so I think it worked.
To check it had assigned to users and was visible I ran this against a few users:
Get-User -Identity "Display Name" | Format-List
Look through the output to find these entries:
AuthenticationPolicy : Block Basic Auth for Imap4/Pop3/Outlook Service(win10 apps)
StsRefreshTokensValidFrom : 23/10/2018 14:04:47
Next thing to do is work out how to see it actually working.....should be fun!!
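The per-user check above, extended to every account at once, as an added example that is not part of the original post. The function name `Get-AuthPolicyGap` and the sample users are hypothetical, and it assumes `AuthenticationPolicy` renders as the policy name, as in the `Format-List` output shown in the post.

```powershell
# Added example: flags users whose policy or token-reset state differs from what was intended.
function Get-AuthPolicyGap {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject]$User,
        [Parameter(Mandatory)] [string]$ExpectedPolicy
    )
    process {
        $assigned = "$($User.AuthenticationPolicy)"   # assumption: stringifies to the policy name
        $issues = @()
        if (-not $assigned) {
            # No per-user policy: the organization default (DefaultAuthenticationPolicy) applies.
            $issues += 'no per-user policy (org default applies)'
        } elseif ($assigned -ne $ExpectedPolicy) {
            $issues += 'different policy assigned'
        }
        if (-not $User.StsRefreshTokensValidFrom) {
            $issues += 'StsRefreshTokensValidFrom not set'
        }
        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                User                      = "$($User.WindowsEmailAddress)"
                AuthenticationPolicy      = $assigned
                StsRefreshTokensValidFrom = $User.StsRefreshTokensValidFrom
                Issue                     = $issues -join '; '
            }
        }
    }
}

$policy = 'Block Basic Auth for Imap4/Pop3/Outlook Service(win10 apps)'

# Constructed sample objects standing in for Get-User output (not real accounts).
$sample = @(
    [pscustomobject]@{ WindowsEmailAddress = 'alice@example.com'; AuthenticationPolicy = $policy
                       StsRefreshTokensValidFrom = [datetime]'2018-10-23T14:04:47' }
    [pscustomobject]@{ WindowsEmailAddress = 'bob@example.com'; AuthenticationPolicy = $null
                       StsRefreshTokensValidFrom = $null }
    [pscustomobject]@{ WindowsEmailAddress = 'carol@example.com'; AuthenticationPolicy = 'Some Other Policy'
                       StsRefreshTokensValidFrom = [datetime]'2018-10-23T14:04:47' }
)

# Lists bob (no per-user policy, no token reset) and carol (different policy); alice passes.
$sample | Get-AuthPolicyGap -ExpectedPolicy $policy | Format-Table -AutoSize

# Against the tenant, in a connected Exchange Online session:
# Get-User -ResultSize Unlimited | Get-AuthPolicyGap -ExpectedPolicy $policy
```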