Update: The full timeline for retirement of Basic Authentication in Exchange Online is now published in Basic Authentication Deprecation in Exchange Online – September 2022 Update.
For many years, ...
Updated Jul 09, 2024
Version 10.0
Blog Post
It's been 3+ months since this announcement, and still no comprehensive reporting tool to show affected users.
With lack of a reporting tool, we've been cobbling together reports in Sentinel, with data from AAD Sign-in logs and Exchange Mailbox Logon events from the Office audit log. Outside of IP, UPN and binning the timestamps to 60sec, there really isn't good way to correlate these logs together. This is unfortunate, since the Exchange logon events have far more detail (iOS version and HW identifiers) from the ClientInfoString.
As a higher ed institution, the spring semester is our best chance reach our faculty in-person to remediate their devices before summer break, particularly with a deadline for legacy auth that overlaps our fall back-to-school. I can't stress that we need comprehensive reporting on legacy auth, and we really needed it in November.
Sentinel Queries: https://github.com/chrisbues/kqlmagic/blob/master/legacyauth.kql