Tomas_S_
Mar 30, 2023

Allow access to basic authentication protocols

I have disabled the basic/legacy authentication methods from M365 admin center.

If I run this command

Get-OrganizationConfig | Select-Object -ExpandProperty DefaultAuthenticationPolicy | ForEach { Get-AuthenticationPolicy $_ | Select-Object AllowBasicAuth* }

I get the following results:
AllowBasicAuthActiveSync : False
AllowBasicAuthAutodiscover : False
AllowBasicAuthImap : False
AllowBasicAuthMapi : False
AllowBasicAuthOfflineAddressBook : False
AllowBasicAuthOutlookService : True
AllowBasicAuthPop : False
AllowBasicAuthReportingWebServices : True
AllowBasicAuthRest : False
AllowBasicAuthRpc : False
AllowBasicAuthSmtp : False
AllowBasicAuthWebServices : False
AllowBasicAuthPowershell : False

Why aren't AllowBasicAuthReportingWebServices and AllowBasicAuthOutlookService blocked? Shouldn't they all be blocked? I went through our sign-in logs and noticed that hackers are trying to get in using AllowBasicAuthReportingWebServices.

  • The UI in Admin Center doesn't set the policies for those protocols. You can only set those with PowerShell, and I'd suggest you do it. Just modify the parameters in your default auth policy and block them.

    When we block basic auth at the tenant level, we don't use Auth Policies, so a protocol can be blocked, even if the Auth Policy says it's enabled.

    For the two you call out, RWS and OutlookService - we're going to block those too in the coming weeks and months.
    • Tomas_S_
      Hi,
      I will block those. Thank you.
  • Did you create a conditional access policy to block any legacy authentication to your tenant?
    • Tomas_S_

      eliekarkafy 

      Yes, we have a conditional access policy blocking legacy auth but I'm not sure if it's blocking these.

  • That's something you (your tenant) are controlling via the corresponding Auth policy. The server-side controls are another layer on top of that, and only exposed via the BasicAuthBlockedApps property.
    In any case, you can try toggling those off via Set-AuthenticationPolicy.
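
Added example, not part of the thread: one way to apply the advice above by finding every AllowBasicAuth* setting still enabled in the default authentication policy and switching it off with Set-AuthenticationPolicy. It assumes an Exchange Online PowerShell session is already connected; the helper name Get-EnabledBasicAuthSetting and the sample object are constructed for illustration.

```powershell
# Hypothetical helper (not an Exchange cmdlet): returns the names of the
# AllowBasicAuth* properties on a policy object that are still True.
function Get-EnabledBasicAuthSetting {
    param([Parameter(Mandatory)] $Policy)
    $Policy.PSObject.Properties |
        Where-Object { $_.Name -like 'AllowBasicAuth*' -and $_.Value -eq $true } |
        Select-Object -ExpandProperty Name
}

# Constructed sample shaped like part of the output in the question, so the
# helper can be tried without a tenant connection.
$sample = [pscustomobject]@{
    AllowBasicAuthImap                 = $false
    AllowBasicAuthOutlookService       = $true
    AllowBasicAuthReportingWebServices = $true
    AllowBasicAuthSmtp                 = $false
}
Get-EnabledBasicAuthSetting -Policy $sample

# Live path: runs only when the Exchange Online cmdlets are loaded.
if (Get-Command Get-AuthenticationPolicy -ErrorAction SilentlyContinue) {
    $name = (Get-OrganizationConfig).DefaultAuthenticationPolicy
    if (-not $name) {
        Write-Warning 'No default authentication policy is set for this organization.'
        return
    }

    $policy = Get-AuthenticationPolicy -Identity $name

    # Build a splat such as @{ AllowBasicAuthOutlookService = $false; ... }
    $disable = @{}
    foreach ($setting in Get-EnabledBasicAuthSetting -Policy $policy) {
        $disable[$setting] = $false
    }

    if ($disable.Count -gt 0) {
        # -WhatIf previews the change; remove it to apply.
        Set-AuthenticationPolicy -Identity $name @disable -WhatIf
    }

    # Re-read the policy to confirm the resulting state.
    Get-AuthenticationPolicy -Identity $name | Select-Object AllowBasicAuth*
}
```

Users assigned a non-default authentication policy are not covered by this change; check those policies the same way by passing their names to Get-AuthenticationPolicy.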
