Forum Discussion
Block legacy auth in Exchange Online
I'd love to disable basic auth in my org, as we've had instances where a mailbox has become compromised using a basic auth attack, but with a 60k user base we have a lot of legacy kit out there which just doesn't support modern auth.
Most users use Android too - and while we've explained they have the Outlook for Android app available, some do prefer to use the native Android client.
One thing I was curious about, though, using the article referenced in the announcement today: is that any different from disabling basic auth apps via a conditional access policy? That would allow us to give the helpdesk staff targeted groups of users whom we can disable for basic auth.
- VasilMichev (MVP), Oct 20, 2018
It is different from CA: the feature works by blocking the request at the Exchange server layer, even before redirecting to the auth provider.
- Anonymous, Oct 20, 2018
Thanks for confirming.
Am I right in thinking the end result would be the same, though? Basic auth blocked using CA would be the same as blocking it in EXO?
- VasilMichev (MVP), Oct 21, 2018
Yup, but one of the benefits you get from this method, apart from the greater granularity, is that blocked/failed (or, God forbid, successful) logins will not trigger the lockout windows, as the request never reaches Azure AD. With CA policies, the block happens after authentication; at that point the account is compromised.