Block all the auths


Hey - can someone please clarify and answer where, during the authentication flow, each of these security controls is evaluated?

  • Set-CASMailbox $mailbox -PopEnabled $false
  • Set-CASMailboxPlan -PopEnabled $false, applied to $mailbox
  • Set-ClientAccessRule -AnyOfProtocols POP3 -AnyOfClientIPAddressesOrRanges 0.0.0.0/0
  • Set-Mailbox $mailbox -AuthenticationPolicy "Block POP3"
    • where "Block POP3" = Set-AuthenticationPolicy "Block POP3" -AllowBasicAuthPop:$false
  • A Conditional Access rule to block "Other Clients"

My understanding is Set-Mailbox $mailbox -AuthenticationPolicy "Block POP3" is superior to the others, as it blocks/drops the request pre-authentication, while the others occur post-authentication, which could lead to account lockout.

However, can someone who knows take the time to describe in detail the authentication flow if one or all of these controls are in place, and when they are evaluated?

3 Replies

None of the Exchange-related stuff you listed is evaluated during authentication, only conditional access policies and/or the recently introduced auth policies: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online

Right, authentication vs authorisation, I get it - thank you!

Follow on, so when is conditional access evaluated? After the first factor (password) is evaluated and just prior to the access token being passed back to the client?

Something like this?

Authentication
- Client sends username/password to EO
- EO evaluates AuthenticationPolicy
- EO passes request to AzureAD
- AzureAD evaluates username/password
--- user is now authenticated ---
- Event is written to SignInLogs
Authorisation
- AzureAD evaluates Conditional Access policies
- AzureAD passes request back to EO
- EO evaluates CAS Plan and Rules
- EO passes access token to client

?

Another follow-on question. Given the new AuthenticationPolicy is evaluated pre-auth, is there any need to also block POP/IMAP etc. in a CAS mailbox plan/rule?

There was a document listing the order in which the different controls are executed, but I cannot seem to find it now. I'll circle back once I've had my caffeine dose for the day.

To answer the other question, with an auth policy in place to block basic auth for POP/IMAP, you shouldn't need to block the protocol at the per-mailbox level.
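As an added example (not part of the thread above), here is the authentication-policy approach from the last reply applied end to end in Exchange Online PowerShell: create a policy that blocks Basic authentication for POP and IMAP, assign it to a user, force it to take effect, and then verify both the policy and the separate per-mailbox CAS switches the thread discusses. Per the linked Microsoft doc, the cmdlet that takes -AuthenticationPolicy is Set-User, not Set-Mailbox, and the AllowBasicAuth* parameters are switches, so they are cleared with the `:$false` form. The admin UPN, policy name and mailbox address are placeholders; it requires the ExchangeOnlineManagement module and an Exchange Online admin session.

```powershell
# Added example, not code from the original post. Placeholders: admin UPN,
# policy name, mailbox address. Requires ExchangeOnlineManagement.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com   # placeholder UPN

$policyName = "Block Basic Auth POP IMAP"   # placeholder policy name
$mailbox    = "user@contoso.com"            # placeholder mailbox

# 1. Create the policy if it does not exist. A new policy blocks Basic auth for
#    every protocol by default; the switches below state the POP/IMAP intent
#    explicitly so a later Get-AuthenticationPolicy shows exactly what is blocked.
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}
Set-AuthenticationPolicy -Identity $policyName -AllowBasicAuthPop:$false -AllowBasicAuthImap:$false

# 2. Assign the policy to the user (Set-User, not Set-Mailbox).
Set-User -Identity $mailbox -AuthenticationPolicy $policyName

# 3. Policy changes normally propagate within 24 hours. Resetting the
#    refresh-token timestamp makes the new policy apply at the next sign-in.
Set-User -Identity $mailbox -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)

# 4. Verify the policy assignment, what the policy allows, and the per-mailbox
#    CAS switches that the thread agrees are evaluated separately (post-auth).
Get-User -Identity $mailbox | Format-List UserPrincipalName, AuthenticationPolicy
Get-AuthenticationPolicy -Identity $policyName | Format-List Name, AllowBasicAuthPop, AllowBasicAuthImap
Get-CASMailbox -Identity $mailbox | Format-List PopEnabled, ImapEnabled

# 5. Optional review: list mailboxes that still have POP or IMAP enabled at the
#    CAS level (client-side filter, so it works regardless of server-side filter support).
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled
```

Step 4 is the check worth keeping: the AuthenticationPolicy value on the user confirms the pre-authentication block, while PopEnabled/ImapEnabled show the CAS mailbox settings that the replies above describe as not being part of authentication at all.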
