Disabling Legacy Authentication in Exchange Server 2019
Published Jun 21 2019 08:53 AM 57.2K Views

We are happy to announce that the ability to disable legacy authentication is available with the second cumulative update (CU2) for Exchange 2019. This is an important step down the path of removing legacy authentication mechanisms from Exchange Hybrid deployments.

This feature is very similar to the functionality offered in Office 365 for Disabling Basic authentication.

Why is this feature important?

As you probably know, legacy authentication methods are less secure, are vulnerable to interception and are susceptible to brute-force and password spray attacks. If your organization has no legacy email clients or doesn’t want to allow legacy email clients, you can use these new Authentication Policies in your Exchange Hybrid environment to disable legacy authentication requests. This ensures only those clients that support Hybrid Modern Authentication can connect to Exchange Server.

What are ‘legacy’ authentication methods?

Exchange Server has been around for 23 years, so we’ve seen a lot of change over that time. We’ve had to support multiple authentication methods over this time, to keep in sync with clients and to allow simple migration. The following legacy authentication methods have historically been used to access Exchange servers, and it’s the removal of these that we are interested in for the purposes of this feature and post.

  • Basic authentication
  • Digest authentication
  • Windows authentication (NTLM and Kerberos)

So what do you need to do to configure this new feature?

Pre-requisites

  1. Verify that Hybrid Modern Authentication is enabled and successfully working in your Exchange Hybrid environment.
  2. Verify that all of your email clients and apps support Modern Authentication. Clients that currently support Hybrid Modern Auth are listed below. It’s also really important to keep your clients up to date – not only does that ensure they get fixes for any issues we find, but it means they get the latest features and capabilities too.
  • Outlook 2013 or later (Outlook 2013 requires a registry key change)
  • Outlook 2016 for Mac or later
  • Outlook for iOS and Android
  • Mail for iOS 11.3.1 or later

Authentication Policies

You block legacy authentication in Exchange hybrid environments by creating authentication policies. Authentication policies define the client protocols where legacy authentication is blocked (all protocols or specific protocols, although we typically recommend blocking legacy authentication for all protocols).

After you create authentication policies, you assign them to users. Assigning a policy to users blocks their legacy authentication requests for the specified protocols. Note that for the policy to take effect, mailboxes must be on an Exchange 2019 CU2 server and connection to the mailbox cannot come through an older version of Exchange.

You manage all aspects of authentication policies in the Exchange Management Shell.

Supported Protocols and Services

The protocols and services in Exchange that you can block legacy authentication for are described in the following list, together with the parameter that controls each one.

  • Exchange ActiveSync (EAS): used by some email clients on mobile devices. Parameter name: BlockLegacyAuthActiveSync
  • Autodiscover: used by Outlook and EAS clients to find and connect to mailboxes in Exchange. Parameter name: BlockLegacyAuthAutodiscover
  • IMAP: used by IMAP email clients. Parameter name: BlockLegacyAuthImap
  • MAPI over HTTP (MAPI/HTTP): used by Outlook 2013 and later. Parameter name: BlockLegacyAuthMapi
  • Offline Address Book (OAB): a copy of address list collections that are downloaded and used by Outlook. Parameter name: BlockLegacyAuthOfflineAddressBook
  • POP3: used by POP email clients. Parameter name: BlockLegacyAuthPop
  • Outlook Anywhere (RPC over HTTP): used by Outlook 2016 and earlier. Parameter name: BlockLegacyAuthRpc
  • Exchange Web Services (EWS): a programming interface that’s used by Outlook, Outlook for Mac, and third-party apps. Parameter name: BlockLegacyAuthWebServices

Typically, when you block legacy authentication for a user, we recommend that you block legacy authentication for all protocols. However, you can use the BlockLegacyAuth* parameters (switches) on the New-AuthenticationPolicy and Set-AuthenticationPolicy cmdlets to selectively allow or block legacy authentication for specific protocols.

Step 1: Create the Authentication Policy

To create a policy that blocks legacy authentication for the specified client protocol, use the New-AuthenticationPolicy cmdlet.

This example creates an authentication policy named “Block Legacy Auth” to block legacy authentication for all client protocols in Exchange 2019 (the recommended configuration).

New-AuthenticationPolicy -Name "Block Legacy Auth" -BlockLegacyAuthActiveSync -BlockLegacyAuthAutodiscover -BlockLegacyAuthImap -BlockLegacyAuthMapi -BlockLegacyAuthOfflineAddressBook -BlockLegacyAuthPop -BlockLegacyAuthRpc -BlockLegacyAuthWebServices

Step 2: Assign the authentication policy to users

The methods that you can use to assign authentication policies to users are:

Individual user accounts:

This example assigns the policy named Block Legacy Auth to the user account laura@contoso.com.

Set-User -Identity laura@contoso.com -AuthenticationPolicy "Block Legacy Auth"

Filter user accounts by attributes: This method requires that the user accounts all share a unique filterable attribute (for example, Title or Department) that you can use to identify the users.

This example assigns the policy named Block Legacy Auth to all user accounts whose Title attribute contains the value “Sales Associate”.

$SalesUsers = Get-User -ResultSize unlimited -Filter {(RecipientType -eq 'UserMailbox') -and (Title -like '*Sales Associate*')}
$Sales = $SalesUsers.SamAccountName
$Sales | foreach {Set-User -Identity $_ -AuthenticationPolicy "Block Legacy Auth"}

Use a list of specific user accounts: This method requires a text file to identify the user accounts. Values that don’t contain spaces (for example, the user principal name or UPN) work best. The text file must contain one user account on each line like this:

akol@contoso.com
tjohnston@contoso.com
kakers@contoso.com

The syntax uses two commands (one to identify the user accounts, and the other to apply the policy to those users).

This example assigns the policy named Block Legacy Auth to the user accounts specified in the C:\My Documents\BlockLegacyAuth.txt file.

$BLA = Get-Content "C:\My Documents\BlockLegacyAuth.txt"
$BLA | foreach {Set-User -Identity $_ -AuthenticationPolicy "Block Legacy Auth"}

Configure the default authentication policy

The default authentication policy is assigned to all users who don’t already have a specific policy assigned to them (a directly assigned policy takes precedence).

You can configure the default authentication policy for the organization using the Set-OrganizationConfig cmdlet.

This example configures the authentication policy named “Block Legacy Auth” as the default policy.

Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Legacy Auth"
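Putting Step 1, Step 2 and the default-policy configuration together, the following script is an added example (not code from the original post) that runs the whole procedure with the checks an administrator would want before changing authentication behaviour for real users. It creates the policy only if it does not already exist so it can be re-run safely, reads the one-UPN-per-line file described above and skips blank lines, confirms that each user’s mailbox sits on an Exchange 2019 server (version 15.2) before assigning the policy, reads the assignment back from Get-User instead of assuming Set-User succeeded, and sets the organization default only when the -SetAsDefault switch is passed. The policy name, file path and the -SetAsDefault switch are assumptions; the exact CU2 build is not given in this post, so the script checks the major version only and leaves confirming the CU level to the administrator.

```powershell
# Added example (not from the original post): apply "Block Legacy Auth" end to end
# with pre-flight checks. Run from the Exchange Management Shell on Exchange 2019 CU2+.
param(
    [string]$PolicyName   = "Block Legacy Auth",                      # assumption: name used in the post
    [string]$UserListPath = "C:\My Documents\BlockLegacyAuth.txt",    # assumption: one UPN per line
    [switch]$SetAsDefault                                             # assumption: opt-in org default
)

# Step 1: create the policy only if it is not already there, so the script is safe to re-run.
$policy = Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue
if (-not $policy) {
    $policy = New-AuthenticationPolicy -Name $PolicyName `
        -BlockLegacyAuthActiveSync -BlockLegacyAuthAutodiscover -BlockLegacyAuthImap `
        -BlockLegacyAuthMapi -BlockLegacyAuthOfflineAddressBook -BlockLegacyAuthPop `
        -BlockLegacyAuthRpc -BlockLegacyAuthWebServices
    Write-Host "Created policy '$PolicyName'."
} else {
    Write-Host "Policy '$PolicyName' already exists; reusing it."
}

# Step 2: assign the policy to each UPN in the file, validating each user as we go.
$results = foreach ($line in Get-Content -Path $UserListPath) {
    $upn = $line.Trim()
    if (-not $upn) { continue }                                       # skip blank lines

    try {
        # The policy only takes effect for mailboxes on Exchange 2019 CU2 or later, so look at
        # the mailbox server first. Exchange 2019 reports "Version 15.2"; the CU2 build number
        # is not stated in this post, so confirm the CU level separately.
        $mailbox = Get-Mailbox -Identity $upn -ErrorAction Stop
        $server  = Get-ExchangeServer -Identity $mailbox.ServerName -ErrorAction Stop
        if ($server.AdminDisplayVersion -notmatch 'Version 15\.2') {
            [pscustomobject]@{ User = $upn; Status = 'Skipped'; Detail = "Mailbox on $($server.Name): $($server.AdminDisplayVersion)" }
            continue
        }

        Set-User -Identity $upn -AuthenticationPolicy $PolicyName -ErrorAction Stop

        # Read the assignment back rather than trusting that Set-User succeeded silently.
        $assigned = (Get-User -Identity $upn -ErrorAction Stop).AuthenticationPolicy
        $ok = [bool]($assigned -and ("$assigned" -like "*$PolicyName*"))
        [pscustomobject]@{ User = $upn; Status = $(if ($ok) { 'Assigned' } else { 'Verify failed' }); Detail = "$assigned" }
    } catch {
        # Typos in the file or deleted accounts land here instead of aborting the whole run.
        [pscustomobject]@{ User = $upn; Status = 'Error'; Detail = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize

# Optional: make the policy the organization default for users without a direct assignment.
if ($SetAsDefault) {
    Set-OrganizationConfig -DefaultAuthenticationPolicy $PolicyName
    Write-Host "Set '$PolicyName' as the default authentication policy."
}
```

Run it once without -SetAsDefault to roll the policy out to the pilot group in the file and review the per-user table; any row marked Skipped points at a mailbox that still needs to move to Exchange 2019 before the policy can protect it.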

How does this feature work in practice?

The diagrams below illustrate how this feature works once a policy has been created and assigned.

[Diagram: Hybrid Modern Auth Flow]

[Diagram: Legacy Auth Flow]

How do I view authentication policies?

To view a summary list of the names of all existing authentication policies, run the following command:

Get-AuthenticationPolicy | Format-Table -Auto Name

To view detailed information about a specific authentication policy, use this syntax:

Get-AuthenticationPolicy -Identity "Block Legacy Auth"
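As an added example (not from the original post), the following read-only report expands the two commands above into an audit of where the organization stands: for every policy it lists which of the eight protocols are blocked and which still accept legacy authentication, flags the organization default, and counts how many mailbox users are directly assigned to each policy versus inheriting the default. It assumes the BlockLegacyAuth* switches are exposed as boolean properties on the object returned by Get-AuthenticationPolicy, and that Get-User and Get-OrganizationConfig expose the AuthenticationPolicy and DefaultAuthenticationPolicy values set by the cmdlets in this post.

```powershell
# Added example (not from the original post): audit authentication policies and their coverage.
# Read-only, so it is safe to run before and after a rollout from the Exchange Management Shell.

# The eight BlockLegacyAuth* switches from the post appear as boolean properties on the policy object.
$protocolProps = @(
    'BlockLegacyAuthActiveSync', 'BlockLegacyAuthAutodiscover', 'BlockLegacyAuthImap',
    'BlockLegacyAuthMapi', 'BlockLegacyAuthOfflineAddressBook', 'BlockLegacyAuthPop',
    'BlockLegacyAuthRpc', 'BlockLegacyAuthWebServices'
)

$default = (Get-OrganizationConfig).DefaultAuthenticationPolicy
Write-Host "Default authentication policy: $(if ($default) { "$default" } else { '<none: unassigned users can still use legacy auth>' })"
Write-Host ""

# One row per policy: which protocols it blocks and which it leaves open.
$policyReport = foreach ($policy in Get-AuthenticationPolicy) {
    $blocked = $protocolProps | Where-Object { $policy.$_ -eq $true } |
        ForEach-Object { $_ -replace '^BlockLegacyAuth', '' }
    $open    = $protocolProps | Where-Object { $policy.$_ -ne $true } |
        ForEach-Object { $_ -replace '^BlockLegacyAuth', '' }

    [pscustomobject]@{
        Policy    = $policy.Name
        IsDefault = [bool]($default -and ("$default" -like "*$($policy.Name)*"))
        Blocked   = ($blocked -join ', ')
        StillOpen = $(if ($open) { $open -join ', ' } else { '(none)' })   # partial policies stand out here
    }
}
$policyReport | Format-Table -AutoSize -Wrap

# Coverage: users with no AuthenticationPolicy of their own fall back to the organization default,
# so if no default is set those users are the ones still reachable over legacy authentication.
$users = Get-User -ResultSize Unlimited -Filter { RecipientType -eq 'UserMailbox' }
$users |
    Group-Object -Property { if ($_.AuthenticationPolicy) { "$($_.AuthenticationPolicy)" } else { '(inherits default)' } } |
    Select-Object @{ Name = 'Policy'; Expression = { $_.Name } }, Count |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

The StillOpen column is the one to watch during a phased rollout: a policy created with only some of the BlockLegacyAuth* switches will show the remaining protocols there, and the second table shows how many users would still be exposed if the default were left unset.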

How do I remove authentication policies?

To remove a policy, run one of the following commands. Note that it can take around one hour for the removal to take effect after the command is executed.

To remove the policy for a particular user, say userA, use the following command.

Set-User userA -AuthenticationPolicy $null

To remove the policy at the organization level, use the following command.

Set-OrganizationConfig -DefaultAuthenticationPolicy $null

Summary

You now have a way to block legacy authentication mechanisms for users in your organisation so that they can all use Modern Authentication. We would love to hear your feedback. Please do leave us comments below.

Thank you,

The Exchange Team

Last update: Jul 01 2019 04:37 PM