
Today we are pleased to announce some new changes to Modern Authentication controls in the Microsoft 365 Admin Center, exposing simpler options for customers to manage both Modern and Basic Authentication requirements within their organizations. Available from within the Admin Center under Settings > Org Settings > Modern Authentication (alternatively, search for “Modern Authentication” in the portal Home page Search field), customers may now quickly designate the protocols in their tenant that no longer require Basic Authentication to be enabled.

While additional granularity is available through PowerShell, once Modern Authentication is enabled these new UI options will provide Administrators simpler controls to manage Basic Authentication access to common protocol combinations.  These new changes, rolling out to all tenants, align with our entry from the M365 Roadmap.

modernauthjuly01.jpg

Behind the scenes, these new Modern Auth UI options utilize Authentication Policies.  For customers that have not created their own Authentication Policies in the past, modifying any of these selections in the new UI (POP3 in the example below) will automatically create the first new Authentication Policy. This policy is visible only through PowerShell.  For advanced customers that may already be utilizing Authentication Policies, changes within the UI will modify their existing default policy.  You’ll want to look through your Azure AD Sign-in logs to get a good idea of which protocols clients are using before making any changes.

modernauthjuly02.jpg

Additional Information
We realize there may be some confusion around different efforts Microsoft is making to provide more secure environments for our customers.  The easiest answer for customers who aren’t using Basic Authentication, and don’t have a complicated auth story, is to enable Security Defaults.  Otherwise, while the below isn’t an exhaustive list, we thought it would be a good idea to try to cover a few additional details here. 

Modern vs. Basic Authentication:  Hopefully by now we don’t need to expand upon the virtues of Modern Authentication.  Enabled by default for all new tenants since August 1, 2017, Modern Auth is the superior alternative for all users and applications connecting to Office 365.  If you haven’t turned Modern Authentication on yet we certainly recommend it.  Just be aware this switch affects all the Outlook for Windows clients in your entire tenant, so make sure you are clear on how it may affect your users.

Security Defaults:  If your tenant was created on or after October 22, 2019, it is possible that Security Defaults are already enabled in your tenant. In an effort to provide a basic level of security, Security Defaults are being rolled out to all newly created tenants.  Security Defaults block all Legacy/Basic Authentication and enable Modern/Multi-Factor Authentication for all users.  We should clarify that Security Defaults are typically tailored for new customers or those who are new to managing their own security story.  While the end results are similar, Security Defaults do not utilize Exchange Authentication Policies under the hood.  Thus, to prevent overlap and confusion, we restrict the combination of these controls in the new Modern Auth UI.  If Security Defaults are enabled in the organization, administrators attempting to use the new Modern Auth UI will be presented with the following text.  (You should disable Security Defaults only if you understand the risks of using Basic Authentication.)

modernauthjuly03.jpg

Authentication Policies:  As announced last year, the Exchange Team is planning to disable Basic Authentication for the EAS, EWS, POP, IMAP, and RPS protocols in the second half of 2021. As a point of clarity, Security Defaults and Authentication Policies are separate, but provide complementary features. We recommend that customers use Authentication Policies to turn off Basic Authentication for a subset of Exchange Online protocols or to gradually turn off Basic Authentication across a large organization. While more details will come in future announcements, as mentioned in April, we plan to begin disabling Basic Authentication in existing tenants with no recorded usage as early as October 2020.  We will provide notifications via Message Center posts before we disable Basic Authentication for any tenant.
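
One way to carry out the gradual approach described above, as an added example that is not the Exchange Team's own script: it checks for a default policy (the one the new UI creates, visible only through PowerShell), creates a policy that blocks Basic Authentication for POP and IMAP only, and assigns it to pilot users. The policy name, admin account and pilot mailboxes are hypothetical placeholders; the Exchange Online PowerShell V2 module is assumed to be installed.

```powershell
# Added example. Assumes the ExchangeOnlineManagement (EXO V2) module and an
# Exchange admin account. All names and addresses below are placeholders.
$PolicyName = 'Block-Basic-POP-IMAP'                 # hypothetical policy name
$PilotUsers = @('pilot1@contoso.example',            # hypothetical pilot mailboxes
                'pilot2@contoso.example')

Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

# 1. Check whether an org-wide default policy exists. An empty value means
#    none has been set yet, either by the admin center UI or by PowerShell.
$org = Get-OrganizationConfig
if ([string]::IsNullOrEmpty([string]$org.DefaultAuthenticationPolicy)) {
    Write-Output 'No default authentication policy is set.'
} else {
    Write-Output "Default authentication policy: $($org.DefaultAuthenticationPolicy)"
}

# 2. Show every policy with its per-protocol Basic Authentication switches.
Get-AuthenticationPolicy | Format-List Name, AllowBasicAuth*

# 3. Create the pilot policy if it does not exist. A new policy blocks Basic
#    Authentication for ALL protocols unless AllowBasicAuth* switches are
#    passed, so blocking only POP and IMAP means allowing the rest explicitly.
$allow = @{
    AllowBasicAuthActiveSync           = $true
    AllowBasicAuthAutodiscover         = $true
    AllowBasicAuthMapi                 = $true
    AllowBasicAuthOfflineAddressBook   = $true
    AllowBasicAuthOutlookService       = $true
    AllowBasicAuthPowershell           = $true
    AllowBasicAuthReportingWebServices = $true
    AllowBasicAuthRpc                  = $true
    AllowBasicAuthSmtp                 = $true
    AllowBasicAuthWebServices          = $true
    # AllowBasicAuthPop and AllowBasicAuthImap are omitted on purpose: blocked.
}
$existing = Get-AuthenticationPolicy | Where-Object { $_.Name -eq $PolicyName }
if (-not $existing) {
    New-AuthenticationPolicy -Name $PolicyName @allow
}

# 4. Assign the policy to the pilot users only. A per-user assignment takes
#    precedence over the organization's default policy.
foreach ($user in $PilotUsers) {
    Set-User -Identity $user -AuthenticationPolicy $PolicyName
}

# 5. Confirm the assignment.
foreach ($user in $PilotUsers) {
    Get-User -Identity $user | Format-List UserPrincipalName, AuthenticationPolicy
}

# 6. After the pilot, and after the sign-in logs show no remaining POP/IMAP
#    Basic Authentication clients, make the policy the tenant default:
# Set-OrganizationConfig -DefaultAuthenticationPolicy $PolicyName
```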

Client SMTP Submission (SMTP AUTH):  While SMTP AUTH Basic Authentication will not be deprecated, the use of Basic Authentication within SMTP AUTH is still considered insecure.  There are multiple initiatives for SMTP AUTH that are worth calling out, and administrators should have familiarity with each of these:

  • As announced in April, we have additionally disabled SMTP AUTH for all new Office 365 tenants by utilizing the SmtpClientAuthenticationDisabled parameter, and we’ll be expanding this effort over the next several months.  If your tenant doesn’t need to use SMTP AUTH at all, this parameter gives you the granularity to disable SMTP AUTH for individual users via Set-CASMailbox or for the whole tenant via Set-TransportConfig.  Read more here.
  • For customers that still require SMTP AUTH, we’ve got you covered, with new options for implementing OAuth 2.0 for client applications. After updating your SMTP AUTH clients, please make sure you block legacy authentication methods via one of the following:
      • Security Defaults (which as mentioned covers all protocols including SMTP AUTH) if enabled will block Basic Authentication access to SMTP AUTH for all end users within a tenant.  Security Defaults is being rolled out as default for all new tenants and is the recommended action if it works for your organization.
      • Authentication Policies, either via PowerShell or the new UI announced here today, can also block Basic Authentication access to SMTP AUTH for all or groups of users.
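The gradual rollout recommended under Authentication Policies, combined with the SMTP AUTH switches from the list above, could look like this in Exchange Online PowerShell. This is an added example, not the Exchange Team's own script; the policy name, admin UPN, pilot addresses and relay mailbox are assumed placeholders.

```powershell
# Added example: staged Basic Authentication shutdown in Exchange Online.
# Assumed placeholders (not from the post): policy name, admin UPN, pilot users, relay mailbox.
$PolicyName = 'Block Basic Auth'
$PilotUsers = 'alice@contoso.example', 'bob@contoso.example'
$RelayMbx   = 'scanner-relay@contoso.example'   # app that still needs SMTP AUTH (moved to OAuth 2.0)
$GoOrgWide  = $false                            # set to $true only after the pilot is clean

Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # EXO V2 module, Modern Auth

# 1. Baseline: capture current settings so the change can be reviewed and reverted.
Get-OrganizationConfig   | Format-List DefaultAuthenticationPolicy
Get-TransportConfig      | Format-List SmtpClientAuthenticationDisabled
Get-AuthenticationPolicy | Format-List Name, AllowBasicAuth*

# 2. Create the policy once. A new policy has every AllowBasicAuth* switch off,
#    so it blocks Basic Authentication for all protocols, SMTP AUTH included.
if (-not (Get-AuthenticationPolicy | Where-Object Name -eq $PolicyName)) {
    New-AuthenticationPolicy -Name $PolicyName | Out-Null
}

# 3. Pilot: assign the policy to a few users and invalidate their refresh tokens
#    so the policy takes effect sooner than the default propagation delay.
foreach ($user in $PilotUsers) {
    Set-User -Identity $user -AuthenticationPolicy $PolicyName
    Set-User -Identity $user -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)
    Get-User -Identity $user | Format-List UserPrincipalName, AuthenticationPolicy
}

# 4. Org-wide: make the policy the default and turn SMTP AUTH off for the tenant,
#    then re-enable SMTP AUTH only on the mailbox that needs it. The per-mailbox
#    value overrides the tenant setting.
if ($GoOrgWide) {
    Set-OrganizationConfig -DefaultAuthenticationPolicy $PolicyName
    Set-TransportConfig -SmtpClientAuthenticationDisabled $true
    Set-CASMailbox -Identity $RelayMbx -SmtpClientAuthenticationDisabled $false
    Get-CASMailbox -Identity $RelayMbx | Format-List SmtpClientAuthenticationDisabled
}
```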

Exchange Online PowerShell:  As we announced recently, the Exchange Online PowerShell V2 module is now fully released and this is what you should use to connect using Modern Authentication. We have also recently announced the preview program which will allow you to run PowerShell scripts with Modern Authentication (using certificates).

If you have any feedback, please let us know in the comments below.

The Exchange Team

10 Comments
Senior Member

Great summary! Are there any plans to build an SMTP client that supports Modern Auth, something like Send-MailMessage? And will IIS SMTP Service also provide support for Modern Auth at some point? We have quite a number of IIS SMTP instances around the globe using basic auth to relay mails for internal applications, printers and other devices.

Senior Member

How about creating a specific web page showing all the information/updates/guidelines about moving from basic auth to modern auth?

These topics are already discussed in this Exchange Team Blog. But I realize that they are too scattered across multiple blogs and I have to go back and forth to have an overview on this matter.

Frequent Contributor

We like to enable Modern authentication only for Teams. Do you have the option?

Frequent Contributor

@The_Exchange_Team Please let us know when it will be pushed to the tenant. Still not available in our tenant. We have started deploying Teams, and that will be a good candidate to test with if we enable modern authentication only for Teams.

Occasional Visitor

Two questions here.

1. What happens if Authentication Policies are in use, but there is no default policy set?

2. How does this tie in with using Conditional Access Policies in Azure to block Basic Authentication?

I agree with @victorguo in creating a single page with the latest information on Modern Authentication, especially around the best way to disable it. There are multiple conflicting options to choose from and it is difficult to know which is best/preferred. For example, I have one tenant that uses Conditional Access Policies (because this seemed like the best way to do it from the documentation) and another that uses Authentication Policies (because they don't have Azure AD P1/P2 licenses).

Thanks for your consideration.

Occasional Visitor

Hi,

There are issues with the OAuth V2 protocol with personal accounts (outlook.com / hotmail.com) when using the EWS API.

It seems like the access_token is not a valid JWT token as it should be, see here.

There is an active issue on GitHub since last year: https://github.com/OfficeDev/ews-managed-api/issues/229

I don't understand how this migration will work if the protocol does not yet support personal accounts.

BTW - The official Microsoft Outlook email client is still using Basic Authentication with personal accounts.

To be clear, it does work with an Office365 account but not with outlook.com/hotmail.com accounts.

I hope to get an official answer to this issue.

Thanks.

Microsoft

Hi @Tonino Bruno,

There are no plans to create a Modern Auth command line-based SMTP Client.

Regarding Windows SMTP Server on IIS, that product has been deprecated since Windows Server 2012 R2 and there has been no development on it for almost that long. It is being removed from future versions of Windows Server FYI.

Microsoft

@victorguo This is something we have discussed and are considering.  Thank you for the feedback.

@Sankarasubramanian Parameswaran This new UI should be enabled for your tenant.  Teams utilizes Modern Authentication by default, but if you have a need to disable it for just Exchange you can do that from our new UI, though we certainly wouldn't recommend it.

@mikerocode

- If your get-organizationconfig does not have a Default Authentication Policy defined, toggling and saving the options within the new UI will create a new default policy.

- When looking at Authentication Policies versus Conditional Access, you should consider these as complementary, although there is some overlap. Authentication Policies will block requests (for users we know) during the initial connection to Exchange Online, and before they reach Azure AD or your on-premises IdP. The benefit of this approach is that brute force or password spray attacks never reach the IdP.  Take a look at the diagrams and workflows here.  For customers utilizing Conditional Access, it provides exceptional control for those authentication requests that do make it beyond Exchange and into the organization.

Senior Member

Hi,

We are software developers and we are using some of the "web service (ASMX)" to work with the SharePoint service for my clients; as those components of SharePoint (e.g. WebParts, Metadata) cannot be supported by RESTful APIs, we would still be requiring an O365 user credential for integration.

We are just wondering about those O365 tenants with ZERO usage: as soon as their O365 organizations are forced to disable Basic Authentication by October 2020, would the above-mentioned "web service (ASMX) for sharepoint" be impacted?

If the above scenario will happen, can those "ZERO usage" O365 tenants / administrators re-enable the Basic Authentication in Azure AD or will there be other workaround for software developers to keep using the "web service (ASMX) for sharepoint" with O365 user credential (i.e. BASIC Authentication)?

Appreciate your feedback. Thank you.

Frequent Contributor

@The_Exchange_Team We have not switched on Modern authentication even though we have the Teams client. My question relates to the settings offered by Modern authentication, if I enable modern authentication and move with one by option and Outlook will be the last.

Start with ActiveSync, POP3, IMAP, Exchange. Please let us know whether it will work.