Basic Authentication and Exchange Online – July Update
Published Jul 28 2020 03:16 PM

Update: The full timeline for retirement of Basic Authentication in Exchange Online is now published in Basic Authentication Deprecation in Exchange Online – September 2022 Update.

Today we are pleased to announce some new changes to Modern Authentication controls in the Microsoft 365 Admin Center, exposing simpler options for customers to manage both Modern and Basic Authentication requirements within their organizations.  Available from within the Admin Center under Settings > Org Settings > Modern Authentication (alternatively, search for “Modern Authentication” in portal Home page Search field), customers may now quickly designate the protocols in their tenant that no longer require Basic Authentication to be enabled.

While additional granularity is available through PowerShell, once Modern Authentication is enabled these new UI options will provide Administrators simpler controls to manage Basic Authentication access to common protocol combinations.  These new changes, rolling out to all tenants, align with our entry from the M365 Roadmap.

[Screenshot: Modern Authentication settings in the Microsoft 365 Admin Center]

Behind the scenes, these new Modern Auth UI options utilize Authentication Policies.  For customers that have not created their own Authentication Policies in the past, modifying any of these selections in the new UI (POP3 in the example below) will automatically create the first new Authentication Policy. This policy is visible only through PowerShell.  For advanced customers that may already be utilizing Authentication Policies, changes within the UI will modify their existing default policy.  You’ll want to look through your Azure AD Sign-in logs to get a good idea of which protocols clients are using before making any changes.

[Screenshot: changing the POP3 setting in the new Modern Authentication UI]
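Because the policy the UI creates is visible only through PowerShell, it helps to inventory what exists before and after toggling anything. The following Exchange Online PowerShell is an added example, not code from the original post; it assumes the Exchange Online PowerShell V2 module (Connect-ExchangeOnline) and an Exchange admin role, and it reads whatever policy names your tenant already has.

```powershell
# Added example, not code from the original post. Assumes the Exchange Online
# PowerShell V2 module is installed and the caller holds an Exchange admin role.
Connect-ExchangeOnline

# The tenant-wide default policy. It is empty until the Modern Auth UI (or an
# admin) sets one; the UI's first change creates a policy and makes it default.
$orgConfig   = Get-OrganizationConfig
$defaultName = "$($orgConfig.DefaultAuthenticationPolicy)"
if ($defaultName) {
    Write-Output "Default authentication policy: $defaultName"
} else {
    Write-Output "No default authentication policy set; the first UI change will create one."
}

# Every policy carries one AllowBasicAuth* switch per protocol. Report only the
# protocols on which that policy still permits Basic Authentication.
$report = foreach ($policy in Get-AuthenticationPolicy) {
    $stillAllowed = $policy.PSObject.Properties |
        Where-Object { $_.Name -like 'AllowBasicAuth*' -and $_.Value -eq $true } |
        ForEach-Object { $_.Name -replace '^AllowBasicAuth', '' }
    $allowedText = if ($stillAllowed) { $stillAllowed -join ', ' } else { '(none)' }
    [pscustomobject]@{
        Policy             = $policy.Name
        IsDefault          = ("$($policy.Identity)" -eq $defaultName)
        BasicAuthAllowedOn = $allowedText
    }
}
$report | Format-Table -AutoSize

# Users with an explicit policy assignment; everyone else inherits the default.
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy } |
    Select-Object UserPrincipalName, AuthenticationPolicy |
    Format-Table -AutoSize
```

Run it once before touching the UI to capture the baseline, and again afterwards: the new default policy should appear with IsDefault set to True and only the protocols you left enabled listed under BasicAuthAllowedOn.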

Additional Information
We realize there may be some confusion around different efforts Microsoft is making to provide more secure environments for our customers.  The easiest answer for customers who aren’t using Basic Authentication, and don’t have a complicated auth story, is to enable Security Defaults.  Otherwise, while the below isn’t an exhaustive list, we thought it would be a good idea to try to cover a few additional details here. 

Modern vs. Basic Authentication:  Hopefully by now we don’t need to expand upon the virtues of Modern Authentication.  Enabled by default for all new tenants since August 1, 2017, Modern Auth is the superior alternative for all users and applications connecting to Office 365.  If you haven’t turned Modern Authentication on yet we certainly recommend it.  Just be aware this switch affects all the Outlook for Windows clients in your entire tenant, so make sure you are clear on how it may affect your users.

Security Defaults (for organizations without Azure AD Premium licenses):  If your tenant was created on or after October 22, 2019, it is possible that Security Defaults are already enabled in your tenant. In an effort to provide a basic level of security, Security Defaults are being rolled out to all newly created tenants.  Security Defaults block all Legacy/Basic Authentication and enable Modern/Multi-Factor Authentication for all users.  We should clarify that Security Defaults are typically tailored for new customers or those who are new to managing their own security story.  While the end results are similar, Security Defaults do not utilize Exchange Authentication Policies under the hood.  Thus, to prevent overlap and confusion, we restrict the combination of these controls in the new Modern Auth UI.  If Security Defaults are enabled in the organization, administrators attempting to use the new Modern Auth UI will be presented with the following text.  (You should disable Security Defaults only if you understand the risks of using Basic Authentication.)

[Screenshot: message shown in the Modern Authentication UI when Security Defaults are enabled]

Conditional Access (for organizations with Azure AD Premium licenses): If your tenant is licensed with Azure AD Premium or EMS licenses then you will be able to block legacy/basic authentication using Conditional Access for a set or all users in your organization. For more information see: How to: Block legacy authentication to Azure AD with Conditional Access.

Authentication Policies:  As announced last year, the Exchange Team is planning to disable Basic Authentication for the EAS, EWS, POP, IMAP, and RPS protocols in the second half of 2021. As a point of clarity, Security Defaults and Authentication Policies are separate, but provide complementary features. We recommend that customers use Authentication Policies to turn off Basic Authentication for a subset of Exchange Online protocols or to gradually turn off Basic Authentication across a large organization. While more details will come in future announcements, as mentioned in April, we plan to begin disabling Basic Authentication in existing tenants with no recorded usage as early as October 2020.  We will provide notifications via Message Center posts before we disable Basic Authentication for any tenant.

Client SMTP Submission (SMTP AUTH):  While SMTP AUTH Basic Authentication will not be deprecated, the use of Basic Authentication within SMTP AUTH is still considered insecure.  There are multiple initiatives for SMTP AUTH that are worth calling out, and administrators should have familiarity with each of these:

  • As announced in April, we have additionally disabled SMTP AUTH for all new Office 365 tenants by utilizing the SmtpClientAuthenticationDisabled parameter, and we’ll be expanding this effort over the next several months.  If your tenant doesn’t need to use SMTP AUTH at all, this option allows the granularity to disable SMTP AUTH for individual users via Set-CASMailbox or for the whole tenant via Set-TransportConfig.  Read more here.
  • For customers that still require SMTP AUTH, we’ve got you covered, with new options for implementing OAuth 2.0 for client applications. After updating your SMTP AUTH clients, please make sure you block legacy authentication methods via one of the following:
      • Security Defaults (which, as mentioned, cover all protocols including SMTP AUTH) if enabled will block Basic Authentication access to SMTP AUTH for all end users within a tenant.  Security Defaults are being rolled out as the default for all new tenants and are the recommended action if they work for your organization.
      • Authentication Policies, either via PowerShell or the new UI announced here today, can also block Basic Authentication access to SMTP AUTH for all or groups of users.

Exchange Online PowerShell:  As we announced recently, Exchange Online PowerShell V2 module is now fully released and this is what you should use to connect using Modern Authentication. We have also recently announced the preview program which will allow you to run PowerShell scripts with Modern Authentication (using certificates).

If you have any feedback, please let us know in the comments below.

The Exchange Team

25 Comments
Copper Contributor

Great summary! Are there any plans to build an SMTP client that supports Modern Auth, something like Send-MailMessage? And will IIS SMTP Service also provide support for Modern Auth at some point? We have quite a number of IIS SMTP Instances around the globe using basic auth to relay mails for internal applications, printers and other devices.

Brass Contributor

How about creating a specific web page showing all the information/updates/guidelines about moving from basic auth to modern auth?

These topics are already discussed in this Exchange Team Blog. But I realize that they are too scattered across multiple blogs and I have to go back and forth to have an overview on this matter.

We would like to enable Modern Authentication only for Teams. Do you have the option?

@The_Exchange_Team Please let us know when it will be pushed to the tenant. It is still not available in our tenant. We have started deploying Teams, and that will be a good candidate to test with if we enable modern authentication only for Teams.

Copper Contributor

Two questions here.

 

1. What happens if Authentication Policies are in use, but there is no default policy set?

2. How does this tie in with using Conditional Access Policies in Azure to block Basic Authentication?

 

I agree with @victorguo in creating a single page with the latest information on Modern Authentication, especially around the best way to disable it. There are multiple conflicting options to choose from and it is difficult to know which is best/preferred. For example, I have one tenant that uses Conditional Access Policies (because this seemed like the best way to do it from the documentation) and another that uses Authentication Policies (because they don't have Azure AD P1/P2 licenses).

 

Thanks for your consideration.

Copper Contributor

Hi,

 

There are issues with the OAuth V2 protocol with personal accounts (outlook.com / hotmail.com) when using the EWS API.

It seems like the access_token is not a valid JWT token as it should be, see here.

 

There is an active issue on GitHub since last year: https://github.com/OfficeDev/ews-managed-api/issues/229

 

I don't understand how this migration will work if the protocol does not yet have support for personal accounts.

BTW - The official Microsoft Outlook email client is still using Basic Authentication with personal accounts.

 

To be clear, it does work with an Office365 account but not with outlook.com/hotmail.com accounts.

 

I hope to get an official answer to this issue.

 

Thanks.

Microsoft

Hi @Tonino Bruno,

 

There are no plans to create a Modern Auth command line-based SMTP Client.

Regarding Windows SMTP Server on IIS, that product has been deprecated since Windows Server 2012 R2 and there has been no development on it for almost that long. It is being removed from future versions of Windows Server, FYI.

 

Microsoft

@victorguo This is something we have discussed and are considering.  Thank you for the feedback.

 

@Sankarasubramanian Parameswaran This new UI should be enabled for your tenant.  Teams utilizes Modern Authentication by default, but if you have a need to disable it for just Exchange you can do that from our new UI, though we certainly wouldn't recommend it.

 

@mikerocode 

- If your get-organizationconfig does not have a Default Authentication Policy defined, toggling and saving the options within the new UI will create a new default policy.

- When looking at Authentication Policies versus Conditional Access, you should consider these as complementary, although there is some overlap. Authentication Policies will block requests (for users we know) during the initial connection to Exchange Online, and before they reach Azure AD or your on-premises IdP. The benefit of this approach is that brute force or password spray attacks never reach the IdP.  Take a look at the diagrams and workflows here.  For customers utilizing Conditional Access, it provides exceptional control for those authentication requests that do make it beyond Exchange and into the organization.

Copper Contributor

Hi, @Sean_Stevenson 

 

We are software developers and we are using some of the "web service (ASMX)" to work with the SharePoint service for my clients; as those components of SharePoint (e.g. WebParts, Metadata) cannot be supported by RESTful APIs, we would still require an O365 user credential for integration.

 

We are just wondering, for those O365 tenants with ZERO usage, as soon as their O365 organizations are forced to disable Basic Authentication by October 2020, would the above-mentioned "web service (ASMX) for SharePoint" be impacted?

 

If the above scenario happens, can those "ZERO usage" O365 tenants / administrators re-enable Basic Authentication in Azure AD, or will there be another workaround for software developers to keep using the "web service (ASMX) for SharePoint" with an O365 user credential (i.e. BASIC Authentication)?

 

Appreciate your feedback. Thank you. 

@The_Exchange_Team  We have not switched on Modern authentication even though we have the Teams client. My question relates to the settings offered by Modern authentication: if I enable modern authentication and move one option at a time, with Outlook being the last.

 

Start with ActiveSync, POP3, IMAP, Exchange. Please let us know whether it will work.

Iron Contributor

Hello,

@Sean_Stevenson any MS recommendations to replace IIS SMTP to connect on prem applications, printers, ... to O365?

Thanks for feedback

Microsoft

@ericng99 Sorry, I have no knowledge of Sharepoint endpoints. 

 

@Vincent VALENTIN We officially recommend having an Exchange Server on-premises to handle those applications or devices if they cannot submit emails directly to Exchange Online. Read more about it here: https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-dev... 

Copper Contributor

If I modify the default authentication policy and disable all the basic authentication protocols using the "new available" GUI settings, I notice that AllowBasicAuthOutlookService and AllowBasicAuthReportingWebServices are still enabled in the created policy.

 

Is there any specific reason for not including these settings in the GUI at this time? And if I block legacy authentication using a Conditional Access policy, I assume that the two mentioned settings will be blocked? Is the effect of the CA policy the same as having an authentication policy where all AllowBasicAuth* settings are set to False/Disabled?

 

I've written down my experiences with phasing out Legacy authentication so far at my blog here, hoping to provide a central location for information related to this upcoming change. I'll try to keep it up to date as much as possible with my learnings over time. 

Copper Contributor

I'm trying to figure out how to use modern auth and disable basic auth for all mailboxes but a few which still need to use SMTP with Basic Auth. The documentation is not clear about how to do that. It looks like I need to

 

  1. Disable Security Defaults in Azure AD if they are enabled.
  2. Set-TransportConfig -SmtpClientAuthenticationDisabled $false
  3. Use the new UI described here (or New-/Set-AuthenticationPolicy) to enable modern auth and disable basic auth for everything, which will create/change the default authentication policy.
  4. Create a second authentication policy via New-AuthenticationPolicy which enables SMTP Basic Auth.
  5. Assign the second policy to the few mailboxes which still need SMTP basic auth via the Set-User cmdlet and wait 24h until the settings are effective, or use Set-User -StsRefreshTokensValidFrom $([System.DateTime]::UtcNow) to shorten that to 30 minutes.

Is there an easier way to achieve that?

Iron Contributor

Great write up only have one piece of feedback to share. I feel this change should have been better communicated in relation to what all will be affected when admin decides to make changes using the new Modern Auth policy UI.

 

I wasn't aware of any mention of the MS Cloud team setting up an Org-wide Default Authentication policy in our tenant. I would rather have created my own Default Org policy prior to making changes via this new UI in the Modern Authentication section of Azure Portal.  I would send additional communication to bring more attention to the fact that if you don't currently have a Default Org policy, making any changes to the protocols will create a new Default Org Policy and set it as default, when prior to that change there was no policy set.

 

I think it's great to see Microsoft Security team continuing to advance security in the environment as often as possible. I think it would be beneficial to include multiple notices in the O365 & Azure changes emails and include updates in the O365 message center to reduce the chance of admins not knowing a change has occurred because no notice was given when said changes were made via the modern authentication UI. 

 

Iron Contributor

We continue to see basic auth requirements for autodiscover for some hybrid migrations.
https://docs.microsoft.com/en-us/outlook/troubleshoot/authentication/outlook-prompt-password-modern-...

 

One issue we have had in the past is outlook clients on unmanaged devices where the reg key cannot be pushed automatically. Often users (if allowed... another topic completely!) install office and setup outlook on local unmanaged devices. Particularly during COVID!

 

As RPC is still supported on prem, if basic auth for autodiscover in EXO is disabled how will we be able to address these unmanaged devices other than letting them log a support ticket or trying to track these users. I have a headache already just thinking about it!

 

Any thoughts or workarounds would be much appreciated!

 

https://docs.microsoft.com/en-us/exchange/troubleshoot/accessing-email-data/rpc-over-http-end-of-sup...

 

 

Copper Contributor

The v2 module only contains 9 cmdlets if basic auth is turned off on the client machines.

 

I’ve experienced issues even using those 9 when basic auth is disabled locally. The cmdlets just hang there and never throw an error.

 

Do we have a timeline as to when the other 700 cmdlets will be available?

 

Iron Contributor

When EAS is disabled using the portal (as shown), it seems to shut down EAS entirely (including those using iPhones and modern authentication). What am I missing?

Copper Contributor

Hello!  And Happy New Year!

Is there any refinement of the date in the "disable Basic Authentication for the EAS, EWS, POP, IMAP, and RPS protocols in the second half of 2021" statement?

 

Thanks! 

@The_Exchange_Team we are planning to enable modern authentication and also enable Basic authentication; let us know if there will be any impact from this change. I believe until we enable conditional access enforcement there is no impact to the users. Please clarify.

 

Please let us know the new date for Basic authentication deprecation.

Brass Contributor

@The_Exchange_Team 
As already announced, Microsoft is planning to disable BASIC Auth for EWS, IMAP, POP3, EAS, PowerShell in H2 2021.

 

Our Tenants have been created in mid-2017.

Therefore BASIC Auth has not been disabled for any protocol yet.

 

When the disabling starts in H2 2021, will it utilize the "Security Defaults" switch or the "Authentication Policies"?

 

Or is it another, general setting which can no longer be manipulated by the Tenant Admin?

 

I'm asking because I want to know if it's possible to use "Authentication Policies" to re-enable Basic Auth (for example for the IMAP protocol) in one Tenant, even after its official disablement.

Copper Contributor

Hello @The_Exchange_Team,

 

I'm also very interested in a more precise date range, please.

 


Is there any refinement of the date in the "disable Basic Authentication for the EAS, EWS, POP, IMAP, and RPS protocols in the second half of 2021" statement?

Thanks in advance.

 

@The_Exchange_Team  What will be the impact to the user if we enable both Modern and Basic? Will users notice any changes if they are using a modern client?

 

We want to understand the user behavior. Based on the earlier call with your team, they mentioned that even if you enable modern authentication there will be no impact until you enable a conditional access policy to enforce the change. Please correct us if we are wrong.

 

 

Copper Contributor
@Sean_Stevenson
"We officially recommend having an Exchange Server on-premises to handle those applications or devices if they cannot submit emails directly to Exchange Online. Read more about it here: https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-dev..."

How should this be performed? On the local server a receive connector is required that accepts the connection from printers and scanners, then a send connector with TLS towards O365 that transfers them towards O365, like it's written in this article?
https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-...
Iron Contributor

awesome information 

Last update: Sep 01 2022 08:12 AM