SOLVED

Allow access to basic authentication protocols

I have disabled the basic/legacy authentication methods from M365 admin center.

If I run this command

Get-OrganizationConfig | Select-Object -ExpandProperty DefaultAuthenticationPolicy | ForEach { Get-AuthenticationPolicy $_ | Select-Object AllowBasicAuth* }

I get the following results:
AllowBasicAuthActiveSync : False
AllowBasicAuthAutodiscover : False
AllowBasicAuthImap : False
AllowBasicAuthMapi : False
AllowBasicAuthOfflineAddressBook : False
AllowBasicAuthOutlookService : True
AllowBasicAuthPop : False
AllowBasicAuthReportingWebServices : True
AllowBasicAuthRest : False
AllowBasicAuthRpc : False
AllowBasicAuthSmtp : False
AllowBasicAuthWebServices : False
AllowBasicAuthPowershell : False

Why aren't AllowBasicAuthReportingWebServices and AllowBasicAuthOutlookService blocked? Shouldn't they all be blocked? I went through our sign-in logs and noticed that hackers are trying to get in using AllowBasicAuthReportingWebServices.

5 Replies
That's something you (your tenant) are controlling via the corresponding Auth policy. The server-side controls are another layer on top of that, and only exposed via the BasicAuthBlockedApps property.
In any case, you can try toggling those off via Set-AuthenticationPolicy.
Did you create a conditional access policy to block any legacy authentication to your tenant?
best response confirmed by VI_Migration (Silver Contributor)
Solution
The UI in Admin Center doesn't set the policies for those protocols. You can only set those with PowerShell, and I'd suggest you do it. Just modify the parameters in your default auth policy and block them.

When we block basic auth at the tenant level, we don't use Auth Policies, so a protocol can be blocked, even if the Auth Policy says it's enabled.

For the two you call out, RWS and OutlookService - we're going to block those too in the coming weeks and months.
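
One way to apply the change the accepted answer describes, as an added example that is not part of the original thread. It assumes an Exchange Online PowerShell session is already connected and that the account may run Set-AuthenticationPolicy; the variable names are illustrative.

```powershell
# Added example: turn off every AllowBasicAuth* setting that is still True
# in the organization's default authentication policy, then verify.

$policyName = (Get-OrganizationConfig).DefaultAuthenticationPolicy
if (-not $policyName) {
    # Edge case: no default policy assigned, so there is nothing to modify here.
    throw 'No default authentication policy is set for this organization.'
}

$policy = Get-AuthenticationPolicy -Identity $policyName

# Every AllowBasicAuth* property that is still enabled
# (in the thread: OutlookService and ReportingWebServices).
$stillAllowed = @(
    $policy.PSObject.Properties |
        Where-Object { $_.Name -like 'AllowBasicAuth*' -and $_.Value -eq $true }
)

if ($stillAllowed.Count -eq 0) {
    Write-Output "All AllowBasicAuth* settings are already False in '$policyName'."
}
else {
    Write-Output "Still allowed in '$policyName':"
    $stillAllowed | ForEach-Object { Write-Output "  $($_.Name)" }

    # The property names match the Set-AuthenticationPolicy switch names,
    # so build the parameter set dynamically and splat it.
    $params = @{ Identity = $policyName }
    foreach ($p in $stillAllowed) {
        $params[$p.Name] = $false
    }

    # Add -WhatIf to preview the change without applying it.
    Set-AuthenticationPolicy @params

    # Re-read the policy and list anything that is still True.
    $remaining = @(
        (Get-AuthenticationPolicy -Identity $policyName).PSObject.Properties |
            Where-Object { $_.Name -like 'AllowBasicAuth*' -and $_.Value -eq $true }
    )
    if ($remaining.Count -gt 0) {
        Write-Warning "Still True after update: $($remaining.Name -join ', ')"
    }
    else {
        Write-Output "All AllowBasicAuth* settings are now False in '$policyName'."
    }
}
```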

@eliekarkafy 

Yes, we have a conditional access policy blocking legacy auth but I'm not sure if it's blocking these.

Hi,
I will block those. Thank you.