cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Allow access to basic authentication protocols

Tomas_S_
Occasional Contributor

‎Mar 30 2023 04:41 AM

‎Mar 30 2023 04:41 AM

Allow access to basic authentication protocols

I have disabled the basic/legacy authentication methods from M365 admin center.

If I run this command

Get-OrganizationConfig | Select-Object -ExpandProperty DefaultAuthenticationPolicy | ForEach { Get-AuthenticationPolicy $_ | Select-Object AllowBasicAuth* }

 I get the following results:
AllowBasicAuthActiveSync : False
AllowBasicAuthAutodiscover : False
AllowBasicAuthImap : False
AllowBasicAuthMapi : False
AllowBasicAuthOfflineAddressBook : False
AllowBasicAuthOutlookService : True
AllowBasicAuthPop : False
AllowBasicAuthReportingWebServices : True
AllowBasicAuthRest : False
AllowBasicAuthRpc : False
AllowBasicAuthSmtp : False
AllowBasicAuthWebServices : False
AllowBasicAuthPowershell : False

Why aren't AllowBasicAuthReportingWebService and AllowBasicAuthOutlookService blocked? Shouldn't they all be blocked? I went through our sign-in logs and noticed that hackers are trying in using AllowBasicAuthReportingWebServices.

Labels:
483 Views
0 Likes
5 Replies
Reply
5 Replies
Vasil Michev

‎Mar 30 2023 09:50 AM

‎Mar 30 2023 09:50 AM

Re: Allow access to basic authentication protocols

That's something you (your tenant) is controlling via the corresponding Auth policy. The server-side controls are another layer on top of that, and only exposed via the BasicAuthBlockedApps property.
In any case, you can try toggling those off via Set-AuthenticationPolicy.
1 Like
Reply
eliekarkafy

‎Mar 30 2023 10:15 AM

‎Mar 30 2023 10:15 AM

Re: Allow access to basic authentication protocols

did you create a conditional access policy to block any legacy authentication to your tenant ?
0 Likes
Reply
best response confirmed by Vasil Michev (MVP)
Greg Taylor - EXCHANGE

‎Mar 30 2023 10:30 AM

‎Mar 30 2023 10:30 AM

Solution

Re: Allow access to basic authentication protocols

The UI in Admin Center doesn't set the policies for those protocols. You can only set those with PowerShell, and I'd suggest you do it. Just modify the parameters in your default auth policy and block them.

When we block basic auth at the tenant level, we don't use Auth Policies, so a protocol can be blocked, even if the Auth Policy says it's enabled.

For the two you call out, RWS and OutlookService - we're going to block those too in the coming weeks and months.
2 Likes
Reply
Tomas_S_

‎Mar 30 2023 09:15 PM

‎Mar 30 2023 09:15 PM

Re: Allow access to basic authentication protocols

@eliekarkafy 

Yes, we have a conditional access policy blocking legacy auth but I'm not sure if it's blocking these.

0 Likes
Reply
Tomas_S_

‎Mar 30 2023 09:16 PM

‎Mar 30 2023 09:16 PM

Re: Allow access to basic authentication protocols

Hi,
I will block those. Thank you.
0 Likes
Reply