Block legacy auth in Exchange Online

Today Microsoft announced the release of a new feature intended to help you put an end to all those password spray attacks we've been seeing lately. Namely, the feature allows you to configure a policy specifying which exact protocols to block legacy auth for, then apply this policy to some or all of your users.

As the block happens on the Exchange backend, before even hitting Azure AD for authentication, the feature might be a bit tricky to troubleshoot if not correctly configured. Make sure to check the documentation for all the details: https://support.office.com/en-us/article/disable-basic-authentication-in-exchange-online-bba2059a-72...

Here's also the original announcement: https://blogs.technet.microsoft.com/exchange/2018/10/17/disabling-basic-authentication-in-exchange-o...
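The rollout described in the post above, sketched as an added example that is not part of the original post or of Microsoft's documentation. It assumes a connected Exchange Online PowerShell session; the policy names and the group `BasicAuthPilot` are hypothetical.

```powershell
# Added example. Assumes a connected Exchange Online PowerShell session.
# The policy names and the group "BasicAuthPilot" are hypothetical.

# A new authentication policy blocks Basic auth for every protocol by default.
New-AuthenticationPolicy -Name "Block Basic Auth"

# Separate policy for users on legacy kit: only ActiveSync keeps Basic auth.
New-AuthenticationPolicy -Name "Legacy ActiveSync Only" -AllowBasicAuthActiveSync

# Review which protocols each policy still allows.
Get-AuthenticationPolicy | Format-List Name, AllowBasicAuth*

# Pilot: apply the strict policy to the mailbox users in one group.
$pilot = Get-DistributionGroupMember -Identity "BasicAuthPilot" -ResultSize Unlimited |
    Where-Object { $_.RecipientType -eq 'UserMailbox' }

foreach ($member in $pilot) {
    Set-User -Identity $member.Identity -AuthenticationPolicy "Block Basic Auth"
    # Invalidate cached tokens so the policy is picked up without waiting
    # for the normal refresh interval.
    Set-User -Identity $member.Identity -STSRefreshTokensValidFrom ([DateTime]::UtcNow)
}

# Confirm the assignment; an empty AuthenticationPolicy means the user falls
# back to the organization default.
Get-User -ResultSize Unlimited |
    Sort-Object AuthenticationPolicy |
    Format-Table -AutoSize UserPrincipalName, AuthenticationPolicy

# Once the pilot is clean, make the strict policy the default for everyone
# who has no explicit assignment.
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"
```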

5 Replies

I'd love to disable basic auth in my org as we've had instances where a mailbox has become compromised using a basic auth attack, but as a 60k user base, we have a lot of legacy kit out there which just doesn't support modern auth.

Most users use Android too - and while we've explained they have the Outlook for Android app available, some do prefer to use the native Android client.

One thing I was curious on though, using the article referenced in the announcement today, is that any different to disabling basic auth apps via a conditional access policy? As that would allow us to give the helpdesk staff targeted groups of users who we can disable for basic auth.

It is different from CA, the feature works by blocking the request at the Exchange server layer, even before redirecting to the auth provider.

Thanks for confirming

Am I right in thinking the end result would be the same though? Basic auth blocked using CA would be the same as blocking it on EXO?

Yup, but one of the benefits you get from this method, apart from the greater granularity, is that blocked/failed (or god forbid successful) logins will not trigger the lockout windows, as the request never reaches Azure AD. With CA policies, the block happens after authentication, at that point the account is compromised.

I did this for our Exchange Online a week ago but have seen no reduction in these login attempts (see below), which continue to pour in from places like China, as reported by the AAD portal.

Why? Basic auth is disabled for all accounts, and it's definitely long since kicked in, since we've had several Apple users who've had to update their clients to log in.

Does this suggest that hackers can be just as aggressive with modern auth? Or that there's some piece of basic auth still around (aside from "AllowBasicAuthLogExport")? This feature is in Preview, after all.
 
Status: Failure
Sign-in error code: 50053
Failure reason: Account is locked because user tried to sign in too many times with an incorrect user ID or password.
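One way to tell the two possibilities raised in the post above apart is to break the failed sign-ins down by the client app Azure AD recorded for them. This is an added example, not part of the thread: the records are constructed, the column names `User`, `ClientApp`, `ErrorCode` and `Country` are assumed names for an export of the sign-in log, and any client app other than the two modern-auth values listed is treated as legacy.

```powershell
# Added example with constructed sample records (not real sign-in data).
# Column names are assumptions about how the sign-in log was exported.
$signIns = @(
    [pscustomobject]@{ User = 'amy@contoso.example'; ClientApp = 'IMAP4';                           ErrorCode = 50053; Country = 'CN' }
    [pscustomobject]@{ User = 'amy@contoso.example'; ClientApp = 'IMAP4';                           ErrorCode = 50053; Country = 'CN' }
    [pscustomobject]@{ User = 'bob@contoso.example'; ClientApp = 'Authenticated SMTP';              ErrorCode = 50126; Country = 'CN' }
    [pscustomobject]@{ User = 'bob@contoso.example'; ClientApp = 'Browser';                         ErrorCode = 50053; Country = 'CN' }
    [pscustomobject]@{ User = 'cat@contoso.example'; ClientApp = 'Mobile Apps and Desktop clients'; ErrorCode = 0;     Country = 'US' }
)

# Client apps that use modern authentication; everything else is counted as legacy.
$ModernClientApps = 'Browser', 'Mobile Apps and Desktop clients'

function Get-FailedSignInBreakdown {
    param([Parameter(Mandatory)][object[]]$Records)

    $Records |
        Where-Object { $_.ErrorCode -ne 0 } |          # 0 = successful sign-in
        Select-Object *, @{ Name = 'AuthType'; Expression = {
            if ($ModernClientApps -contains $_.ClientApp) { 'Modern' } else { 'Legacy' }
        } } |
        Group-Object AuthType, ClientApp, ErrorCode |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Rows that start with "Legacy" mean a Basic auth path is still reaching Azure AD;
# rows that start with "Modern" mean the attempts use modern auth endpoints,
# which an Exchange Online authentication policy does not cover.
Get-FailedSignInBreakdown -Records $signIns | Format-Table -AutoSize
```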