4.9 Ensure basic authentication for Exchange Online is disabled

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

Basic authentication may allow users to access Exchange Online using legacy or unapproved email clients that do not support modern authentication mechanisms, such as multifactor authentication.

Rationale:

Disabling basic authentication prevents use of legacy and unapproved email clients with weaker authentication mechanisms that would increase the risk of email account credential compromise.

Impact:

Blocking basic authentication will block the following legacy Exchange Online features:

App passwords: An app password is a code that gives an app or device permission to access your Microsoft 365 account. If multi-factor authentication is enabled for your organization and you're using apps that connect to your Microsoft 365 account, you'll need to generate an app password so the app can connect to Microsoft 365. For example, if you're using Outlook 2016 or earlier with Microsoft 365, an app password is required.

Availability address spaces: These contain a service account that's used to share calendar free/busy information in hybrid and federated deployments. The service account authenticates with a username and password, so blocking Basic authentication blocks the authentication flow.

Blocking basic authentication may also be accomplished via other methods such as conditional access.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To disable basic authentication, use the Exchange Online PowerShell Module:

Run the Microsoft Exchange Online PowerShell Module.

Connect using Connect-ExchangeOnline.

Run the following PowerShell command:

Note: If a policy exists and a command fails you may run Remove-AuthenticationPolicy first to ensure policy creation/application occurs as expected.

# Read the organization's current default authentication policy (empty if none is set).
$PolicyName = (Get-OrganizationConfig).DefaultAuthenticationPolicy

If (-not $PolicyName) {
    # No default policy yet: create one and make it the organization default.
    $AuthenticationPolicy = New-AuthenticationPolicy 'Block Basic Auth'
    Set-OrganizationConfig -DefaultAuthenticationPolicy $AuthenticationPolicy.Identity
} Else {
    # A default policy already exists: reuse it instead of creating a duplicate.
    $AuthenticationPolicy = Get-AuthenticationPolicy -Identity $PolicyName
}

# Block basic authentication for every protocol on the policy.
Set-AuthenticationPolicy -Identity $AuthenticationPolicy.Identity -AllowBasicAuthActiveSync:$false -AllowBasicAuthAutodiscover:$false -AllowBasicAuthImap:$false -AllowBasicAuthMapi:$false -AllowBasicAuthOfflineAddressBook:$false -AllowBasicAuthOutlookService:$false -AllowBasicAuthPop:$false -AllowBasicAuthPowershell:$false -AllowBasicAuthReportingWebServices:$false -AllowBasicAuthRpc:$false -AllowBasicAuthSmtp:$false -AllowBasicAuthWebServices:$false

# Assign the policy to every user and invalidate existing refresh tokens so the change takes effect immediately.
Get-User -ResultSize Unlimited | ForEach-Object { Set-User -Identity $_.Identity -AuthenticationPolicy $AuthenticationPolicy.Identity -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow) }
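Because Nessus does not perform this check, the following added verification script (not part of the CIS benchmark or this Tenable audit) shows how to confirm the result from an existing Connect-ExchangeOnline session: it reports whether the organization's default authentication policy blocks basic authentication for every protocol, and lists users whose explicit policy assignment differs from the default and therefore bypasses it. The PASS/FAIL wording is an assumption of this example, not output from any Microsoft cmdlet.

```powershell
# Added verification script; assumes Connect-ExchangeOnline has already been run.
# Property names below are the AllowBasicAuth* switches of an authentication policy.
$basicAuthSettings = @(
    'AllowBasicAuthActiveSync', 'AllowBasicAuthAutodiscover', 'AllowBasicAuthImap',
    'AllowBasicAuthMapi', 'AllowBasicAuthOfflineAddressBook', 'AllowBasicAuthOutlookService',
    'AllowBasicAuthPop', 'AllowBasicAuthPowershell', 'AllowBasicAuthReportingWebServices',
    'AllowBasicAuthRpc', 'AllowBasicAuthSmtp', 'AllowBasicAuthWebServices'
)

# 1. Is a default policy set at all? Without one, basic auth is not blocked org-wide.
$defaultPolicyName = (Get-OrganizationConfig).DefaultAuthenticationPolicy
if (-not $defaultPolicyName) {
    Write-Output 'FAIL: no default authentication policy is set for the organization.'
    return
}

# 2. Does the default policy block every basic-auth protocol?
$policy = Get-AuthenticationPolicy -Identity $defaultPolicyName
$stillAllowed = $basicAuthSettings | Where-Object { $policy.$_ -eq $true }
if ($stillAllowed) {
    Write-Output "FAIL: default policy '$defaultPolicyName' still allows basic auth for: $($stillAllowed -join ', ')"
} else {
    Write-Output "PASS: default policy '$defaultPolicyName' blocks basic auth for all protocols."
}

# 3. Users with a different explicit policy are exempt from the default; list them for review.
$exceptions = Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy -and ("$($_.AuthenticationPolicy)" -ne "$defaultPolicyName") } |
    Select-Object Identity, AuthenticationPolicy

if ($exceptions) {
    Write-Output 'REVIEW: users assigned a policy other than the default:'
    $exceptions | Format-Table -AutoSize
} else {
    Write-Output 'PASS: no user is assigned a policy other than the default.'
}
```

Step 3 matters because a per-user authentication policy takes precedence over the organization default, so a tenant can show a compliant default policy while individual accounts still permit basic authentication.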

Default Value:

false

See Also

https://workbench.cisecurity.org/files/3433