Information
Use Conditional Access to block legacy authentication protocols in Office 365.
Rationale:
Legacy authentication protocols do not support multi-factor authentication. These protocols are often used by attackers because of this deficiency. Blocking legacy authentication makes it harder for attackers to gain access.
Impact:
Enabling this setting will prevent users from connecting with older versions of Office, ActiveSync, or protocols like IMAP, POP or SMTP. It may require upgrades to older versions of Office and the use of mobile mail clients that support modern authentication.
Solution
To set up a Conditional Access policy to block legacy authentication, use the following steps:
Log in to https://admin.microsoft.com as a Global Administrator.
Go to Admin centers and click on Azure Active Directory.
Select Azure Active Directory then Security.
Select Conditional Access.
Create a new policy by selecting New policy.
Set the following conditions within the policy.
Select Conditions then Client apps, and enable the settings for Exchange ActiveSync clients and other clients.
Under Access controls set the Grant section to Block access.
Under Assignments enable All users.
Under Assignments and Users and groups set the Exclude to be at least one low risk account or directory role. This is required as a best practice.
Default Value:
Legacy authentication is enabled by default.
Additional Information:
NOTE: For more granularity the following Audit/Remediation procedure could be utilized.
AUDIT
To verify basic authentication is disabled, use the Exchange Online PowerShell Module:
Run the Microsoft Exchange Online PowerShell Module.
Connect using Connect-ExchangeOnline.
Run the following PowerShell command:
Get-OrganizationConfig | Select-Object -ExpandProperty DefaultAuthenticationPolicy | ForEach { Get-AuthenticationPolicy $_ | Select-Object AllowBasicAuth* }
Verify each of the basic authentication types is set to false. If no results are shown or an error is displayed, then no default authentication policy has been defined for your organization.
Verify Exchange Online users are configured to use the appropriate authentication policy (in this case Block Basic Auth) by running the following PowerShell command:
Get-User -ResultSize Unlimited | Select-Object UserPrincipalName, AuthenticationPolicy
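The two audit checks above can be combined into one pass that reports, per user, whether the policy that actually applies still allows any basic authentication type. This is an added example, not part of the benchmark text; the function name Test-BasicAuthBlocked and the sample objects are hypothetical. It assumes the AuthenticationPolicy value returned by Get-User matches the policy's Name, and that a user without an assigned policy falls back to the organization default.

```powershell
function Test-BasicAuthBlocked {
    param(
        [string]$DefaultPolicyName,   # (Get-OrganizationConfig).DefaultAuthenticationPolicy
        [object[]]$Policies,          # output of Get-AuthenticationPolicy
        [object[]]$Users              # output of Get-User -ResultSize Unlimited
    )
    # Map each policy name to the AllowBasicAuth* settings that are still $true.
    $open = @{}
    foreach ($p in $Policies) {
        $open[$p.Name] = @($p.PSObject.Properties |
            Where-Object { $_.Name -like 'AllowBasicAuth*' -and $_.Value -eq $true } |
            ForEach-Object { $_.Name })
    }
    foreach ($u in $Users) {
        # Assumption: an empty per-user policy means the organization default applies.
        $effective = if ($u.AuthenticationPolicy) { "$($u.AuthenticationPolicy)" } else { $DefaultPolicyName }
        $finding = if (-not $effective) {
            'No authentication policy applies'
        } elseif (-not $open.ContainsKey($effective)) {
            "Assigned policy '$effective' was not found"
        } elseif ($open[$effective].Count -gt 0) {
            'Still allowed: ' + ($open[$effective] -join ', ')
        }
        # Emit a row only for users who are not fully covered.
        if ($finding) {
            [pscustomobject]@{
                UserPrincipalName = $u.UserPrincipalName
                EffectivePolicy   = $effective
                Finding           = $finding
            }
        }
    }
}

# Constructed sample data (not from a real tenant). Against a live tenant, pass the
# output of the cmdlets named in the param() comments instead.
$policies = @(
    [pscustomobject]@{ Name = 'Block Basic Auth'; AllowBasicAuthImap = $false; AllowBasicAuthPop = $false; AllowBasicAuthSmtp = $false }
    [pscustomobject]@{ Name = 'Legacy Scanner';   AllowBasicAuthImap = $false; AllowBasicAuthPop = $false; AllowBasicAuthSmtp = $true }
)
$users = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example';   AuthenticationPolicy = $null }
    [pscustomobject]@{ UserPrincipalName = 'scanner@contoso.example'; AuthenticationPolicy = 'Legacy Scanner' }
)
Test-BasicAuthBlocked -DefaultPolicyName 'Block Basic Auth' -Policies $policies -Users $users
```

An empty result means every user is covered by a policy with all basic authentication types set to false.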
REMEDIATION
To disable basic authentication, use the Exchange Online PowerShell Module:
Run the Microsoft Exchange Online PowerShell Module.
Connect using Connect-ExchangeOnline.
Run the following PowerShell command:
*Note: If a policy exists and a command fails, you may run Remove-AuthenticationPolicy first to ensure policy creation/application occurs as expected.
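# Read the name of the organization's default authentication policy (empty if none is set).
$DefaultPolicy = Get-OrganizationConfig | Select-Object -ExpandProperty DefaultAuthenticationPolicy
If ($DefaultPolicy) {
    $AuthenticationPolicy = Get-AuthenticationPolicy -Identity $DefaultPolicy
} Else {
    # No default policy yet: create one and make it the organization default.
    $AuthenticationPolicy = New-AuthenticationPolicy 'Block Basic Auth'
    Set-OrganizationConfig -DefaultAuthenticationPolicy $AuthenticationPolicy.Identity
}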
Set-AuthenticationPolicy -Identity $AuthenticationPolicy.Identity -AllowBasicAuthActiveSync:$false -AllowBasicAuthAutodiscover:$false -AllowBasicAuthImap:$false -AllowBasicAuthMapi:$false -AllowBasicAuthOfflineAddressBook:$false -AllowBasicAuthOutlookService:$false -AllowBasicAuthPop:$false -AllowBasicAuthPowershell:$false -AllowBasicAuthReportingWebServices:$false -AllowBasicAuthRpc:$false -AllowBasicAuthSmtp:$false -AllowBasicAuthWebServices:$false
Get-User -ResultSize Unlimited | ForEach-Object { Set-User -Identity $_.Identity -AuthenticationPolicy $AuthenticationPolicy.Identity -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow) }