These are the topics every blog posts about, Twitter tweets about and Microsoft warns about.
Talk about a panic attack. Of course this is important: you should disable basic authentication, enable modern authentication with MFA, and implement password protection.
But what if you have an application written in 1990 that can only do basic auth and needs to reach your Exchange Online environment?
You can make a narrow exception with an authentication policy that allows basic auth for one specific user, and only for the protocols that user actually needs. 😎
All of this is done in Exchange Online PowerShell:
Create a policy:
New-AuthenticationPolicy -Name "Allow Basic Auth for some ancient application"
Specify which services are allowed to use basic auth. A new policy blocks basic auth for every protocol by default, so only the switches you set to $true are opened up, and they can all go in a single call:
Set-AuthenticationPolicy -Identity "Allow Basic Auth for some ancient application" `
    -AllowBasicAuthWebServices:$true `
    -AllowBasicAuthOutlookService:$true `
    -AllowBasicAuthReportingWebServices:$true `
    -AllowBasicAuthActiveSync:$true `
    -AllowBasicAuthRest:$true `
    -AllowBasicAuthPowershell:$true `
    -AllowBasicAuthMapi:$true `
    -AllowBasicAuthOfflineAddressBook:$true `
    -AllowBasicAuthAutodiscover:$true `
    -AllowBasicAuthRpc:$true
Check the policy settings:
Get-AuthenticationPolicy -Identity "Allow Basic Auth for some ancient application" | fl AllowBasicAuth*
AllowBasicAuthActiveSync           : True
AllowBasicAuthAutodiscover         : True
AllowBasicAuthImap                 : False
AllowBasicAuthMapi                 : True
AllowBasicAuthOfflineAddressBook   : True
AllowBasicAuthOutlookService       : True
AllowBasicAuthPop                  : False
AllowBasicAuthReportingWebServices : True
AllowBasicAuthRest                 : False
AllowBasicAuthRpc                  : True
AllowBasicAuthSmtp                 : False
AllowBasicAuthWebServices          : True
AllowBasicAuthPowershell           : True
As you can see in the output above, SMTP, POP and IMAP are still not allowed to use basic auth. (AllowBasicAuthRest also still reads False even though it was set above; Microsoft documents that parameter as reserved for its internal use, so don't rely on it.) You could of course open up the mail protocols too, but only do so if the application really needs them:
Set-AuthenticationPolicy -Identity "Allow Basic Auth for some ancient application" `
    -AllowBasicAuthSmtp:$true `
    -AllowBasicAuthImap:$true `
    -AllowBasicAuthPop:$true
Then assign the new policy to the one user who needs it:
Set-User -Identity LegacyUser -AuthenticationPolicy "Allow Basic Auth for some ancient application"
And check that all went well:
Get-User -Identity LegacyUser | fl auth*
AuthenticationPolicy : Allow Basic Auth for some ancient application
Name                 : LegacyUser
To list all mailbox users together with their assigned authentication policy (and the STSRefreshTokensValidFrom timestamp, which you can bump with Set-User to make a policy change take effect sooner than the default of up to 24 hours):
Get-Recipient -RecipientTypeDetails UserMailbox -ResultSize Unlimited | Get-User | Format-Table DisplayName, AuthenticationPolicy, Sts*
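The whole procedure above as one script, added here as an example and not the original post's code. It takes the least-privilege approach: the policy only opens the protocols listed in a hashtable (EWS plus Autodiscover is assumed as what the legacy application needs; adjust the list for your application), assigns the policy to the one user, forces the change to apply by invalidating the user's refresh tokens, and then verifies. The policy name and user are placeholders, and an existing Connect-ExchangeOnline session is assumed.

```powershell
# Added example (not from the original post): create a least-privilege
# authentication policy, assign it to one user, force it to apply, verify.
# Assumes Connect-ExchangeOnline has already been run.
# $PolicyName, $LegacyUser and the protocol list are placeholders.

$PolicyName = "Allow Basic Auth for some ancient application"
$LegacyUser = "LegacyUser"

# Only the protocols this application actually uses. Every AllowBasicAuth*
# switch not listed here stays $false, which is the default on a new policy.
$AllowedProtocols = @{
    AllowBasicAuthWebServices  = $true   # EWS (assumed to be what the app talks)
    AllowBasicAuthAutodiscover = $true   # EWS clients usually need Autodiscover too
}

# Create the policy only if it does not exist yet, so the script is re-runnable.
$policy = Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue
if (-not $policy) {
    New-AuthenticationPolicy -Name $PolicyName | Out-Null
}

# All switches in one call by splatting the hashtable.
Set-AuthenticationPolicy -Identity $PolicyName @AllowedProtocols

# Assign the policy to the single user that needs the exception.
Set-User -Identity $LegacyUser -AuthenticationPolicy $PolicyName

# Policy changes can take up to 24 hours to apply. Invalidating the user's
# existing refresh tokens makes the new policy apply within about 30 minutes.
Set-User -Identity $LegacyUser -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)

# Verify: exactly which protocols the policy allows basic auth for ...
Get-AuthenticationPolicy -Identity $PolicyName |
    Select-Object -Property AllowBasicAuth* |
    Format-List

# ... and that the user picked up the policy.
Get-User -Identity $LegacyUser |
    Format-List Name, AuthenticationPolicy, STSRefreshTokensValidFrom
```

If you have set a tenant-wide default policy with Set-OrganizationConfig -DefaultAuthenticationPolicy, the per-user assignment above takes precedence over it, which is exactly what makes the exception narrow.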
Update:
I just found that if the user's "Multi-factor Auth status" is set to "Enforced" (per-user MFA), basic auth is blocked regardless of the Exchange policy; you need to set it to disabled here: https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx
The same applies to anything else that blocks legacy authentication in front of Exchange: Security Defaults block it tenant-wide, and a Conditional Access policy that blocks legacy authentication needs an exclusion for this account, or the authentication policy has no effect.
And there you have it: that one user is now able to use basic auth, and only for the protocols you opened up.
Document this properly, because it does pose a security risk (basic auth means a password on the wire with no MFA, and the account is now a target for password spraying), and these little exceptions tend to be forgotten over time. Also be aware that Microsoft has since permanently disabled basic auth in Exchange Online for every protocol except SMTP AUTH; on a tenant where that has already happened, an authentication policy no longer re-enables it.
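To keep those exceptions from being forgotten, here is an audit script, added as an example and not part of the original post. It lists every mailbox user with an explicit authentication policy and, for each, which basic-auth protocols that policy opens up, plus the tenant default policy. It changes nothing and assumes an existing Connect-ExchangeOnline session.

```powershell
# Added example (not from the original post): audit basic-auth exceptions.
# Read-only. Assumes Connect-ExchangeOnline has already been run.

# Build a lookup from policy name (and identity) to the protocols for which
# that policy allows basic auth, e.g. "Autodiscover,WebServices".
$policyAllows = @{}
foreach ($p in Get-AuthenticationPolicy) {
    $allowed = $p.PSObject.Properties |
        Where-Object { $_.Name -like 'AllowBasicAuth*' -and $_.Value -eq $true } |
        ForEach-Object { $_.Name -replace '^AllowBasicAuth', '' }
    $summary = if ($allowed) { $allowed -join ',' } else { '(none)' }
    $policyAllows[$p.Name] = $summary
    $policyAllows[[string]$p.Identity] = $summary
}

# Users without an explicit policy fall under the tenant default, if any.
$defaultPolicy = (Get-OrganizationConfig).DefaultAuthenticationPolicy
"Tenant default authentication policy: $(if ($defaultPolicy) { $defaultPolicy } else { '(not set)' })"

# Every mailbox user with an explicit policy is an exception worth reviewing.
Get-User -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy } |
    Select-Object Name, AuthenticationPolicy,
        @{ Name = 'BasicAuthAllowedFor'
           Expression = { $policyAllows[[string]$_.AuthenticationPolicy] } },
        STSRefreshTokensValidFrom |
    Sort-Object AuthenticationPolicy, Name |
    Format-Table -AutoSize
```

Run it periodically (or from a scheduled job that mails the table to whoever owns the exception), and treat any row whose BasicAuthAllowedFor is not "(none)" as something that needs a documented owner and an expiry date.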