19 April 2019

Enable Basic Authentication for one user - Exchange Online

Disable basic authentication, password spray attack, enable MFA, enable modern authentication now!!
These are the topics most blogs post about, Tweeters tweet about and Microsoft warns about.
Talk about a panic attack. Of course this is very important stuff and you should disable basic auth, enable modern auth with MFA, and implement password protection.

But what if you have an application made in 1990 that requires basic auth to access your Exchange Online environment?

You can bypass the modern auth requirement with a policy that allows you to turn on basic auth for one specific user. 😎

All this is done in Exchange Online PowerShell:
Create a policy:
New-AuthenticationPolicy -Name "Allow Basic Auth for some ancient application"
Specify what services are allowed to use basic auth:
Set-AuthenticationPolicy -Identity "Allow Basic Auth for some ancient application" -AllowBasicAuthWebServices:$true             
Set-AuthenticationPolicy -Identity "Allow Basic Auth for some ancient application" -AllowBasicAuthOutlookService:$true             
Set-AuthenticationPolicy -Identity "Allow Basic Auth for some ancient application" -AllowBasicAuthReportingWebServices:$true             
Set-AuthenticationPolicy -Identity "Allow Basic Auth for some ancient application" -AllowBasicAuthActiveSync:$true             
Set-AuthenticationPolicy -Identity "Allow Basic Auth for some ancient application" -AllowBasicAuthRest:$true             
Set-AuthenticationPolicy -Identity "Allow Basic Auth for some ancient application" -AllowBasicAuthPowershell:$true             
Set-AuthenticationPolicy -Identity "Allow Basic Auth for some ancient application" -AllowBasicAuthMapi:$true             
Set-AuthenticationPolicy -Identity "Allow Basic Auth for some ancient application" -AllowBasicAuthOfflineAddressBook:$true             
Set-AuthenticationPolicy -Identity "Allow Basic Auth for some ancient application" -AllowBasicAuthAutodiscover:$true             
Set-AuthenticationPolicy -Identity "Allow Basic Auth for some ancient application" -AllowBasicAuthRpc:$true
Check the policy settings:
Get-AuthenticationPolicy -Identity "Allow Basic Auth for some ancient application" | fl AllowBasicAuth*
AllowBasicAuthActiveSync           : True            
AllowBasicAuthAutodiscover         : True            
AllowBasicAuthImap                 : False            
AllowBasicAuthMapi                 : True            
AllowBasicAuthOfflineAddressBook   : True            
AllowBasicAuthOutlookService       : True            
AllowBasicAuthPop                  : False            
AllowBasicAuthReportingWebServices : True            
AllowBasicAuthRest                 : False            
AllowBasicAuthRpc                  : True            
AllowBasicAuthSmtp                 : False            
AllowBasicAuthWebServices          : True            
AllowBasicAuthPowershell           : True
As you can see in the output above, we do not allow SMTP, POP and IMAP to use basic auth, but of course you could by adding:
Set-AuthenticationPolicy -Identity "Allow Basic Auth for some ancient application" -AllowBasicAuthSmtp:$true            
Set-AuthenticationPolicy -Identity "Allow Basic Auth for some ancient application" -AllowBasicAuthImap:$true            
Set-AuthenticationPolicy -Identity "Allow Basic Auth for some ancient application" -AllowBasicAuthPop:$true
Then grant a specific user the created policy:
Set-User -Identity LegacyUser -AuthenticationPolicy "Allow Basic Auth for some ancient application"
And check that all went well:
Get-User -Identity LegacyUser | fl auth*            
AuthenticationPolicy : Allow Basic Auth for some ancient application
Name                 : LegacyUser
To check all users with an authentication policy assigned:
Get-Recipient -RecipientTypeDetails UserMailbox -ResultSize Unlimited | Get-User | Format-Table DisplayName, AuthenticationPolicy, Sts*
Update:
I just found that if a user has the "Multi-factor Auth status" set to "Enforced", you need to set it to disabled here: https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx

And there you have it: that one user is now able to use basic auth.
Document this properly, as it does pose a security risk, and these little exceptions tend to be forgotten over time.
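The procedure above as one script, added here as an example and not taken from the original post: it creates the policy only if it does not already exist, enables only the protocols the legacy application actually needs (EWS and Autodiscover are assumed here; adjust to your application), assigns it to one user, verifies the assignment and lists every mailbox user that carries any policy so the exception can be reviewed later. The user name and policy name are placeholders, and an Exchange Online PowerShell session is assumed.

```powershell
# Added example, not from the original post. Requires an Exchange Online PowerShell session.
$PolicyName = "Allow Basic Auth for some ancient application"
$LegacyUser = "LegacyUser"   # placeholder account, as in the post

# Only the protocols the legacy application needs; every other AllowBasicAuth*
# setting stays at its default of False (least privilege for the exception).
$NeededProtocols = @{
    AllowBasicAuthWebServices  = $true   # EWS (assumed requirement)
    AllowBasicAuthAutodiscover = $true   # needed for EWS clients to find the endpoint
}

# Idempotent create: New-AuthenticationPolicy fails if the name already exists.
if (-not (Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $PolicyName | Out-Null
}

# Splatting turns the hashtable into -AllowBasicAuthWebServices:$true etc. in one call.
Set-AuthenticationPolicy -Identity $PolicyName @NeededProtocols

# Assign the policy to the single user and force the new policy to take effect
# promptly (as documented by Microsoft) instead of waiting for propagation.
Set-User -Identity $LegacyUser -AuthenticationPolicy $PolicyName
Set-User -Identity $LegacyUser -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)

# Verify the assignment landed; stop loudly if it did not.
$assigned = (Get-User -Identity $LegacyUser).AuthenticationPolicy
if ($assigned -ne $PolicyName) {
    throw "Policy assignment failed for $LegacyUser (got '$assigned')"
}

# Show which protocols the policy really allows, for the documentation the post asks for.
$policy = Get-AuthenticationPolicy -Identity $PolicyName
$policy.PSObject.Properties |
    Where-Object { $_.Name -like 'AllowBasicAuth*' -and $_.Value -eq $true } |
    Select-Object Name, Value

# Inventory every mailbox user with any policy assigned, grouped by policy,
# so the exceptions can be reviewed periodically (cf. the post's Get-Recipient check).
Get-Recipient -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    Get-User |
    Where-Object { $_.AuthenticationPolicy } |
    Group-Object AuthenticationPolicy |
    Select-Object Name, Count
```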

7 comments:

  1. Anonymous 24/4/20 08:49

    Thanks a lot :)

  2. Thanks for sharing. Works a charm :)

  3. Great article! Will this work even if the newer 365 "Security Defaults" Global Settings are enabled, or not? Hopefully so :) Thanks!!

  4. Fantastic. This resolved the SMTP Modern Auth issues I was having with SMTP and Legacy printers.

  5. Great article.
    I am managing this project in my organization, and we have a lot of users that are still on basic auth. I did an export of all those users and want to move them to modern auth, so we decided to do that in batches of 500 users (total is 20K users). Any cmdlet to set their authentication policy to (Block Basic Auth) using Import-Csv -Path XXXX | ForEach Set-User etc.. ?
    Thanks in advance.

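One way to run the batch assignment the comment above describes, added here as an example and not code from the post or the commenter: a blocking policy is created if missing (a new authentication policy allows no basic auth protocol by default), users are read from a CSV and assigned in batches, and the outcome per user is written back to a results file. The CSV path, its UserPrincipalName column and the policy name are assumptions; an Exchange Online PowerShell session is assumed.

```powershell
# Added example, not from the post or the comment. Requires an Exchange Online PowerShell session.
$PolicyName = 'Block Basic Auth'                      # placeholder policy name
$CsvPath    = 'C:\temp\basic-auth-users.csv'           # placeholder; needs a UserPrincipalName column
$BatchSize  = 500

# A policy created without any -AllowBasicAuth* switch allows no basic auth protocol at all.
if (-not (Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $PolicyName | Out-Null
}

$users   = @(Import-Csv -Path $CsvPath)
$batches = [math]::Ceiling($users.Count / $BatchSize)
$results = @()

for ($b = 0; $b -lt $batches; $b++) {
    $slice = @($users | Select-Object -Skip ($b * $BatchSize) -First $BatchSize)
    Write-Host ("Batch {0}/{1}: {2} users" -f ($b + 1), $batches, $slice.Count)

    foreach ($row in $slice) {
        $upn = $row.UserPrincipalName
        try {
            Set-User -Identity $upn -AuthenticationPolicy $PolicyName -ErrorAction Stop
            # Make the policy apply promptly instead of after the normal propagation delay.
            Set-User -Identity $upn -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow) -ErrorAction Stop
            $status = 'Assigned'
        } catch {
            # Keep going; a typo in one row must not stop the whole batch.
            $status = "Failed: $($_.Exception.Message)"
        }
        $results += [pscustomobject]@{ User = $upn; Batch = $b + 1; Status = $status }
    }

    # Pause between batches so failures can be reviewed before the next 500 users.
    if ($b -lt $batches - 1) { Read-Host 'Press Enter to run the next batch' | Out-Null }
}

# Persist the per-user outcome so the migration is documented and auditable.
$results | Export-Csv -Path "$CsvPath.results.csv" -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count
```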
  6. Thanks mate, in 2022 still working like a charm

  7. Thanks man, worked well :)
