Exchange- turn off basic authentication hidden legacy services

Turning off Basic authentication in the Microsoft 365 admin center does not turn off two legacy services.

  • AllowBasicAuthOutlookService 
  • AllowBasicAuthReportingWebServices

These two settings can only be turned off via Exchange Online PowerShell.

Note : Allthough we can block these via conditional access it’s the best to turn off all protocols we don’t use.
 Conditional access works with post-authentication.  This still allows for password spray and credential validation.

If not allready done,, you need the Exchange online management powershell module. To install this module use the command :

Install-Module ExchangeOnlineManagement 

Connect-ExchangeOnline 

To check the Authenticationpolicy

Get-AuthenticationPolicy

The following command disables these two policies for only new mailboxes that you’ll create, but not existing mailboxes. 
This depends on the configuration per user or per mailbox. The best way to go is to set a global config.

Set-AuthenticationPolicy -Identity "BlockBasic637635815395381879 " -AllowBasicAuthReportingWebServices:$false -AllowBasicAuthOutlookService:$false

to apply the policy to all existing mailboxes, replace <Name> value with the actual policy name: 

$mbx = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize unlimited $mbx | foreach {Set-User -Identity $_.ExchangeObjectID.tostring() -AuthenticationPolicy BlockBasic637635815395381879}

But a better way to go is to ensure that the users authentication policy is set to $null and set the global default authentication policy with 

Set-OrganizationConfig -DefaultAuthenticationPolicy <authentication policy name> 

In this way the policy impacts all users all the time and not just mailboxes.

To check what policy is applied to a mailbox or user run the following command : 

# get authentication policy for a mailbox
Get-Mailbox -Identity <mailbox > | Select-Object DefaultAuthenticationPolicy 

# get authentication policy for a user
Get-user <user> | Select-Object DefaultAuthenticationPolicy  
get-user | ft Name, Auth*

If the field is empty, 

this means that the tenant-wide default policy is applied. You can check which is the default one via:

Get-OrganizationConfig | select -ExpandProperty DefaultAuthenticationPolicy

Leave a Reply

Your email address will not be published. Required fields are marked *