Disabling legacy authentication in Exchange Online & M365

Intro

This post came about after trying to disable legacy authentication for a customer. I know little to nothing about M365, other than that I want to rid their tenant of legacy authentication.

So take this post for what it is: a dive down the rabbit hole. Hopefully you will learn something from it as well.

Why deactivate legacy authentication

The primary reason is that legacy authentication does not support MFA, leaving the door wide open for password spraying, credential stuffing and phished credentials.

Note: Even with modern authentication, MFA kicks in _after_ the password has been verified, so the account is still susceptible to password spraying: the spray still confirms the password, MFA only stops that particular sign-in. See the section on Password spray.

Also: in 2022 Microsoft is disabling Basic auth on all tenants, regardless of usage.

https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online

Basic auth vs. protocol support – an important distinction

Setting out on this journey, I believed “legacy protocols, such as IMAP, only support Basic Authentication and therefore can’t use MFA, and they can be turned off either at tenant or mailbox level”.
I was mistaken, and much of my confusion on the topic stems from this misbelief. So let’s start with that:

Most legacy protocols also support modern authentication, but the application developer (be it of an email client, a helpdesk system with mail functionality, or whatever else) needs to update the application to actually use it.

Microsoft has supported modern authentication with OAuth 2.0 tokens on POP, IMAP, SMTP AUTH and EAS since 2019/2020.

https://techcommunity.microsoft.com/t5/exchange-team-blog/announcing-oauth-support-for-pop-in-exchange-online/ba-p/1406600
https://techcommunity.microsoft.com/t5/exchange-team-blog/announcing-oauth-2-0-support-for-imap-and-smtp-auth-protocols-in/ba-p/1330432
https://docs.microsoft.com/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth

We can see that ActiveSync has supported token-based authentication as far back as at least February 2019:

[MS-ASHTTP]: Exchange ActiveSync: HTTP Protocol – 2.2.1.1.2.2 Authorization

Token-based authentication – process overview

For reference, the OAuth 2.0 authorization code flow by which a client obtains tokens is described here:

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
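What the token-based flow produces on the wire, as an added example (PowerShell written for this page, not code from the original post or from Microsoft). It assumes the MSAL.PS module for the commented-out token call, placeholder AppId/TenantId/user values, and the Exchange Online IMAP endpoint outlook.office365.com on port 993; the XOAUTH2 encoding is the one from the IMAP/POP/SMTP OAuth how-to linked above.

```powershell
# Added example: token-based authentication on IMAP. The client never sends a password to
# the mail protocol; it presents an Azure AD access token via the SASL XOAUTH2 mechanism.

function New-XOAuth2Response {
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$AccessToken
    )
    # SASL XOAUTH2 initial client response (Microsoft's IMAP/POP/SMTP OAuth how-to):
    #   "user=" + user + ^A + "auth=Bearer " + token + ^A + ^A, then base64-encoded
    $ctrlA = [char]1
    $raw = "user=$User${ctrlA}auth=Bearer $AccessToken${ctrlA}${ctrlA}"
    [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($raw))
}

function Send-ImapXOAuth2 {
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$AccessToken,
        [string]$Server = 'outlook.office365.com',   # assumption: Exchange Online IMAP endpoint
        [int]$Port = 993
    )
    # One implicit-TLS IMAP session: read the greeting, run AUTHENTICATE XOAUTH2, log out.
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)
        $reader = New-Object System.IO.StreamReader($ssl, [Text.Encoding]::ASCII)
        $writer = New-Object System.IO.StreamWriter($ssl, [Text.Encoding]::ASCII)
        $writer.NewLine   = "`r`n"
        $writer.AutoFlush = $true

        $greeting = $reader.ReadLine()               # "* OK ..." server banner
        $blob = New-XOAuth2Response -User $User -AccessToken $AccessToken
        $writer.WriteLine("A01 AUTHENTICATE XOAUTH2 $blob")
        $response = $reader.ReadLine()
        if ($response -like '+*') {
            # XOAUTH2 convention: a rejected token comes back as a "+" continuation carrying
            # an error payload; the client sends an empty line to get the final tagged NO/BAD.
            $writer.WriteLine('')
            $response = $reader.ReadLine()
        }
        $writer.WriteLine('A02 LOGOUT')
        [pscustomobject]@{
            Greeting      = $greeting
            AuthResponse  = $response                # tagged "A01 OK ..." means the token was accepted
            Authenticated = ($response -like 'A01 OK*')
        }
    }
    finally {
        $tcp.Dispose()
    }
}

# Step 1 (not run here): obtain a delegated token for the IMAP scope via the authorization
# code flow linked above. Assumes the MSAL.PS module and an app registration of your own.
#   $token = Get-MsalToken -ClientId $AppId -TenantId $TenantId -Interactive `
#              -Scopes 'https://outlook.office.com/IMAP.AccessAsUser.All'
#
# Step 2: authenticate to IMAP with the token instead of a password.
#   Send-ImapXOAuth2 -User 'alice@contoso.com' -AccessToken $token.AccessToken

# Offline check of the encoding itself (placeholder, truncated token):
$sample  = New-XOAuth2Response -User 'alice@contoso.com' -AccessToken 'eyJ0eXAi...'
$decoded = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($sample))
$decoded.Replace([string][char]1, '^A')   # user=alice@contoso.com^Aauth=Bearer eyJ0eXAi...^A^A
```

The point of the exchange is the one the section makes: in a tenant whose authentication policy blocks Basic auth for IMAP, an `A01 LOGIN user password` line in this same session is rejected at the ingress point, while `AUTHENTICATE XOAUTH2` with a valid token still works, because the protocol is allowed and only the authentication method changed.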

Block point

After Basic authentication is blocked by an authentication policy, Exchange Online rejects the request at the ingress point before the credentials reach Azure AD, so there won’t be any sign-in log entries in AAD for these attempts.

This also means that repeated attempts at hammering endpoints with blocked protocols won’t count toward any lockout mechanism.

The flip side is that Microsoft leaves us blind on these endpoints, both for troubleshooting purposes and for detecting password sprays, brute-force attacks and the like that use Basic authentication.

https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online#how-basic-authentication-works-in-exchange-online

Protocols overview

If we have a look at the default authentication policy in Exchange, we find a tad more than the five usual suspects (IMAP, MAPI, POP, SMTP & ActiveSync).

The list is also reflected in Conditional Access under “Legacy authentication clients”.
The full list of endpoints that accept Basic authentication, and can therefore be blocked, is as follows:

Authenticated SMTP: Used by POP and IMAP clients to send email messages.
Autodiscover: Used by Outlook and EAS clients to find and connect to mailboxes, EWS endpoints, web services, MAPI and RPC over HTTP.
Exchange Online PowerShell: Used to connect to Exchange Online with remote PowerShell. If you block Basic authentication for Exchange Online PowerShell, you need to use the Exchange Online PowerShell module to connect.
Exchange Web Services (EWS): A programming interface used by Outlook, Outlook for Mac and third-party apps; useful for custom applications that need mailbox access. Microsoft Teams also uses this endpoint to retrieve users’ calendars.
IMAP4: Used by IMAP email clients.
MAPI over HTTP (MAPI/HTTP): Used by Outlook 2010 and later.
Offline Address Book (OAB): A copy of address list collections that is downloaded and used by Outlook.
Outlook Anywhere (RPC over HTTP): Used by Outlook 2016 and earlier.
Outlook Service: Used by the Mail and Calendar app for Windows 10.
POP3: Used by POP email clients.
Reporting Web Services: Used to retrieve report data in Exchange Online.
ActiveSync: Exchange ActiveSync is Microsoft Exchange’s synchronization protocol for mobile devices.
Rest: An undocumented remnant of the Outlook REST v1.0 API, which was decommissioned in November 2019. Basic authentication was turned off for this API on 1 November 2018. [3]

https://docs.microsoft.com/en-gb/azure/active-directory/conditional-access/concept-conditional-access-conditions#client-apps
https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online
[3] https://github.com/MicrosoftDocs/OfficeDocs-Exchange/issues/1561

EWS

While not entirely on topic, the following screenshot from the Microsoft documentation depicts both Basic authentication over SSL and OAuth authorization as available options for EWS.

An EWS client could be your own mail application, an integrated module in a helpdesk system, whatever really.
As noted above, Microsoft Teams also uses EWS to pull users’ calendars.

https://docs.microsoft.com/en-us/exchange/client-developer/exchange-web-services/start-using-web-services-in-exchange

Reporting & Outlook Service

I’d also like to make a few notes about Reporting, as turning off Basic auth for this endpoint isn’t done through the GUI.

Reporting seems to yield 401 in my tests, and it might be down to permissions, as many reports require at least the Service Administrator role, but I am not sure. It is in any case used to pull reports of different kinds.

https://docs.microsoft.com/en-us/exchange/monitoring/monitoring
https://docs.microsoft.com/en-us/office365/servicedescriptions/office-365-platform-service-description/reports
https://docs.microsoft.com/en-us/exchange/monitoring/use-mail-protection-reports

Outlook Service

There is very little, if any, information about this setting, apart from the fact it is used for the Windows 10 native “Mail and calendar” app.

It might be tied into quicker search functionality for EAS clients, but this is merely speculation on my part.

Mailbox settings not directly related to legacy auth

Having a look at the CAS settings for a mailbox, we also find switches for ECP and OWA.

According to the documentation, the ECPEnabled switch only applies to on-premises Exchange installations; trying it in Exchange Online gives an error.

You can also turn off access to webmail with the OWAEnabled switch, which locks the user out of Outlook on the web.

Deactivation of basic authentication

Overview of where to turn off authentication/features

Legacy auth endpoint             | Org. auth policy | CASMailbox | CASMailboxPlan | Block using AAD CA                | Set-CASMailbox parameter              | Set-AuthenticationPolicy parameter
---------------------------------|------------------|------------|----------------|-----------------------------------|---------------------------------------|------------------------------------
Authenticated SMTP               | Yes              | Yes        |                | Yes – Other Clients               | -SmtpClientAuthenticationDisabled     | -AllowBasicAuthSmtp
Autodiscover                     | Yes              |            |                | Yes – Other Clients               | -MAPIBlockOutlookExternalConnectivity | -AllowBasicAuthAutodiscover
Exchange Online PowerShell       | Yes              |            |                | Yes – Other Clients               |                                       | -AllowBasicAuthPowerShell
Exchange Web Services (EWS)      | Yes              | Yes        |                | Yes – Other Clients               | -EwsEnabled                           | -AllowBasicAuthWebServices
IMAP4                            | Yes              | Yes        | Yes            | Yes – Other Clients               | -ImapEnabled                          | -AllowBasicAuthImap
MAPI over HTTP (MAPI/HTTP)       | Yes              | On-prem    |                | Yes – Other Clients               | -MapiHttpEnabled                      | -AllowBasicAuthMapi
Offline Address Book (OAB)       | Yes              |            |                | Yes – Other Clients               |                                       | -AllowBasicAuthOfflineAddressBook
Outlook Anywhere (RPC over HTTP) | Yes              | On-prem    |                | Yes – Other Clients               | -MAPIBlockOutlookExternalConnectivity | -AllowBasicAuthRpc
Outlook Service                  | Yes              | Yes        |                | Yes – Other Clients               | -UniversalOutlookEnabled              | -AllowBasicAuthOutlookService
POP3                             | Yes              | Yes        | Yes            | Yes – Other Clients               | -PopEnabled                           | -AllowBasicAuthPop
Reporting Web Services           | Yes              |            |                | Yes – Other Clients               |                                       | -AllowBasicAuthReportingWebServices
ActiveSync                       | Yes              | Yes        | Yes            | Yes – Exchange ActiveSync Clients |  -ActiveSyncEnabled                   | -AllowBasicAuthActiveSync
Rest                             | n/a              | n/a        | n/a            | n/a                               |                                       | -AllowBasicAuthRest

GUI – Security defaults

If the tenant was created after October 2019, security defaults are enabled by default, and security defaults block legacy authentication, so Basic auth should already be effectively deactivated.

Security defaults are as follows:

GUI – turn off basic authentication protocols

Turning off Basic auth per protocol under “Modern authentication” in the Microsoft 365 admin center (Org settings) partly does the job.
It creates an Exchange authentication policy that turns off most of the Basic auth protocols, but not all of them, as you will see shortly.

PowerShell – tenant level

After turning them off in the GUI, you’ll find that AllowBasicAuthOutlookService and AllowBasicAuthReportingWebServices still remain enabled:

Connect-ExchangeOnline
# Which authentication policy is the tenant default?
Get-OrganizationConfig | Select-Object DefaultAuthenticationPolicy
# Inspect it (this is the policy the GUI created in the customer tenant)
Get-AuthenticationPolicy -Identity BlockBasic637703142645534267

As previously mentioned, one seems to be regulated by administrator roles and the other is more or less undocumented, but both should be turned off anyway. Use the following command:

# Close the two gaps the GUI leaves open on the same policy
Set-AuthenticationPolicy -Identity BlockBasic637703142645534267 -AllowBasicAuthReportingWebServices:$false -AllowBasicAuthOutlookService:$false

PowerShell – mailbox and mailboxplans level

What is important to understand at this level is that we are turning off the protocols entirely, not just Basic authentication.

So if, for instance, one account needs Basic auth over ActiveSync for some reason, don’t weaken the tenant default for everyone: create a second authentication policy that allows Basic auth for ActiveSync only and assign it to that one user with Set-User -AuthenticationPolicy. The mailbox-level switches are not the tool for this; they turn the protocol off altogether, and ActiveSync has to stay on for the native mobile mail clients anyway (see below).

# Turn the protocols off on a single mailbox ($target holds the mailbox identity, e.g. its UPN)
Set-CASMailbox -Identity $target -ImapEnabled $false -PopEnabled $false -ActiveSyncEnabled $false -UniversalOutlookEnabled $false -SmtpClientAuthenticationDisabled $true -EwsEnabled $false

# Inspect the mailbox plans (new mailboxes inherit these defaults)
Get-CASMailboxPlan -ResultSize Unlimited | Select-Object Name, GUID, ImapEnabled, PopEnabled, ActiveSyncEnabled

# Disable IMAP and POP on every plan; ActiveSync stays on because native mobile mail apps need it
Get-CASMailboxPlan -ResultSize Unlimited | Set-CASMailboxPlan -ImapEnabled:$false -PopEnabled:$false -ActiveSyncEnabled:$true

Note: Remember from the table above that UniversalOutlookEnabled (Outlook Service) can’t be set on a CAS mailbox plan, so we don’t set it on the plans.
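The tenant-level steps and the per-user exception in one sequence, as an added example (PowerShell written for this page, not the original post’s commands). It uses the documented ExchangeOnlineManagement cmdlets New-AuthenticationPolicy, Set-OrganizationConfig and Set-User; the policy names and the mailbox address are placeholders.

```powershell
# Added example: block Basic auth tenant-wide, then carve out a single-user exception
# with a second authentication policy instead of loosening the tenant default.

Connect-ExchangeOnline

# 1. A new authentication policy blocks Basic auth on every endpoint by default
#    (all AllowBasicAuth* switches start out False), including the two the GUI misses.
New-AuthenticationPolicy -Name 'Block Basic Auth'
Get-AuthenticationPolicy -Identity 'Block Basic Auth' | Format-List AllowBasicAuth*   # all False

# 2. Make it the tenant default; it applies to every user without an explicit policy.
Set-OrganizationConfig -DefaultAuthenticationPolicy 'Block Basic Auth'

# 3. Exception: the one account that genuinely needs Basic over ActiveSync gets its own
#    policy, scoped to that endpoint only. Placeholder mailbox address.
New-AuthenticationPolicy -Name 'Allow Basic EAS only' -AllowBasicAuthActiveSync
Set-User -Identity 'legacy-scanner@contoso.com' -AuthenticationPolicy 'Allow Basic EAS only'

# 4. Policy changes can take up to 24 hours to apply; invalidating the user's refresh
#    tokens makes Exchange Online re-evaluate the policy right away.
Set-User -Identity 'legacy-scanner@contoso.com' -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)

# 5. Verify: who is on which policy. A blank group name means "tenant default".
Get-User -ResultSize Unlimited |
    Select-Object UserPrincipalName, AuthenticationPolicy |
    Group-Object AuthenticationPolicy -NoElement
```

The exception policy is deliberately created with only -AllowBasicAuthActiveSync, so even that account cannot fall back to Basic auth on IMAP, POP, EWS or PowerShell; everything else about it (MFA, Conditional Access, the CAS mailbox switches) is unchanged.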

MAPI & EwsEnabled and mailbox plans

You might get an error stating

The operation on Identity “Username” failed because it’s out of the current user’s write scope. License validation error: the action ‘Set-CASMailbox’, ‘EwsEnabled’ can’t be performed on the user ‘Username’ with license ‘BPOS_S_Deskless’.

Checking the mailbox plan of this user explains why: the Deskless plan, i.e. Exchange Online Kiosk, does not include EWS or IMAP, as the plan shows.

https://docs.microsoft.com/en-us/office365/servicedescriptions/exchange-online-service-description/exchange-online-service-description?redirectedfrom=MSDN
https://docs.microsoft.com/en-us/exchange/recipients-in-exchange-online/manage-user-mailboxes/mailbox-plans
https://thibaultchatiron.fr/2020/10/22/problem-with-mail-native-apps-with-modern-auth-exchange-activesync-disabled-azure-ad-mfa/

Native Samsung and Apple e-mail applications: do they need ActiveSync enabled?

Yes. You can disable Basic authentication, but ActiveSync must stay enabled on the mailbox; these clients use ActiveSync with modern authentication.

What happens to my Exchange PowerShell scripts

Unattended scripts that use Basic auth will obviously stop working and must be swapped out for certificate-based (app-only) authentication with the Exchange Online PowerShell module.

https://techcommunity.microsoft.com/t5/exchange-team-blog/modern-auth-and-unattended-scripts-in-exchange-online-powershell/ba-p/1497387
https://docs.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps
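The unattended connection before and after, as an added example (PowerShell written for this page, not the original post’s scripts). The app ID, certificate thumbprint and tenant name are placeholders; the certificate-based pattern is the app-only authentication documented for the ExchangeOnlineManagement module linked above, which requires an app registration with the Exchange.ManageAsApp application permission and an Exchange admin role assignment.

```powershell
# Added example: migrating an unattended Exchange Online PowerShell script off Basic auth.

# BEFORE (stops working once Basic auth for Exchange Online PowerShell is blocked):
# a password-based remote session to the legacy endpoint, typically fed from a stored
# credential file. This is exactly the kind of account a spray tool loves.
#   $cred    = Import-Clixml .\svc-account.xml
#   $session = New-PSSession -ConfigurationName Microsoft.Exchange `
#                -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
#                -Credential $cred -Authentication Basic -AllowRedirection
#   Import-PSSession $session

# AFTER: app-only, certificate-based. No user signs in, so there is no password to spray
# and no MFA prompt to get stuck on; the private key in the certificate store is the secret.
$AppId        = '00000000-0000-0000-0000-000000000000'       # placeholder app registration
$Organization = 'contoso.onmicrosoft.com'                    # placeholder tenant
$Thumbprint   = 'ABCDEF0123456789ABCDEF0123456789ABCDEF01'   # placeholder; cert + private key
                                                             # in the user or machine store

Connect-ExchangeOnline -AppId $AppId -Organization $Organization `
    -CertificateThumbprint $Thumbprint -ShowBanner:$false

try {
    # The script body is unchanged; only the connection step moved.
    Get-AuthenticationPolicy | Format-List Name, AllowBasicAuth*
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```

If the certificate must live outside the Windows certificate store, Connect-ExchangeOnline also accepts -CertificateFilePath with -CertificatePassword; either way, treat the private key with the same care as the old service-account password, because it now carries the admin role.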

Password spray

As a curiosity, I did a test with a spraying utility to see how it would manifest itself in the sign-in logs.

As shown below, the user’s password has been successfully guessed. This is due to the fact that MFA is triggered after entering correct credentials.

The sign-in logs also show that the authentication failed because the user has to perform MFA. An attacker then knows he has the correct username and password to reuse at whatever service exists without MFA.
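A triage pass over an Azure AD sign-in log export, as an added example (PowerShell written for this page, not the original post’s test) serving two points above: the “Block point” section (once Basic auth is blocked at the ingress point these sign-ins stop appearing, so inventory them before you block) and the spray test just described (a wrong password and a “password right, MFA required” failure look different in the log). The log entries are constructed here in the shape of the Microsoft Graph signIns resource; the client-app names are the ones the sign-in log’s Client app filter uses, the AADSTS codes are the standard ones, and the threshold is an assumption.

```powershell
# Added example: who still uses legacy auth, and which source is spraying passwords.
# Constructed sample data (not a real tenant), shaped like Microsoft Graph signIns.
$sampleSignIns = @'
[
 {"createdDateTime":"2021-10-11T08:01:02Z","userPrincipalName":"alice@contoso.com","ipAddress":"203.0.113.10","clientAppUsed":"Mobile Apps and Desktop clients","status":{"errorCode":50126}},
 {"createdDateTime":"2021-10-11T08:01:04Z","userPrincipalName":"bob@contoso.com","ipAddress":"203.0.113.10","clientAppUsed":"Mobile Apps and Desktop clients","status":{"errorCode":50126}},
 {"createdDateTime":"2021-10-11T08:01:06Z","userPrincipalName":"carol@contoso.com","ipAddress":"203.0.113.10","clientAppUsed":"Mobile Apps and Desktop clients","status":{"errorCode":50126}},
 {"createdDateTime":"2021-10-11T08:01:08Z","userPrincipalName":"dave@contoso.com","ipAddress":"203.0.113.10","clientAppUsed":"Mobile Apps and Desktop clients","status":{"errorCode":50126}},
 {"createdDateTime":"2021-10-11T08:01:10Z","userPrincipalName":"erin@contoso.com","ipAddress":"203.0.113.10","clientAppUsed":"Mobile Apps and Desktop clients","status":{"errorCode":50074}},
 {"createdDateTime":"2021-10-11T08:01:12Z","userPrincipalName":"frank@contoso.com","ipAddress":"203.0.113.10","clientAppUsed":"IMAP4","status":{"errorCode":0}},
 {"createdDateTime":"2021-10-11T08:30:00Z","userPrincipalName":"erin@contoso.com","ipAddress":"198.51.100.7","clientAppUsed":"Browser","status":{"errorCode":0}},
 {"createdDateTime":"2021-10-11T09:00:00Z","userPrincipalName":"scanner@contoso.com","ipAddress":"192.0.2.25","clientAppUsed":"Exchange ActiveSync","status":{"errorCode":0}},
 {"createdDateTime":"2021-10-11T09:05:00Z","userPrincipalName":"helpdesk-svc@contoso.com","ipAddress":"192.0.2.30","clientAppUsed":"Exchange Web Services","status":{"errorCode":0}}
]
'@

# Client-app names Azure AD uses for legacy authentication; verify against your own export.
$LegacyClientApps = @(
    'Authenticated SMTP', 'Autodiscover', 'Exchange ActiveSync', 'Exchange Online PowerShell',
    'Exchange Web Services', 'IMAP4', 'MAPI Over HTTP', 'Offline Address Book',
    'Outlook Anywhere (RPC over HTTP)', 'Outlook Service', 'POP3', 'Reporting Web Services',
    'Other clients'
)

function Get-LegacyAuthUsage {
    param([Parameter(Mandatory)][object[]]$SignIns)
    # Who still signs in with a legacy client app. These are the sign-ins that vanish from the
    # log once the authentication policy rejects Basic auth, so inventory and migrate them first.
    $SignIns | Where-Object { $LegacyClientApps -contains $_.clientAppUsed } |
        Group-Object userPrincipalName, clientAppUsed |
        ForEach-Object {
            [pscustomobject]@{
                User      = $_.Group[0].userPrincipalName
                ClientApp = $_.Group[0].clientAppUsed
                SignIns   = $_.Count
                LastSeen  = ($_.Group.createdDateTime | Sort-Object | Select-Object -Last 1)
            }
        }
}

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)][object[]]$SignIns,
        [int]$MinDistinctUsers = 3     # assumption; tune to the tenant's size
    )
    # AADSTS 50126 = wrong username or password; one source failing many different users is a spray.
    # 50074 / 50076 / 50079 = strong authentication required or enrolment required: the password was
    # accepted and only MFA stood in the way, which is what the test above showed.
    # errorCode 0 on a legacy client app from the same source = password right, nothing in the way.
    $passwordAccepted = @(50074, 50076, 50079)

    $SignIns | Where-Object { $_.status.errorCode -eq 50126 } |
        Group-Object ipAddress |
        Where-Object { @($_.Group.userPrincipalName | Sort-Object -Unique).Count -ge $MinDistinctUsers } |
        ForEach-Object {
            $group      = $_
            $ip         = $group.Name
            $fromSameIp = $SignIns | Where-Object { $_.ipAddress -eq $ip }
            [pscustomobject]@{
                SourceIp           = $ip
                UsersTried         = @($group.Group.userPrincipalName | Sort-Object -Unique).Count
                PasswordConfirmed  = @($fromSameIp |
                                         Where-Object { $passwordAccepted -contains $_.status.errorCode } |
                                         Select-Object -ExpandProperty userPrincipalName -Unique)
                SucceededViaLegacy = @($fromSameIp |
                                         Where-Object { $_.status.errorCode -eq 0 -and $LegacyClientApps -contains $_.clientAppUsed } |
                                         Select-Object -ExpandProperty userPrincipalName -Unique)
            }
        }
}

$signIns = $sampleSignIns | ConvertFrom-Json
Get-LegacyAuthUsage -SignIns $signIns | Format-Table -AutoSize
Find-PasswordSpray  -SignIns $signIns | Format-List
```

On the constructed data the inventory lists frank (IMAP4), scanner (Exchange ActiveSync) and helpdesk-svc (Exchange Web Services), and the spray report flags 203.0.113.10 with four users tried, erin’s password confirmed (MFA stopped that sign-in, as in the test above) and frank signed in straight over IMAP with no MFA at all. That last row is the reason to block Basic auth; the first list is what you lose sight of in the sign-in log once you do, so run it before, not after.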
