Enabling Basic Authentication temporarily only for a few selected mailboxes. not the whole tenant?

EnterpriseArchitect 4,871 Reputation points
2022-10-14T06:58:17.797+00:00

People,

Based on https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-september-2021-update/ba-p/2772210
The Basic Authentication can be enabled before January 2023.

However, after executing the PowerShell script below, it is still not working.
From: https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online#step-2-assign-the-authentication-policy-to-users

$PolicyName = 'Temp. policy basic auth.'  
   
New-AuthenticationPolicy -Name $PolicyName -AllowBasicAuthReportingWebServices -AllowBasicAuthWebServices -AllowBasicAuthActiveSync  
   
$paramSetUser = @{  
    Identity                  = ’Name of the shared mailbox'   
    AuthenticationPolicy      = $PolicyName   
    StsRefreshTokensValidFrom = $([System.DateTime]::UtcNow)  
}  
   
Set-User @paramSetUser   

How to fix the issue above, so only a few selected mailboxes is using Basic Authentication, not the entire Tenant is exposed.

PS C:\WINDOWS\system32\WindowsPowerShell\v1.0> Get-OrganizationConfig | Format-Table DefaultAuthenticationPolicy  
   
DefaultAuthenticationPolicy  
---------------------------  
                             
  
   
PS C:\WINDOWS\system32\WindowsPowerShell\v1.0> Get-AuthenticationPolicy | Select-Object *Allow*  
   
   
AllowBasicAuthActiveSync           : True  
AllowBasicAuthAutodiscover         : False  
AllowBasicAuthImap                 : False  
AllowBasicAuthMapi                 : False  
AllowBasicAuthOfflineAddressBook   : False  
AllowBasicAuthOutlookService       : True  
AllowBasicAuthPop                  : False  
AllowBasicAuthReportingWebServices : True  
AllowBasicAuthRest                 : False  
AllowBasicAuthRpc                  : False  
AllowBasicAuthSmtp                 : False  
AllowBasicAuthWebServices          : True  
AllowBasicAuthPowershell           : False   

Thanks in advance.

Microsoft Exchange Online Management
Microsoft Exchange Online Management
Microsoft Exchange Online: A Microsoft email and calendaring hosted service.Management: The act or process of organizing, handling, directing or controlling something.
4,246 questions
Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,391 questions
Microsoft Exchange Hybrid Management
Microsoft Exchange Hybrid Management
Microsoft Exchange: Microsoft messaging and collaboration software.Hybrid Management: Organizing, handling, directing or controlling hybrid deployments.
1,915 questions
{count} votes

Accepted answer
  1. Andy David - MVP 142.7K Reputation points MVP
    2022-10-14T13:24:12.337+00:00

    Enable it for just the protocol needed if its still allowed to opt-out, then apply an authorization policy to block basic auth for per users, yes. Do not apply to the users that need basic auth.
    But not sure if they will still allow an exception, so you will need to follow that doc and see if its possible.

    1 person found this answer helpful.

2 additional answers

Sort by: Most helpful
  1. Andy David - MVP 142.7K Reputation points MVP
    2022-10-14T11:44:15.887+00:00

    Follow this: https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-june-2021-update/bc-p/2599824#M31057
    and enable the tenant for Basic Auth powershell

    Then Block it for everyone but the required users using an authentication policy

    1 person found this answer helpful.

  2. Andy David - MVP 142.7K Reputation points MVP
    2022-10-14T13:09:14.44+00:00