This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
People,
Based on https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-september-2021-update/ba-p/2772210
The Basic Authentication can be enabled before January 2023.
However, after executing the PowerShell script below, it is still not working.
From: https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online#step-2-assign-the-authentication-policy-to-users
$PolicyName = 'Temp. policy basic auth.'
New-AuthenticationPolicy -Name $PolicyName -AllowBasicAuthReportingWebServices -AllowBasicAuthWebServices -AllowBasicAuthActiveSync
$paramSetUser = @{
Identity = ’Name of the shared mailbox'
AuthenticationPolicy = $PolicyName
StsRefreshTokensValidFrom = $([System.DateTime]::UtcNow)
}
Set-User @paramSetUser
How to fix the issue above, so only a few selected mailboxes is using Basic Authentication, not the entire Tenant is exposed.
PS C:\WINDOWS\system32\WindowsPowerShell\v1.0> Get-OrganizationConfig | Format-Table DefaultAuthenticationPolicy
DefaultAuthenticationPolicy
---------------------------
PS C:\WINDOWS\system32\WindowsPowerShell\v1.0> Get-AuthenticationPolicy | Select-Object *Allow*
AllowBasicAuthActiveSync : True
AllowBasicAuthAutodiscover : False
AllowBasicAuthImap : False
AllowBasicAuthMapi : False
AllowBasicAuthOfflineAddressBook : False
AllowBasicAuthOutlookService : True
AllowBasicAuthPop : False
AllowBasicAuthReportingWebServices : True
AllowBasicAuthRest : False
AllowBasicAuthRpc : False
AllowBasicAuthSmtp : False
AllowBasicAuthWebServices : True
AllowBasicAuthPowershell : False
Thanks in advance.
@EnterpriseArchitect
I am writing here to confirm with you any update about this thread now.
If the suggestion below helps, please feel free to accept it as an answer to help more people.
@KyleXu-MSFT , OK, so how do I manually close the Bais Authentication tenant-wide manually?
for the entire tenant or just a group of users?
@Andy David - MVP , for the entire Tenant.
You can disable basic auth for the entire tenant here:
Uncheck any boxes that are still checked:
Enable it for just the protocol needed if its still allowed to opt-out, then apply an authorization policy to block basic auth for per users, yes. Do not apply to the users that need basic auth.
But not sure if they will still allow an exception, so you will need to follow that doc and see if its possible.
Thanks , @Andy David - MVP
Follow this: https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-june-2021-update/bc-p/2599824#M31057
and enable the tenant for Basic Auth powershell
Then Block it for everyone but the required users using an authentication policy
Hi @Andy David - MVP , thank you for the reply,
Which steps to follow and which script to execute please ?
Did you already request an opt-out? It may not be available any longer:
Check from that article
If you still can: follow:
https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online#step-1-create-the-authentication-policy
OK, so if I enable that Basic Auth for each of the protocols, does it mean it is tenant-wide?
and then I can use the PowerShell script I posted initially to create the new customs policy, which I must apply per mailbox one by one as required.
