Basic Auth Authentication through token

Nikita Krivets 486 Reputation points
2020-04-15T10:31:27.867+00:00

Hello,

I have disabled BasicAuth on my tenant. I also have enabled Security Defaults with MFA enforcement.
When I perform Get-OrganizationConfig | fl DefaultAuthenticationPolicy cmdlet and check the policy, all properties regarding basic auth are set to false.

I have acquired an access token for https://outlook.office365.com resource.
Now I am using this token to open a new Powershell session via old Powershell module.

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.of fice365.com/powershell-liveid/?BasicAuthToOAuthConversion=true -Credential $credential -Authentication Basic -AllowRedirection

where $credential is my username along with the access token. It connects perfectly fine and I can invoke any cmdlet.

I cannot grasp why despite Basic Auth being disabled on my tenant, I still can establish a session with "-Authentication Basic". Does this access token approach act as a substitute for Basic Authentication in this case?

Thanks in advance!

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,135 questions
0 comments No comments
{count} votes

Accepted answer
  1. Vasil Michev 98,206 Reputation points MVP
    2020-04-15T10:46:33.17+00:00

    The PowerShell module is simply "proxying" the token you provided (and obtained via Modern auth beforehand) and using it to create the session. You will not be prompted for credentials so effectively, you are authenticating via modern auth, just the way the token is presented is a bit different. You can look at the properties of the session, such as the URI used (which uses and endpoint that indicates what's happening: /Powershell-LiveId?BasicAuthToOAuthConversion=true) and you can even confirm that the Credentials used do not contain any password, but use the token instead.

    If you have used AD FS with Exchange Online in the days before modern auth, something similar was done by Outlook and any other Exchange-releated client, with the Exchange Online server playing the role of a proxy.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful