Simple Microsoft 365 Exchange with MFA and no Azure??? Necessary or Not? Also how-to . . . ?

John Morris 96 Reputation points
2021-12-23T17:01:10.923+00:00

Hi, we have a very small LAN with four clients and five Microsoft 365 Exchange Online email subscriptions (with our own domain). This seems to be a sort-of-affordable, better synchronization than IMAP and VERY reliable email setup for our family. Also, multi-factor authentication is set up as much as possible.

QUESTION: Is there an easy recipe to set up MFA for desktop Outlook client authentication based on "Modern Authentication"?

SUB-QUESTIONS:

a) How can we tell if we are still using Exchange "Basic Authentication" for desktop Outlook clients?
b) Are our Desktop Outlook Exchange clients at risk of being disconnected if we don't move to "Modern Authentication"?
c) So -- do we even need to do anything, at least from Microsoft's perspective?
d) Should this question be reworded in a different way?

CONTEXT: The messaging around Exchange turning off support for "basic authentication" seems to suggest that we could be in danger of having our clients locked out.

CONCERN: The messaging always says "modern authentication" is based on Azure. Our system works well, but admin overhead is always a concern. It's probably a non-starter to add Azure to the mix.

CURRENT SITUATION: All our Exchange Online emails have MFA implemented, but not via Azure (e.g. SMS, backup email, authenticator app etc.). Not sure though about the automatic connection between Outlook desktop client and Exchange in the cloud. Is what is described here "Basic Authentication"?

RESEARCH: Reading quite a few "how tos" does not provide the answers we need -- because one is overwhelmed with great articles on more sophisticated environments.

GOAL: To continue to use -- and to validate that -- Exchange Online is a viable solution for very small and fairly simple group email and calendaring etc. deployments.

STRATEGY: The strategy here is (a) be safe and use good 2FA or MFA, (b) ensure that we are properly using Microsoft Exchange online services, but (c) don't take on more overhead than necessary.

SKILLS: We use the Exchange Admin Center UI, and have used PowerShell once (to set SendFromAliasEnabled $True) to enable sending from account email aliases. (This topic was successfully answered in this Forum -- see https://learn.microsoft.com/en-us/answers/questions/617421/detailed-script-for-newbies-exchange-online-sendfr.html if interested.)

AUDIENCE: A good answer to this post will be helpful for what we believe are a large population of Microsoft 365 Exchange Online customers that are also very small customers! This is a group of people that want more privacy than offered by "free emails", and also more reliability and features and professionalism. At the same time, they are not full-time systems administrators and never will be.

Thanks so much for any guidance! If this question needs to be improved to be a better question, please explain.

A good day.

John


2 answers

  1. Yuki Sun-MSFT 41,376 Reputation points Moderator
    2021-12-27T07:05:14.87+00:00

    Hi @John Morris ,

    According to the official documentation below, by default, all Microsoft 365 plans can at least use "Security Defaults" to enable MFA for Microsoft 365 and Office 365.
    Multifactor authentication for Microsoft 365
    Security defaults needs to be enabled from the Properties pane for Azure Active Directory (Azure AD) in the Azure portal, so this indeed involves Azure, but as long as you have a paid subscription to Microsoft 365, you also have a free Azure AD subscription which can use security defaults, thus this won't lead to additional purchase. More details about setting up multifactor authentication in an organization can be found in: Set up multifactor authentication.

    a) How can we tell if we are still using Exchange "Basic Authentication" for desktop Outlook clients?

    This can be told by checking the “Authn” column of the Outlook Connection Status:

    1. Hold down CTRL and right-click the Outlook icon in your system tray.
    2. Choose "Connection Status", check the “Authn” column.
    3. If it shows “Bearer*”, it means Modern Authentication is being used. (When using Basic Auth, the Outlook Connection Status “Authn” column shows “Clear*”)

    b) Are our Desktop Outlook Exchange clients at risk of being disconnected if we don't move to "Modern Authentication"?

    Yes. Effective October 1, 2022, Basic Auth will begin to be permanently disabled in all tenants, regardless of usage, and by that time all clients and apps that still use Basic Auth will be affected and will be unable to connect.

    c) So -- do we even need to do anything, at least from Microsoft's perspective?

    Modern authentication is enabled by default in Exchange Online for new Microsoft 365 tenants. To verify this, you can run the command below:
    160550-2.png

    When it comes to the Outlook desktop clients, if you are using Outlook 2016 or newer versions (Outlook 2016, 2019, 2021, 365), modern authentication is enabled by default so no additional configuration is needed. Outlook 2013 will need a registry key change to use Modern Auth.

    d) Should this question be reworded in a different way?

    Should I have misunderstood anything in my reply earlier or if you have further questions or concerns about this thread, feel free to post back.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
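
A tenant-side check to go with the Outlook “Authn” column described in the answer above, as an added example that is not part of the original thread and is not the command from the answer's screenshot. It assumes the ExchangeOnlineManagement PowerShell module is installed and that you sign in with an Exchange admin account; `admin@contoso.example` is a placeholder.

```powershell
# Added example: report whether modern authentication is on for the tenant
# and which protocols, if any, are still allowed to use Basic Auth.
# Assumption: 'admin@contoso.example' is a placeholder admin UPN.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # interactive sign-in, works with MFA

# 1. Tenant-wide switch for modern authentication (OAuth) in Exchange Online.
$org = Get-OrganizationConfig
[pscustomobject]@{
    ModernAuthEnabled = $org.OAuth2ClientProfileEnabled
    DefaultAuthPolicy = $org.DefaultAuthenticationPolicy
} | Format-List

if (-not $org.OAuth2ClientProfileEnabled) {
    Write-Warning 'Modern authentication is OFF for this tenant.'
    # Turning it on is a tenant-wide change, so it is left commented out:
    # Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}

# 2. Authentication policies: list the protocols each policy still lets use Basic Auth.
$policies = @(Get-AuthenticationPolicy)
if ($policies.Count -eq 0) {
    'No authentication policies are defined in this tenant.'
} else {
    $policies | ForEach-Object {
        $allowed = $_.PSObject.Properties |
            Where-Object { $_.Name -like 'AllowBasicAuth*' -and $_.Value -eq $true } |
            ForEach-Object { $_.Name -replace '^AllowBasicAuth', '' }
        [pscustomobject]@{
            Policy           = $_.Name
            BasicAuthAllowed = if ($allowed) { $allowed -join ', ' } else { '(none)' }
        }
    } | Format-Table -AutoSize
}

# 3. Per-mailbox view: which authentication policy (if any) is assigned to each user.
Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Sort-Object UserPrincipalName |
    Format-Table UserPrincipalName, AuthenticationPolicy -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

The script only reads configuration; the one setting that would change the tenant is commented out.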


  2. John Morris 96 Reputation points
    2021-12-27T07:17:00.84+00:00

    YukiSun -- super thanks for a deep and very relevant answer. I have work to do. Some comments:

    1. We have a "free sub" to Azure. I'm assuming this will remain in place. Exchange is now promoted for very small groups and even families! NO families are ever going to administer Azure. Let's assume the free sub for Azure will continue -- that's good news.
    2. I looked at our current Outlook client authentication status -- per your instructions -- and it is CLEAR. Which needs to be fixed. We understand why this is important. AND we have until about October 2022 to figure out PowerShell to fix this.
    3. This is all very much about product management and marketing support for a broader -- not IT-oriented -- market. We had to learn PowerShell in order to turn on outbound email alias support -- which is a nice feature. A check box in the Exchange Admin Center would have been a better idea.
    4. Similarly, a GUI management interface for managing authentication would be better.

    Anyway, I really appreciate the substantial info you shared, which points the way. I have the feeling that there will be a VERY large number of smaller Microsoft customers, on Exchange, who will need to do this. For me -- it was an "OMG-is-this-true?" moment. I came across it accidentally. Surprises are not a good idea.

    A great day, and a great 2022.

    Thanks again.

    John

    P.S. I will leave this question open for now so I can report our progress. Will take a little time.

