Sign-in reports show everything still on Basic Auth but everything looks OK in config and in clients.

TRF-Azure 1 Reputation point

I had originally posted this to the Office 365 community but it was suggested I post it here.

Pretty lightweight environment here. Basically just use Office 365 Standard licenses for apps and exchange online. Not really using Azure services for anything and I don't have a lot of interconnected systems. So the basic auth shutdown wasn't really at the forefront of my mind. Everything fits the requirements: All clients are 2016 or newer, all mobile devices are new iPhones or new Pixel phones.

I ran sign in logs from the Azure portal and if I'm interpreting them correctly, everything is still using basic auth. Specifically exchange activesync (phones using native client I bet) and Exchange Web Services (Outlook clients? Useragent is showing up as web browsers for these, so perhaps OWA, but why would that still use basic auth?)

When I switch the sign in log to show only Modern authentications (mobile and desktop clients) there are no results.

Researched this some. iPhones should be able to switch to Modern Auth automatically. I don't have any Outlook clients older than 2016 which should all be using Modern Auth on by default. Checked some user machines' Outlook Connect Status windows. The Authn column reads "Bearer" which is the sign you're on Modern Auth... so why is everything in the sign in logs still showing legacy auth?

Last week I created a report-only conditional access rule in Azure for all users which should block any Basic Auth attempts and checked the results. So far everything comes back as "Not applied". I'm pretty confused.

I'm thinking about signing a few users out in the Office 365 admin portal for a couple people just to see if their fresh login appears in the modern auth log.

Microsoft Exchange Online Management
Microsoft Exchange Online Management
Microsoft Exchange Online: A Microsoft email and calendaring hosted service.Management: The act or process of organizing, handling, directing or controlling something.
4,173 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,459 questions
{count} votes

2 answers

Sort by: Most helpful
  1. KyleXu-MSFT 26,206 Reputation points


    Did yo try to delete profile and configure a new one? Deprecation of Basic authentication in Exchange Online

    Here are information about Block legacy authentication with Azure AD with Conditional Access.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

  2. TRF-Azure 1 Reputation point

    Hi Kyle,
    I did not find that article. Thank you for the information. I will try it.

    Do you have any thoughts on web browsers using basic auth? This comes from a log: I asked these users if they were connecting to OOTW or using and only the Mac user said yes: