
Basic to Modern Auth

Last Modified: 2020-07-20
Hi all,

My Office 365 tenant is on Basic Auth. I know that MS has extended the EOL date for Basic Auth, but we have internally entered the planning stage for the move to Modern Auth.

My question is whether there is a way we can convert only a few users for testing. I only saw an org-wide PowerShell cmdlet for the switch. We are currently using Outlook 2016 clients and native iOS mail apps using ActiveSync with MFA. We will need to test the experience and take numerous screenshots of the process to create instructions for our end users.

Thank you

REIT, Senior Cloud and Infrastructure Engineer
CERTIFIED EXPERT

Commented:
So by enabling Modern Authentication, you're not actually disabling Basic Auth. I would advise enabling Modern Auth for your O365 tenant and then setting up a few clients to use Modern Auth instead of Basic.
Jian An Lim, Solutions Architect
CERTIFIED EXPERT
Top Expert 2016

Commented:
End users won't notice the changes unless they have an older Outlook that relies on RPC over HTTPS only.

Just enabling it for the full tenant will be fine.

https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online 
Exchange User, Systems Administrator

Author

Commented:
Thank you for your replies. Sorry about the delays as I was away.

So if I enable Modern Auth from PowerShell, which will be an organizational configuration change, will it start asking users who are still connected using Basic Auth to reconnect to their respective mail clients using Modern Auth? I am just trying to understand what the impact will be at the end-user level if we enable this setting.
CERTIFIED EXPERT
Most Valuable Expert 2012
Top Expert 2014

Commented:
I'm interested in this too.  I have found this:
https://o365reports.com/2019/09/25/basic-authentication-exchange-online/#Basic_Authentication_Report 
However, with 13 legacy apps that are said to use Basic Authentication, such as Airwatch Boxer via ActiveSync, would this stop working once we enable Modern Authentication?

Rob.
REIT, Senior Cloud and Infrastructure Engineer
CERTIFIED EXPERT

Commented:
Those apps would only stop working once you have disabled Basic Auth; they wouldn't stop working just by enabling Modern Auth.
CERTIFIED EXPERT
Most Valuable Expert 2012
Top Expert 2014

Commented:
Thanks. Forgive me for hijacking this thread, but I think our concerns are the same.  The point of wanting to know more information about what is currently using basic auth is so that we can determine any impact when basic authentication is retired. I have found this article:

Disable Basic authentication in Exchange Online

https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online 

It says we can run PowerShell commands to confirm whether Basic Authentication is enabled in our authentication policies, under this section

How do you know that you've successfully disabled Basic authentication in Exchange Online?


There is also a section called 

Filter on-premises Active Directory user accounts that are synchronized to Exchange Online

that states "This method allows you to disable legacy protocols for specific groups without affecting the entire organization." so I think that would be worth looking at.

Ideally though, as a first step, we'd like to have an accurate report that shows which connections are currently using Basic Authentication, so we can spot test them.

@REIT, when you say "Those apps would only stop working once you have disabled Basic Auth", a report would help in understanding the environment and getting ahead of those pitfalls before the retirement date on October 13, 2020.  Do you know of a report that can assist?

Thanks,

Rob.
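One way to pilot the per-user approach discussed above, as an added example that is not part of the original thread: enable Modern Auth tenant-wide, then block Basic Auth only for a few test mailboxes with an Exchange Online authentication policy. The policy name and pilot addresses are placeholders.

```powershell
# Requires the ExchangeOnlineManagement module and an Exchange admin account.
Connect-ExchangeOnline

# 1. Turn on Modern Auth for the tenant. Basic Auth stays available.
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
Get-OrganizationConfig | Format-List Name, OAuth2ClientProfileEnabled

# 2. Create a policy that allows no Basic Auth protocols (the default when
#    no -AllowBasicAuth* switch is given). The policy name is a placeholder.
$policyName = 'Pilot - Block Basic Auth'
if (-not (Get-AuthenticationPolicy | Where-Object Name -eq $policyName)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}

# 3. Assign the policy to the pilot mailboxes only (placeholder addresses).
$pilotUsers = 'pilot1@example.com', 'pilot2@example.com'
foreach ($upn in $pilotUsers) {
    Set-User -Identity $upn -AuthenticationPolicy $policyName
    # Apply now instead of waiting for cached tokens to expire.
    Set-User -Identity $upn -STSRefreshTokensValidFrom ([DateTime]::UtcNow)
}

# 4. Confirm who has the policy; every other user is unchanged.
Get-User -ResultSize Unlimited |
    Where-Object AuthenticationPolicy |
    Format-Table UserPrincipalName, AuthenticationPolicy

# Roll back a pilot user:
# Set-User -Identity pilot1@example.com -AuthenticationPolicy $null
```

Pilot users are then forced onto Modern Auth in Outlook and ActiveSync clients, which is the experience to capture for end-user instructions.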
Exchange User, Systems Administrator

Author

Commented:
To add to Rob’s comment, the date has been postponed until early 2021 due to COVID-19
REIT, Senior Cloud and Infrastructure Engineer
CERTIFIED EXPERT

Commented:
OK, so there are two ways to find out if disabling Basic Auth will cause you any issues:

1. Create and configure a Conditional Access policy to block Basic Auth, but only set it to 'Report Only'. You can then generate a report of the authentications it would've blocked - https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication
2. Go to Azure AD > Workbooks and select 'Sign-ins using Legacy Authentication'.
CERTIFIED EXPERT
Most Valuable Expert 2012
Top Expert 2014

Commented:
Thanks REIT.  Along with the very helpful article you posted, I found this article to set up a policy to report on "Block Legacy Authentication":
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-block-legacy 
so I'll set that up and view the reports.
In terms of the Azure AD Workbook, we don't have an Azure subscription that entitles us to use Azure Monitor, so I won't worry about that one.

Rob.
CERTIFIED EXPERT
Most Valuable Expert 2012
Top Expert 2014

Commented:
Hi REIT, I've created the Report Only conditional access policy.  Now when I view a recent sign-in in Azure AD > Monitoring > Sign Ins, I see on the Report Only tab that for the following criteria:
Application type: Office365 Exchange Online
Client App: MAPI over HTTP
Browser: Microsoft Office 16.0

the result is Report only: Failure

Am I right in saying that Office 2016 is not using modern authentication then, but only because we haven't enabled it yet?

In seeing this, maybe it's better (as you already said at the beginning) to turn on Modern Authentication so that applications *can* make use of it, not turn off Basic Authentication, and then monitor these sign-in results in order to migrate leftover things to Modern Authentication.

I think we'll just go ahead and tick the box in the Modern Authentication service here:
https://admin.microsoft.com/Adminportal/Home#/Settings/ServicesAndAddIns

and monitor it from there.

Rob.
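To turn the sign-in monitoring described above into a migration list, the following added example (not part of the original thread) summarises legacy-auth sign-ins per user and client app from exported sign-in rows. The rows and column names are constructed for illustration; map them to the headers of your own export.

```powershell
# Constructed sample rows; column names are assumptions for this example.
$signIns = @'
User,Application,ClientApp,ReportOnlyResult
alice@example.com,Office 365 Exchange Online,MAPI Over HTTP,Failure
alice@example.com,Office 365 Exchange Online,MAPI Over HTTP,Failure
bob@example.com,Office 365 Exchange Online,Exchange ActiveSync,Failure
carol@example.com,Office 365 Exchange Online,Mobile Apps and Desktop clients,Not applied
dave@example.com,Office 365 Exchange Online,IMAP4,Failure
carol@example.com,Office 365 SharePoint Online,Browser,Not applied
'@ | ConvertFrom-Csv

# Client app values the Azure AD sign-in log groups under legacy authentication.
$legacyClientApps = @(
    'Authenticated SMTP', 'Autodiscover', 'Exchange ActiveSync',
    'Exchange Online PowerShell', 'Exchange Web Services', 'IMAP4',
    'MAPI Over HTTP', 'Offline Address Book',
    'Outlook Anywhere (RPC over HTTP)', 'POP3',
    'Reporting Web Services', 'Other clients'
)

function Get-LegacyAuthSummary {
    param([Parameter(Mandatory)] [object[]] $SignIn)

    $SignIn |
        Where-Object { $_.ClientApp -in $legacyClientApps } |   # case-insensitive match
        Group-Object -Property User, ClientApp |
        ForEach-Object {
            [pscustomobject]@{
                User       = $_.Group[0].User
                ClientApp  = $_.Group[0].ClientApp
                SignIns    = $_.Count
                # Sign-ins the report-only block policy would have stopped.
                WouldBlock = @($_.Group |
                    Where-Object ReportOnlyResult -eq 'Failure').Count
            }
        } |
        Sort-Object -Property SignIns -Descending
}

Get-LegacyAuthSummary -SignIn $signIns | Format-Table -AutoSize
```

Users that still appear after Modern Auth has been enabled and their clients restarted are the ones whose apps or devices need reconfiguring or replacing before Basic Auth is turned off.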
