erik_r
asked on
Office 365 tenant still set to basic auth - ramifications of enabling modern auth, but not yet disabling basic auth.
Hello. Our O365 tenant still uses basic authentication. In searching in Azure AD, all the clients are using basic authentication. We are using Outlook 2016, so modern authentication is not an issue.
My question is whether enabling modern authentication, but not yet disabling basic authentication will cause users to have to sign in again using the modern authentication login screen or any kind of "re-login" to the default mail client on their iPhones?
Normally this would not be a concern, however, with the recent increase in phishing attempts via email, we have drilled it into our users' heads to never enter their password to read an email attachment, etc... One could imagine how this could confuse them.
It would like to start creating some authentication policies in O365 blocking basic authentication for some test users.
We do not use any form of SSO.
Thank you.
My question is whether enabling modern authentication, but not yet disabling basic authentication will cause users to have to sign in again using the modern authentication login screen or any kind of "re-login" to the default mail client on their iPhones?
Normally this would not be a concern, however, with the recent increase in phishing attempts via email, we have drilled it into our users' heads to never enter their password to read an email attachment, etc... One could imagine how this could confuse them.
It would like to start creating some authentication policies in O365 blocking basic authentication for some test users.
We do not use any form of SSO.
Thank you.
enabling modern authentication will not prompt for reauth but disable basic authentication will.
activesync is basic authentication so MFA will not protect it.
Strongly recommend moving forward to use Outlook apps instead the native apps
activesync is basic authentication so MFA will not protect it.
Strongly recommend moving forward to use Outlook apps instead the native apps
ASKER
Good morning all,
We don't use Azure AD Premium I or II, so I believe I cannot customize the login screen for my users.
I've seen both scenarios described by other tenants and can't get a definitive answer. Some say enabling modern authentication did not "force" the users to login again to Outlook/Skype until basic authentication was disabled.
Others state that as soon as modern authentication was enabled, all users were forced to re-authenticate using the modern authentication login window.
Thank you,
We don't use Azure AD Premium I or II, so I believe I cannot customize the login screen for my users.
I've seen both scenarios described by other tenants and can't get a definitive answer. Some say enabling modern authentication did not "force" the users to login again to Outlook/Skype until basic authentication was disabled.
Others state that as soon as modern authentication was enabled, all users were forced to re-authenticate using the modern authentication login window.
Thank you,
Login page customization is included for free for O365 subscribers. As for the login question, it will depend on the app, the way it caches credentials, the policies in place, etc.
ASKER
For example, a typical Outlook 2016 client that currently uses basic authentication. The credentials are cached on the user's computer and SSO is not used.
Modern authentication is then enabled and basic authentication stays on (settings untouched).
What happens to John Q. User's computer if this is done while Outlook is currently open?
What happens if Outlook is not open and then JQU opens Outlook?
Modern authentication is then enabled and basic authentication stays on (settings untouched).
What happens to John Q. User's computer if this is done while Outlook is currently open?
What happens if Outlook is not open and then JQU opens Outlook?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
It should not be a big deal however, since MA prompts allow you to customize parts of the login screen, where you can put your logo, additional text, etc. And whatever inconveniences it cases, it outweighs the downsides of still using basic auth. Just make sure to inform your users accordingly.