erik_r

Office 365 tenant still set to basic auth - ramifications of enabling modern auth, but not yet disabling basic auth.

Hello.  Our O365 tenant still uses basic authentication.  In searching in Azure AD, all the clients are using basic authentication.  We are using Outlook 2016, so modern authentication is not an issue.

My question is whether enabling modern authentication, but not yet disabling basic authentication will cause users to have to sign in again using the modern authentication login screen or any kind of "re-login" to the default mail client on their iPhones?

Normally this would not be a concern, however, with the recent increase in phishing attempts via email, we have drilled it into our users' heads to never enter their password to read an email attachment, etc...  One could imagine how this could confuse them.

I would like to start creating some authentication policies in O365 blocking basic authentication for some test users.

We do not use any form of SSO.

Thank you.
Vasil Michev (MVP)

Enabling Modern auth does not automatically disable basic auth and older clients will not see any change in behavior. Clients that are coded with MA in mind will either auto-switch to using MA (so users will see a new login prompt) or will have to be reconfigured. While one of the promises of MA was consistent behavior across all clients, this only pertains to Microsoft's own products, and even there some oddities can be observed.

It should not be a big deal however, since MA prompts allow you to customize parts of the login screen, where you can put your logo, additional text, etc. And whatever inconveniences it causes, it outweighs the downsides of still using basic auth. Just make sure to inform your users accordingly.

Enabling modern authentication will not prompt for reauth, but disabling basic authentication will.
ActiveSync is basic authentication, so MFA will not protect it.
Strongly recommend moving forward to use Outlook apps instead of the native apps.
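
The staged rollout discussed in this thread (turn modern authentication on, leave basic authentication on tenant-wide, and block basic authentication only for a few test users), shown as an added Exchange Online PowerShell example that is not from any poster. It assumes the ExchangeOnlineManagement module is installed; the admin UPN, the policy name and the pilot mailbox addresses are placeholders.

```powershell
# Added example: UPNs and the policy name below are placeholders, not values from the thread.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# 1. Check whether modern authentication (OAuth) is already enabled for the tenant.
Get-OrganizationConfig | Format-List Name, OAuth2ClientProfileEnabled

# 2. Enable modern authentication. This setting alone does not disable basic authentication.
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

# 3. Create a policy for the pilot. A policy created without any -AllowBasicAuth*
#    switches blocks basic authentication for every protocol it covers.
$policyName = 'Block Basic Auth - Pilot'
if (-not (Get-AuthenticationPolicy | Where-Object Name -eq $policyName)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}
Get-AuthenticationPolicy | Where-Object Name -eq $policyName |
    Format-List Name, AllowBasicAuth*

# 4. Assign the policy to the test users only; everyone else keeps the tenant default.
$testUsers = 'pilot1@contoso.example', 'pilot2@contoso.example'
foreach ($upn in $testUsers) {
    Set-User -Identity $upn -AuthenticationPolicy $policyName
    # Reset the refresh-token validity so the policy applies sooner than the
    # default propagation delay for this user.
    Set-User -Identity $upn -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)
}

# 5. Confirm which policy each pilot user now carries.
$testUsers | ForEach-Object { Get-User -Identity $_ } |
    Format-Table UserPrincipalName, AuthenticationPolicy -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

To roll a pilot user back, clear the assignment with `Set-User -Identity <upn> -AuthenticationPolicy $null`.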


erik_r

ASKER

Good morning all,

We don't use Azure AD Premium I or II, so I believe I cannot customize the login screen for my users.

I've seen both scenarios described by other tenants and can't get a definitive answer.  Some say enabling modern authentication did not "force" the users to login again to Outlook/Skype until basic authentication was disabled.

Others state that as soon as modern authentication was enabled, all users were forced to re-authenticate using the modern authentication login window.

Thank you,

Login page customization is included for free for O365 subscribers. As for the login question, it will depend on the app, the way it caches credentials, the policies in place, etc.

erik_r

ASKER

For example, a typical Outlook 2016 client that currently uses basic authentication.  The credentials are cached on the user's computer and SSO is not used.

Modern authentication is then enabled and basic authentication stays on (settings untouched).

What happens to John Q. User's computer if this is done while Outlook is currently open?

What happens if Outlook is not open and then JQU opens Outlook?

ASKER CERTIFIED SOLUTION
erik_r