Microsoft recently made some updates surrounding their plans to turn off basic auth in all tenants. The following article describes the recent updates:
Basic Authentication and Exchange Online – September 2021 Update – Microsoft Tech Community
Highlights
- Scope includes Exchange Web Services (EWS), Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, MAPI, RPC, SMTP AUTH and OAB.
- Effective October 1, 2022, Microsoft will begin to permanently disable Basic Auth in all tenants, regardless of usage (with the exception of SMTP Auth, which can still be re-enabled after that).
- **MOST CONCERNING** Beginning early 2022, Microsoft will selectively pick tenants and disable Basic Auth for all affected protocols except SMTP AUTH for a period of 12-48 hours.
- You can request that specific protocols not be turned off on a per-tenant basis (instructions in the article above).
Recommended Actions
- Identify basic auth within your customer tenants. Leverage the multitenant reporting scripts I provide below.
- SMTP Auth
  - While Microsoft is not turning this off at a tenant level until Oct 2022, I would still start making some changes to avoid disruption.
  - You can disable SMTP auth at the tenant level, and re-enable on a per-user/account level as described here.
  - For your copiers or printers look for options 2 or 3 outlined here: How to set up a multifunction device or application to send email using Microsoft 365 or Office 365 | Microsoft Docs
  - PowerShell can also be used to see if SMTP auth is enabled or disabled at a tenant level: Enable or disable SMTP AUTH | Microsoft Docs
- Make sure you compensate for any type of ticketing system that may be using IMAP as well.
Automated Reporting
I recently created a new repository on GitHub to help support MSPs in reporting basic authentication across customers under management.
Prerequisites
You will need to garner tokens and GUIDs from the Secure Application Model. The Secure Application Model allows for a headless connection into all of your customer environments. The script to run for that can be found from Kelvin over at CyberDrain. Click here to go to that page in GitHub.
Audit_Log_Activity.ps1
Ensure your app registration has the following permission: Microsoft Graph => AuditLog.Read.All (Delegated)
This script looks for basic auth sign-ins for each customer and presents them to you on the screen.
A CSV is generated which lists all basic auth sign-ins present across all customers.
Get_basicAuth_settings.ps1
This script grabs all authentication settings within a tenant. In the UI, many of these settings can be seen under Settings > Org Settings > Modern Authentication.
SMTP_auth_disabled.ps1
SMTP auth is usually more popular because of things like copiers and printers that a company may be using. SMTP auth can be enabled or disabled at both a tenant level and at a user level. It's possible to have SMTP auth turned off at a tenant level but have it enabled at a user level. This script only checks whether SMTP auth is enabled at a tenant level for each company and reports on that in a CSV.
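
Because a mailbox-level setting can override the tenant-level one, a tenant-only check can miss accounts that still accept SMTP auth. The following is an added example, not one of the scripts from the repository: it works out the effective SMTP auth state per mailbox in a single tenant. It assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline), and the output file name is an arbitrary choice.

```powershell
# Added example: assumes you are already connected with Connect-ExchangeOnline
# (ExchangeOnlineManagement module). The CSV path below is a placeholder.

# Tenant-wide setting: $true means SMTP AUTH is disabled for the organization.
$tenantDisabled = (Get-TransportConfig).SmtpClientAuthenticationDisabled

# Per-mailbox setting: $null inherits the tenant value, $false enables
# SMTP AUTH for that mailbox, $true disables it for that mailbox.
$report = Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_.SmtpClientAuthenticationDisabled

    if ($null -eq $mbx) {
        $source            = 'Inherited from tenant'
        $effectiveDisabled = $tenantDisabled
    }
    else {
        $source            = 'Mailbox override'
        $effectiveDisabled = $mbx
    }

    [pscustomobject]@{
        Mailbox         = $_.PrimarySmtpAddress
        TenantDisabled  = $tenantDisabled
        MailboxSetting  = if ($null -eq $mbx) { 'Not set' } else { $mbx }
        Source          = $source
        SmtpAuthEnabled = -not $effectiveDisabled
    }
}

# Keep only mailboxes that can still use SMTP AUTH, listing explicit
# per-mailbox overrides ahead of mailboxes that inherit the tenant value.
$report |
    Where-Object SmtpAuthEnabled |
    Sort-Object Source -Descending |
    Export-Csv -Path .\smtp_auth_effective.csv -NoTypeInformation
```

Rows with Source set to "Mailbox override" are the accounts, typically copier or application mailboxes, that keep SMTP auth working after it is disabled at the tenant level.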