Last October, Microsoft introduced the ability for Office 365 tenants to disable basic authentication for Exchange Online using protocol authentication policies. A recent tweet from Alex Weinart, a Group program manager on the Azure Active Directory team said that disabling basic auth reduces the account compromise rate by 67%. This is more than enough evidence for anyone running an Office 365 tenant to disable basic auth now.
Microsoft says that disabling basic auth reduces account compromise
Alex’s tweet also pointed to an interesting post called Discovering and Blocking Basic Auth that gave further evidence for the case against basic auth, especially for tenants who still support really old protocols like IMAP4 and POP3.
Why Do People Still Use Old Email Clients?
I don’t quite know why people still use IMAP4 and POP3 clients. Both protocols originate in the early days of email when the world and the internet were safer places and attackers didn’t seek to piggyback on top of protocols with brute-force and password spray attacks.
The simple fact is that more modern and safer email clients are available. Clients that support modern authentication include OWA for browsers and Outlook mobile for Android and iOS. People using Outlook for Windows should be forced to use modern authentication. Apart from personal choice (“I really like using the old Thunderbird client”), no good reason exists to support the use of old and insecure clients. The bottom line is that if you move people to safer clients, you can disable the IMAP4 and POP3 protocols completely to close a big fat hole in your tenant’s defenses.
Exchange Web Services
Although it can also use basic auth, Exchange Web Services (EWS) is in a different category to IMAP4 and POP3. EWS is used by the Outlook for Mac client and it’s also used by backup and migration products to stream Exchange Online data from mailboxes (backup) or import information into mailboxes (migration). It’s also possible that EWS is used by other third-party products. Overall, it’s unlikely that you can block EWS any time soon.
Understand and Manage Connection Protocols
The post about discovering and blocking basic auth makes two excellent points. First, you should understand what protocols are being used to connect to Exchange Online mailboxes in your tenant. If you don’t know who uses what protocols, you won’t be able to plan to manage the phase-out or control of protocols using basic auth.
Second, although all important user accounts should be protected by MFA, Azure Active Directory conditional access policies are a very flexible and convenient way to restrict basic auth connections to the lowest possible set, providing that is, if you’re willing to pay for Azure AD Premium licenses (which also enable other useful features such as Office 365 group expiry and naming policies). As the post reminds us, “Last year, we added the ability to block legacy authentication in conditional access” and goes on to explain a scenario where IMAP4 connections are restricted to specific IP addresses.
Creating a conditional access policy to block legacy email protocols
The post also points to another article describing how to use conditional access policies to block basic authentication. Given the world of threat that we live in and the number of attacks that flow in a continuous stream against Office 365 tenants, you should at least ask the question if you should deploy such a policy (perhaps even to a select group of users or client platforms) to eliminate or reduce the risk posed by basic authentication in your tenant. It’s the right thing to do.
For more information about identities and authentication in Office 365, read Chapter 3 of the Office 365 for IT Pros eBook.
Interesting note below by Microsoft. So… as the CA polices are applied after the first factor you can have lockout issues with federateded users. Here I was thinking we no longer need to the Auth polices anymore? Thoughts are both still needed?
Yep. CA policies are applied after successful authentication. That’s why blocking basic authentication is so important. If an attacker gets past the authentication hurdle they know their credentials are good – they might be blocked by a CA policy afterwards, but they can work on figuring out how to get around that.
{"id":null,"mode":"button","open_style":"in_modal","currency_code":"EUR","currency_symbol":"\u20ac","currency_type":"decimal","blank_flag_url":"https:\/\/office365itpros.com\/wp-content\/plugins\/tip-jar-wp\/\/assets\/images\/flags\/blank.gif","flag_sprite_url":"https:\/\/office365itpros.com\/wp-content\/plugins\/tip-jar-wp\/\/assets\/images\/flags\/flags.png","default_amount":100,"top_media_type":"featured_image","featured_image_url":"https:\/\/office365itpros.com\/wp-content\/uploads\/2022\/11\/cover-141x200.jpg","featured_embed":"","header_media":null,"file_download_attachment_data":null,"recurring_options_enabled":true,"recurring_options":{"never":{"selected":true,"after_output":"One time only"},"weekly":{"selected":false,"after_output":"Every week"},"monthly":{"selected":false,"after_output":"Every month"},"yearly":{"selected":false,"after_output":"Every year"}},"strings":{"current_user_email":"","current_user_name":"","link_text":"Virtual Tip Jar","complete_payment_button_error_text":"Check info and try again","payment_verb":"Pay","payment_request_label":"Office 365 for IT Pros","form_has_an_error":"Please check and fix the errors above","general_server_error":"Something isn't working right at the moment. Please try again.","form_title":"Office 365 for IT Pros","form_subtitle":null,"currency_search_text":"Country or Currency here","other_payment_option":"Other payment option","manage_payments_button_text":"Manage your payments","thank_you_message":"Thank you for supporting the work of Office 365 for IT Pros!","payment_confirmation_title":"Office 365 for IT Pros","receipt_title":"Your Receipt","print_receipt":"Print Receipt","email_receipt":"Email Receipt","email_receipt_sending":"Sending receipt...","email_receipt_success":"Email receipt successfully sent","email_receipt_failed":"Email receipt failed to send. Please try again.","receipt_payee":"Paid to","receipt_statement_descriptor":"This will show up on your statement as","receipt_date":"Date","receipt_transaction_id":"Transaction ID","receipt_transaction_amount":"Amount","refund_payer":"Refund from","login":"Log in to manage your payments","manage_payments":"Manage Payments","transactions_title":"Your Transactions","transaction_title":"Transaction Receipt","transaction_period":"Plan Period","arrangements_title":"Your Plans","arrangement_title":"Manage Plan","arrangement_details":"Plan Details","arrangement_id_title":"Plan ID","arrangement_payment_method_title":"Payment Method","arrangement_amount_title":"Plan Amount","arrangement_renewal_title":"Next renewal date","arrangement_action_cancel":"Cancel Plan","arrangement_action_cant_cancel":"Cancelling is currently not available.","arrangement_action_cancel_double":"Are you sure you'd like to cancel?","arrangement_cancelling":"Cancelling Plan...","arrangement_cancelled":"Plan Cancelled","arrangement_failed_to_cancel":"Failed to cancel plan","back_to_plans":"\u2190 Back to Plans","update_payment_method_verb":"Update","sca_auth_description":"Your have a pending renewal payment which requires authorization.","sca_auth_verb":"Authorize renewal payment","sca_authing_verb":"Authorizing payment","sca_authed_verb":"Payment successfully authorized!","sca_auth_failed":"Unable to authorize! Please try again.","login_button_text":"Log in","login_form_has_an_error":"Please check and fix the errors above","uppercase_search":"Search","lowercase_search":"search","uppercase_page":"Page","lowercase_page":"page","uppercase_items":"Items","lowercase_items":"items","uppercase_per":"Per","lowercase_per":"per","uppercase_of":"Of","lowercase_of":"of","back":"Back to plans","zip_code_placeholder":"Zip\/Postal Code","download_file_button_text":"Download File","input_field_instructions":{"tip_amount":{"placeholder_text":"How much would you like to tip?","initial":{"instruction_type":"normal","instruction_message":"How much would you like to tip? Choose any currency."},"empty":{"instruction_type":"error","instruction_message":"How much would you like to tip? Choose any currency."},"invalid_curency":{"instruction_type":"error","instruction_message":"Please choose a valid currency."}},"recurring":{"placeholder_text":"Recurring","initial":{"instruction_type":"normal","instruction_message":"How often would you like to give this?"},"success":{"instruction_type":"success","instruction_message":"How often would you like to give this?"},"empty":{"instruction_type":"error","instruction_message":"How often would you like to give this?"}},"name":{"placeholder_text":"Name on Credit Card","initial":{"instruction_type":"normal","instruction_message":"Enter the name on your card."},"success":{"instruction_type":"success","instruction_message":"Enter the name on your card."},"empty":{"instruction_type":"error","instruction_message":"Please enter the name on your card."}},"privacy_policy":{"terms_title":"Terms and conditions","terms_body":null,"terms_show_text":"View Terms","terms_hide_text":"Hide Terms","initial":{"instruction_type":"normal","instruction_message":"I agree to the terms."},"unchecked":{"instruction_type":"error","instruction_message":"Please agree to the terms."},"checked":{"instruction_type":"success","instruction_message":"I agree to the terms."}},"email":{"placeholder_text":"Your email address","initial":{"instruction_type":"normal","instruction_message":"Enter your email address"},"success":{"instruction_type":"success","instruction_message":"Enter your email address"},"blank":{"instruction_type":"error","instruction_message":"Enter your email address"},"not_an_email_address":{"instruction_type":"error","instruction_message":"Make sure you have entered a valid email address"}},"note_with_tip":{"placeholder_text":"Your note here...","initial":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"empty":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"not_empty_initial":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"saving":{"instruction_type":"normal","instruction_message":"Saving note..."},"success":{"instruction_type":"success","instruction_message":"Note successfully saved!"},"error":{"instruction_type":"error","instruction_message":"Unable to save note note at this time. Please try again."}},"email_for_login_code":{"placeholder_text":"Your email address","initial":{"instruction_type":"normal","instruction_message":"Enter your email to log in."},"success":{"instruction_type":"success","instruction_message":"Enter your email to log in."},"blank":{"instruction_type":"error","instruction_message":"Enter your email to log in."},"empty":{"instruction_type":"error","instruction_message":"Enter your email to log in."}},"login_code":{"initial":{"instruction_type":"normal","instruction_message":"Check your email and enter the login code."},"success":{"instruction_type":"success","instruction_message":"Check your email and enter the login code."},"blank":{"instruction_type":"error","instruction_message":"Check your email and enter the login code."},"empty":{"instruction_type":"error","instruction_message":"Check your email and enter the login code."}},"stripe_all_in_one":{"initial":{"instruction_type":"normal","instruction_message":"Enter your credit card details here."},"empty":{"instruction_type":"error","instruction_message":"Enter your credit card details here."},"success":{"instruction_type":"normal","instruction_message":"Enter your credit card details here."},"invalid_number":{"instruction_type":"error","instruction_message":"The card number is not a valid credit card number."},"invalid_expiry_month":{"instruction_type":"error","instruction_message":"The card's expiration month is invalid."},"invalid_expiry_year":{"instruction_type":"error","instruction_message":"The card's expiration year is invalid."},"invalid_cvc":{"instruction_type":"error","instruction_message":"The card's security code is invalid."},"incorrect_number":{"instruction_type":"error","instruction_message":"The card number is incorrect."},"incomplete_number":{"instruction_type":"error","instruction_message":"The card number is incomplete."},"incomplete_cvc":{"instruction_type":"error","instruction_message":"The card's security code is incomplete."},"incomplete_expiry":{"instruction_type":"error","instruction_message":"The card's expiration date is incomplete."},"incomplete_zip":{"instruction_type":"error","instruction_message":"The card's zip code is incomplete."},"expired_card":{"instruction_type":"error","instruction_message":"The card has expired."},"incorrect_cvc":{"instruction_type":"error","instruction_message":"The card's security code is incorrect."},"incorrect_zip":{"instruction_type":"error","instruction_message":"The card's zip code failed validation."},"invalid_expiry_year_past":{"instruction_type":"error","instruction_message":"The card's expiration year is in the past"},"card_declined":{"instruction_type":"error","instruction_message":"The card was declined."},"missing":{"instruction_type":"error","instruction_message":"There is no card on a customer that is being charged."},"processing_error":{"instruction_type":"error","instruction_message":"An error occurred while processing the card."},"invalid_request_error":{"instruction_type":"error","instruction_message":"Unable to process this payment, please try again or use alternative method."},"invalid_sofort_country":{"instruction_type":"error","instruction_message":"The billing country is not accepted by SOFORT. Please try another country."}}}},"fetched_oembed_html":false}
Interesting note below by Microsoft. So… as the CA polices are applied after the first factor you can have lockout issues with federateded users. Here I was thinking we no longer need to the Auth polices anymore? Thoughts are both still needed?
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-block-legacy
‘Conditional Access isn’t intended to be an organization’s first line of defense for scenarios like denial-of-service (DoS) attacks, but it can use signals from these events to determine access.’
Yep. CA policies are applied after successful authentication. That’s why blocking basic authentication is so important. If an attacker gets past the authentication hurdle they know their credentials are good – they might be blocked by a CA policy afterwards, but they can work on figuring out how to get around that.