
How to set up Exchange Online modern authentication

Microsoft plans to tighten up security on its hosted email platform to prevent attackers from gaining access to user credentials. Is your organization ready?

The clock is ticking for administrators to prepare for a move to a more stringent method to access Exchange Online and other Microsoft cloud services.

With Microsoft's push to get its Microsoft 365 customers to switch and implement modern authentication for its online services by October, cloud administrators should plan for the changes that will affect their users and environment to avoid any potential disruptions to email and other key services.

Modern authentication is the set of protocols and security capabilities, built on OAuth 2.0, used to authenticate to Microsoft Azure and Microsoft 365 services. A key enhancement, and a main motivation for moving to it, is that customers can use Microsoft's multifactor authentication (MFA) together with the stronger protections OAuth 2.0 provides. These updates add a layer of defense against credential attacks, which have historically posed a significant risk with traditional (basic) authentication methods.

The change with authentication in the Office 365 services will affect Exchange Online more than any other service as it requires some email client upgrades for many organizations that still run older versions of Outlook. When using modern authentication with a newer version of Outlook, users will get a new authentication pop-up that offers the support for MFA. On the Windows client side, Exchange Online modern authentication only works with Outlook 2013 and later. While Outlook 2016 uses modern authentication by default, Outlook 2013 does not and requires several registry key changes to switch to modern authentication.
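The registry changes the paragraph above refers to, shown as an added example rather than as code from the article: Microsoft's documented values for enabling modern authentication in Office 2013 (the 15.0 hive) are EnableADAL and Version, both DWORD values of 1, under the current user's Common\Identity key. The script below, run in PowerShell on the Windows client, creates the key if needed, writes both values and reads them back; Outlook has to be restarted afterwards for the new sign-in prompt to appear.

```powershell
# Added example (not from the article): enable modern authentication (ADAL)
# for Outlook 2013 on a Windows client. These are Microsoft's documented
# registry values for Office 2013 (version 15.0), written for the current user.
$identityKey = "HKCU:\Software\Microsoft\Office\15.0\Common\Identity"

# Create the key if this machine has never had the values set.
if (-not (Test-Path $identityKey)) {
    New-Item -Path $identityKey -Force | Out-Null
}

# EnableADAL = 1 turns on modern authentication; Version = 1 is required with it.
New-ItemProperty -Path $identityKey -Name "EnableADAL" -PropertyType DWORD -Value 1 -Force | Out-Null
New-ItemProperty -Path $identityKey -Name "Version"    -PropertyType DWORD -Value 1 -Force | Out-Null

# Read the values back so the result can be checked before Outlook is restarted.
Get-ItemProperty -Path $identityKey | Select-Object EnableADAL, Version
```

Outlook 2016 and later ignore these values because they use modern authentication by default, so the script is only worth deploying to machines that still run Outlook 2013.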

Editor's note:
On Sept. 1, Microsoft announced it will let customers re-enable basic authentication for selected protocols one time after the Oct. 1 deadline until the end of 2022. Microsoft said it will permanently disable basic authentication for these protocols in the first week of January 2023.

Clients outside of Windows systems that support Exchange Online modern authentication include the following: Outlook 2016 for Mac or later, Outlook for iOS and Android, and Mail for iOS 11.3.1 or later.

How to change the modern authentication settings

To check if the Microsoft 365 tenant is configured for modern authentication, run the following PowerShell command:

Get-OrganizationConfig | Format-Table Name,OAuth* -Auto

If OAuth2ClientProfileEnabled in the output is True, modern authentication is on. Otherwise, it is not enabled.

The following PowerShell command turns on modern authentication for the Office 365 tenant:

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

Administrators make and assign authentication policies to users to block basic authentication to Exchange Online, which prevents the request from going to Azure Active Directory or Active Directory Federation Services, depending on how the organization handles authentication.

Some organizations may have to set up specific user authentication policies to support specific business needs. For example, the business might use an application that relies on Exchange Web Services (EWS) to access mailboxes but only uses basic authentication. PowerShell is one tool that can define these specific policies to match the business requirements.

How to set up a new authentication policy with PowerShell

It is highly recommended to use the Exchange Online PowerShell V2 module to connect to Exchange Online PowerShell to perform these types of modifications.

The following example creates an authentication policy named "Test Group" that blocks legacy authentication for multiple protocols; any user assigned this policy must sign in with modern authentication across those Microsoft 365 services:

New-AuthenticationPolicy -Name "Test Group" -BlockLegacyAuthActiveSync -BlockLegacyAuthAutodiscover -BlockLegacyAuthImap -BlockLegacyAuthMapi -BlockLegacyAuthOfflineAddressBook -BlockLegacyAuthPop -BlockLegacyAuthRpc -BlockLegacyAuthWebServices

To assign the authentication policy to a specific user, run the following command:

Set-User -Identity [email protected] -AuthenticationPolicy "Test Group"

If tenant administrators decide to make a specific policy the default for the entire organization, then they can execute the following command:

Set-OrganizationConfig -DefaultAuthenticationPolicy "Test Group"

There is a delay of 24 hours when the administrator applies a new or updated policy on users. This is a default setting in Exchange Online. To make the policy apply immediately, run the following command:

Set-User -Identity [email protected] -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)

To keep track of the authentication policies in the tenant, run the following command:

Get-AuthenticationPolicy | Format-Table Name -Auto

For in-depth information on a single policy, pass its name to Get-AuthenticationPolicy, as in the following PowerShell command:

Get-AuthenticationPolicy -Identity "Test Group"
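The steps above, together with the tenant check and the EWS exception described earlier, as one end-to-end script. This is an added example and not code from the article; it assumes the Exchange Online PowerShell V2 module (ExchangeOnlineManagement) is installed and the signed-in account is an Exchange administrator. The policy names "Block Legacy Auth" and "Legacy EWS App" and the service-account address are constructed placeholders. It also goes one step beyond the article by building the exception policy with the AllowBasicAuthWebServices switch, which is the documented way to leave a single protocol open while a policy blocks basic authentication everywhere else.

```powershell
# Added example, not code from the article: end-to-end authentication policy
# rollout in Exchange Online PowerShell. Assumes the ExchangeOnlineManagement
# (V2) module and an Exchange administrator account. Policy names and the
# mailbox address are constructed placeholders.
Connect-ExchangeOnline

# 1. Make sure modern authentication (OAuth 2.0) is on for the tenant; blocking
#    basic auth without it would leave clients with no way to sign in.
$org = Get-OrganizationConfig
if (-not $org.OAuth2ClientProfileEnabled) {
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}

# 2. Default policy: block basic (legacy) authentication on every protocol.
$strictName = "Block Legacy Auth"
if (-not (Get-AuthenticationPolicy -Identity $strictName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $strictName `
        -BlockLegacyAuthActiveSync -BlockLegacyAuthAutodiscover `
        -BlockLegacyAuthImap -BlockLegacyAuthMapi `
        -BlockLegacyAuthOfflineAddressBook -BlockLegacyAuthPop `
        -BlockLegacyAuthRpc -BlockLegacyAuthWebServices
}

# 3. Exception policy for the one application that still needs basic auth over
#    EWS. A new policy blocks basic auth on every protocol unless a protocol is
#    explicitly allowed, so only Exchange Web Services is opened here.
$ewsName = "Legacy EWS App"
if (-not (Get-AuthenticationPolicy -Identity $ewsName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $ewsName -AllowBasicAuthWebServices
}

# 4. Assign: the strict policy becomes the tenant default; the exception policy
#    goes only to the service account the EWS application signs in with.
Set-OrganizationConfig -DefaultAuthenticationPolicy $strictName
$serviceAccount = "ews-service@contoso.example"   # constructed placeholder
Set-User -Identity $serviceAccount -AuthenticationPolicy $ewsName

# 5. Apply the service account's policy now instead of waiting the default
#    24 hours, by invalidating its existing refresh tokens.
Set-User -Identity $serviceAccount -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)

# 6. Verify: which protocols each policy still allows basic auth on, and which
#    users hold an explicit (non-default) policy assignment.
Get-AuthenticationPolicy | Format-Table Name, AllowBasicAuth* -AutoSize
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy } |
    Select-Object UserPrincipalName, AuthenticationPolicy

Disconnect-ExchangeOnline -Confirm:$false
```

The verification step in part 6 is the piece worth keeping as a recurring check: every account that appears in that list is an exception to the tenant default, so the list should stay short and each entry should map to a known business reason such as the EWS application above.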

[Figure: modern authentication tenant settings] Administrators can use the admin portal in Office 365 to adjust the modern authentication settings on the tenant.

How to use the admin portal to change modern authentication settings

Administrators can also configure the authentication options in the Office 365 admin portal from the admin.microsoft.com URL.

Once in the portal, go to Settings > Org settings > Modern authentication to start the adjustments.

What modern authentication brings to the enterprise

Turning on modern authentication lets customers deploy new security features and stronger protections for the services and data hosted in Microsoft 365. However, the change means customers must meet the minimum client requirements in the Office suite, and any third-party components that still rely on EWS may need to be validated for compatibility with modern authentication.
