Block Legacy Authentication Exchange Online – Different Options and Order

 

Its been a week since I blogged, Today I am writing about various ways that Office 365 admin can block legacy authentication  and the order in which it is applied.

In the long past for one of our customers, we had implemented the script that disables POP/IMAP on exchange online at mailbox level.

Set-CASMailbox -Identity sukhija1 -ImapEnabled:$false

Set-CASMailbox -Identity sukhija1 –PopEnabled:$false

 

Customer contacted us and said why this success for IMAP is coming in Azure AD audit logs, if it is blocked.

 

 

At first, we also got confused but after some thought and verifying it with Microsoft it is expected, only authentication is passed but user is still blocked on accessing anything by using IMAP protocol.

 

So how to avoid this?

Answer lies in the order in which different legacy authentication blocks are applied.

  1. New-AuthenticationPolicy
  2. Conditional Access Policy
  3. CAS Mailbox

Both Conditional Access Policy and CAS mailbox are applied after the authentication layer, only New-AuthenticationPolicy is applied before the authentication. (refer for details :
Disable Basic authentication in Exchange Online)

 

With New-AuthenticationPolicy block will happen even before the authentication, see below picture depiction:

 

 

Create the authentication policy by using the below cmdlet:

New-AuthenticationPolicy -Name “Block Basic Auth”

 

To apply the authentication policy to the user use:

Set-User -Identity sukhija1@labtest.com -AuthenticationPolicy “Block Basic Auth”

If you need granularity and want to do it at specific protocol level (refer below link for details:)

New-AuthenticationPolicy

With this small post I want to touch base on this aspect of legacy authentication block as same query can be directed towards you and now you will be able to answer it with an explanation.

 

Thanks for reading…

Tech Wizard

https://techwizard.cloud

https://syscloudpro.com/

PowerShell Cheat Book

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s