Turning off basic/legacy auth for O365


Kurt Buff

Jun 23, 2021, 1:57:25 PM
to ntsys...@googlegroups.com
All,

I'm on top of turning off basic auth for O365. Modern auth has been
turned on for a while.

I'm preparing to use the O365 Admin Center, under Services/Modern
Authentication and turn off all of the basic auth (with the possible
exception of Authenticated SMTP). I do know that the sysadmin who's
normally responsible for O365 (and is currently on vacation, which is
why I'm asking here) has whitelisted our IP addresses for things like
scan-to-mail, so I think that's taken care of.

I've identified and notified a handful of people who show BAV2ROPC as
their user agent, but I've also identified a sender from a 3rd party
(cloud) service using one of our email addresses as the sender. The
account shows login from AWS.

If you've dealt with this, how have you made it work?

I'm not much up on O365 administration, as that's not my main
functional area - any pointers on this would be appreciated.

Thanks,
Kurt

Josh Doty

Jun 23, 2021, 2:06:07 PM
to ntsys...@googlegroups.com
At our orgs that use O365, we first audit for basic auth services via the Azure AD sign-in logs. Then, once we're sure that devices/users aren't using basic auth, we add the O365 accounts to a conditional access policy blocking access to basic auth services.
We also then modify the default mailbox settings for the tenant to have IMAP/SMTP disabled by default. This blog talks about the process using PowerShell: https://gcits.com/knowledge-base/disable-pop-imap-mailboxes-office-365/

If there are any accounts that /need/ IMAP/POP, like scanners and such, we exclude them from the conditional access policy disabling basic auth, and ensure that IMAP/POP are enabled on their mailbox.

Bear in mind that to use Conditional Access you need Azure AD P1 or above for all users you wish to apply sign-in policies to; if you can't afford that, enforcing MFA and disabling IMAP/POP is a good start.
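The mailbox half of the procedure in the post above, as an added example in Exchange Online PowerShell that is not from the thread or from the linked blog post: POP/IMAP off by default for new mailboxes, off on every existing mailbox except an allow-list of scanner accounts, then a verification pass. It assumes the ExchangeOnlineManagement module, an account holding the Exchange Administrator role, and placeholder addresses; the conditional access half has to be done separately and needs the P1 licensing noted in the post.

```powershell
# Added example, not from the thread or the linked blog post. Assumes the
# ExchangeOnlineManagement module is installed and the signed-in account
# holds the Exchange Administrator role. All addresses are placeholders.
param(
    # Service accounts (scanners, copiers) that genuinely need POP/IMAP
    [string[]] $AllowList = @('scanner@example.com', 'copier@example.com'),
    # Without -Commit every change runs with -WhatIf, i.e. report only
    [switch]   $Commit
)

Connect-ExchangeOnline -UserPrincipalName 'admin@example.com'

# 1. Tenant default for NEW mailboxes: POP/IMAP off in every CAS mailbox plan
Get-CASMailboxPlan -ResultSize Unlimited |
    Set-CASMailboxPlan -PopEnabled $false -ImapEnabled $false -WhatIf:(-not $Commit)

# 2. Existing mailboxes that still have POP or IMAP enabled
$exposed = @(Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled })

# 3. Split into allow-listed service accounts and mailboxes to fix
$keep, $fix = $exposed.Where({ $AllowList -contains [string]$_.PrimarySmtpAddress }, 'Split')
"POP/IMAP enabled: {0} mailboxes ({1} allow-listed, {2} to disable)" -f `
    $exposed.Count, $keep.Count, $fix.Count

foreach ($mbx in $fix) {
    # Disable the legacy protocols on this mailbox (dry run unless -Commit)
    Set-CASMailbox -Identity $mbx.Identity -PopEnabled $false -ImapEnabled $false `
        -WhatIf:(-not $Commit)
}

# 4. Verify: anything still enabled that is not on the allow-list is a finding
#    (in a dry run this will still list the mailboxes step 3 would have fixed)
$stillOpen = @(Get-CASMailbox -ResultSize Unlimited |
    Where-Object { ($_.PopEnabled -or $_.ImapEnabled) -and
                   ($AllowList -notcontains [string]$_.PrimarySmtpAddress) })
if ($stillOpen.Count -gt 0) {
    Write-Warning ("Still exposed: " + ($stillOpen.PrimarySmtpAddress -join ', '))
} else {
    'Every mailbox outside the allow-list has POP and IMAP disabled.'
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once without -Commit and compare the reported count against the BAV2ROPC users found in the sign-in log before committing, so a scanner or third-party sender that was missed in the audit shows up here rather than as a broken mail flow.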

Mike

Jun 23, 2021, 2:42:53 PM
to ntsys...@googlegroups.com
FYI - the Azure AD sign-in log will only show you 7 days by default (I believe). You need at least one Azure AD P1 or P2 license to see more log data. If you don't plan to use Conditional Access Policies (or any of the other features in P1 or P2) at least get one license for yourself (and for other admins where you are) so you can see the expanded log.

Kurt Buff

Jun 23, 2021, 2:50:21 PM
to ntsys...@googlegroups.com
Right - I should have mentioned that we don't have premium licensing
(well, we have 10 P1 licenses, and 4 P2 licenses, but those won't
cover the 800+ employees).

I'm looking over the blog post now.

Kurt

Kurt Buff

Jun 23, 2021, 2:51:21 PM
to ntsys...@googlegroups.com
I have a P2 assigned to my admin account, so that's good to know.

Kurt