As Microsoft implements modern authentication across Office 365, administrators need to understand how to use and control the authentication framework to avoid disruptions.
Modern authentication is an updated set of authentication protocols and policies for Office 365 and Azure that allow improved authentication scenarios. Modern authentication is the term Microsoft uses for its version of OAuth 2.0 to utilize multifactor authentication, smart card authentication and other advanced authentication flows that were not possible with basic, or legacy, authentication.
Using modern authentication on Exchange Online
Modern authentication isn't one protocol or one feature in Microsoft's cloud-based collaboration platform. Office 365 modern authentication can look and feel different in different Office 365 applications and in different scenarios. To keep it straightforward, this tutorial will focus on modern authentication for Exchange Online, the hosted email platform.
If your organization uses modern authentication, the authentication prompt you'll see in Outlook 2013 or later will look like notification in the screenshot when you have multifactor authentication turned on. You may also see an authentication prompt for PowerShell sessions or logging in to Outlook on the web.
Modern Authentication for Exchange Online only works with Outlook 2013 and later, supported web browsers, Outlook Mobile, Outlook for Mac 2016, and Exchange ActiveSync in iOS 11 or later. If you use Outlook 2010 or earlier, modern authentication will not work.
To verify Office 365 modern authentication is turned on, enter the following command into a PowerShell session connected to Exchange Online.
Get-OrganizationConfig | Format-Table -Auto Name,OAuth*
As you can see in the screenshot, I have Modern Authentication turned on for my tenant.
As of the publication of this article, most Office 365 tenants should have modern authentication turned on by default for Exchange Online. A few organizations that have it turned off have most likely taken steps to disable it. One reason for this could be that modern authentication caused problems with some of the Exchange protocols. This is where authentication policies can help.
Working with authentication policies
When Microsoft introduced modern authentication to Exchange Online, it was an all-or-nothing prospect. The recently introduced New-AuthenticationPolicy cmdlet gives administrators the flexibility to build policies to control which protocols in Exchange Online use modern authentication and which do not.
You are not restricted to a single authentication policy, so you can create a unique policy to use a different authentication method for different user groups.
Why would you want to create one or more authentication policies? You might have an application that needs Exchange Web Services access to mailboxes, but also only uses basic authentication. Maybe you have a group of users who have an Outlook plugin they need, but it only runs in Outlook 2010.
Authentication policies are not the only way to control how users access your organization's data in Office 365. Setting an authentication policy that forces some or all your users to use multifactor authentication is effective, but you can get the same result with conditional access policies. However, authentication policies do not require an additional license, while conditional access does.
How to set up an authentication policy
Using the New-AuthenticationPolicy cmdlet is simple. This cmdlet toggles basic authentication for the following Exchange protocols: ActiveSync, Autodiscover, IMAP and POP3, SMTP, MAPI HTTP, RPC over HTTP (Outlook Anywhere), Exchange Web Services, REST API access, offline address book, Reporting Services, Outlook Service and PowerShell.
Run the following PowerShell command to create a default policy:
New-AuthenticationPolicy -Name "Base Company Policy"
To disable basic authentication for each of the listed protocols, add a switch such as -AllowBasicAuthActiveSync $false for each protocol. Set-AuthenticationPolicy can be used to set the allowed protocols after a policy is created.
How to assign authentication policies
You'll find Get, Set, and New as the verbs for the AuthenticationPolicy cmdlets, but you won't find Assign. The assignment of authentication policies is handled via other PowerShell cmdlets.
After you create your authentication policies, you can assign them to a single user with the Set-User cmdlet as shown in the sample below:
Set-User -Identity Nathan@MCSMLab.com -AuthenicationPolicy "Base Company Policy"
As you can surmise, this is not an efficient way to assign a policy to 10,000 users. The PowerShell pipeline is one solution for this problem. Do a Get-User and filter it to the set of users you want, then pipe that to a Set-User to assign the authentication policy.
If you want to assign a default authentication policy to your entire tenant, use the Set-OrganizationConfig cmdlet as shown in the example below:
Set-OrganizationConfig -DefaultAuthenticationPolicy "Base Company Policy"
This is how you assign authentication policies. Remembering they are assigned with Set-User or Set-OrganizationConfig will save you a bit of frustration.
As of this article's publication, there is no reporting in Office 365 that tells you which or how many clients use basic authentication. If someone in your organization is using a client that requires basic authentication, the only way you will know it is after you disable basic authentication. Be careful when assigning policies and be ready to undo them if you find a number of users get locked out of their email.