Microsoft claims it will shut down basic authentication for IMAP, POP, EWS, ActiveSync and PowerShell in Exchange Online on Oct 13th 2020. That means you'd have to use "modern authentication" to connect to these services in Office 365. This won't affect on-prem Exchange Servers; you'd "only" need to worry about apps connecting to cloud mailboxes.
Edit: Microsoft postponed the deprecation of Exchange Online basic authentication due to the COVID-19 situation. The new estimated deadline is around Q2/2021.
The impact is brutal. Clients using basic authentication after the deadline will fail to connect to Exchange Online. That includes all Android devices using native mail or calendar clients, iOS devices running an OS older than 12.1 with native mail or calendar apps, and backend systems connecting to mailboxes with Exchange Web Services, POP or IMAP. All dead. Död. Kaputt.
Remediation actions recommended by Microsoft: update backend systems to use OAuth and switch to the Graph API; instruct mobile users to use the Outlook app.
So, how can I know if my organization is using basic auth?
Short answer: investigate Azure AD sign-in logs.
Azure AD Sign-ins log
We can access AAD logs directly from Azure Active Directory - Monitoring - Sign-ins. You can try to guess which client apps to follow. I'd say that the basic "Sign-ins" log view is only usable when investigating the connectivity of a single account or a very narrow timeframe.

Azure Active Directory Workbooks
Relatively new AAD workbooks offer a good overview of tenant sign-ins. The first graph shows the total number of sign-ins, and by clicking the bars you get the individual sign-ins of the selected protocol. From the details you can click through to the Log Analytics Workspace query window. Using AAD Workbooks requires connecting AAD logs to a Log Analytics Workspace (or to Sentinel). If the connection has been established and LA Workspace access granted, you can take advantage of pre-built workbooks like "Sign-ins using Legacy Authentication".


Log Analytics or Sentinel
In Azure you can do whatever you want. With AAD logs, I mean. Build your own dashboards, hunting workbooks, analytics, alerts, playbooks... Here's a couple of simple queries to start with.
List of all unique accounts using legacy client connectivity:
SigninLogs
| where ClientAppUsed in (
    "Exchange ActiveSync",
    "Other clients",
    "IMAP4",
    "POP3")
    and ResultType == "0"                               // successful sign-ins only
    and AppDisplayName =~ "Office 365 Exchange Online"  // case-insensitive match
    and TimeGenerated > ago(30d)                        // last 30 days
| distinct UserPrincipalName, ClientAppUsed, Location, IPAddress
And an overview of the usage of the same set of selected client apps:
SigninLogs
| where ClientAppUsed in (
    "Exchange ActiveSync",
    "Other clients",
    "IMAP4",
    "POP3")
    and ResultType == "0"                               // successful sign-ins only
    and AppDisplayName =~ "Office 365 Exchange Online"  // case-insensitive match
    and TimeGenerated > ago(30d)                        // last 30 days
| summarize dcount(UserPrincipalName) by ClientAppUsed  // distinct users per client app
| sort by dcount_UserPrincipalName desc
| render columnchart
NOTE that Microsoft changed the ClientAppUsed app names for all legacy clients starting Jan 25th. If you have script or Log Analytics based monitoring, you should review the new app names and update your Kusto queries.
Old legacy auth ClientAppUsed values:
- Exchange ActiveSync (supported)
- Exchange ActiveSync (unsupported)
- Other clients
- Other clients; Older Office clients
- Other clients; IMAP
- Other clients; POP
- Other clients; SMTP
- Other clients; MAPI
New ones (visible in logs from Jan 25th until Feb 15th):
- Exchange ActiveSync
- Other clients
- IMAP4
- POP3
- Authenticated SMTP
There might be others in the future. At least EWS, AutoDiscover and PowerShell are still missing from the logs (they were already selectable in the AAD sign-ins filtering).
Custom scripting
There's a Graph API available for reading sign-in logs (https://graph.microsoft.com/beta/auditLogs/signIns). I will be posting a separate article on that one. See you soon!
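As an added example (not code from the post), here is a small Python script that applies the same two checks as the Kusto queries above to records shaped like the "value" array returned by the Graph beta signIns endpoint, treating both the old and the new ClientAppUsed names as legacy so a renamed client does not slip past the filter. The sign-in records are constructed sample data, not output from a real tenant.

```python
import json
# ClientAppUsed values the post lists as legacy: old names (before Jan 25th) and new ones.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync (supported)", "Exchange ActiveSync (unsupported)",
    "Other clients", "Other clients; Older Office clients", "Other clients; IMAP",
    "Other clients; POP", "Other clients; SMTP", "Other clients; MAPI",
    "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP",
}
EXCHANGE_APP = "Office 365 Exchange Online"

# Constructed sample shaped like the "value" array of /beta/auditLogs/signIns (not real data).
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName":"alice@contoso.example","appDisplayName":"Office 365 Exchange Online",
  "clientAppUsed":"IMAP4","ipAddress":"203.0.113.10","status":{"errorCode":0},"location":{"countryOrRegion":"FI"}},
 {"userPrincipalName":"alice@contoso.example","appDisplayName":"Office 365 Exchange Online",
  "clientAppUsed":"IMAP4","ipAddress":"203.0.113.10","status":{"errorCode":0},"location":{"countryOrRegion":"FI"}},
 {"userPrincipalName":"bob@contoso.example","appDisplayName":"Office 365 Exchange Online",
  "clientAppUsed":"IMAP4","ipAddress":"198.51.100.7","status":{"errorCode":0},"location":{"countryOrRegion":"SE"}},
 {"userPrincipalName":"carol@contoso.example","appDisplayName":"Office 365 Exchange Online",
  "clientAppUsed":"Exchange ActiveSync","ipAddress":"192.0.2.5","status":{"errorCode":50126},"location":{"countryOrRegion":"NO"}},
 {"userPrincipalName":"dave@contoso.example","appDisplayName":"Office 365 Exchange Online",
  "clientAppUsed":"Other clients; POP","ipAddress":"192.0.2.9","status":{"errorCode":0},"location":{"countryOrRegion":"NO"}},
 {"userPrincipalName":"erin@contoso.example","appDisplayName":"Office 365 Exchange Online",
  "clientAppUsed":"Mobile Apps and Desktop clients","ipAddress":"192.0.2.11","status":{"errorCode":0},"location":{"countryOrRegion":"NO"}}
]""")

def is_legacy_exchange_success(rec):
    """Successful (errorCode 0) sign-in to Exchange Online from a legacy client, old or new name."""
    return (rec.get("appDisplayName") == EXCHANGE_APP
            and rec.get("clientAppUsed") in LEGACY_CLIENT_APPS
            and (rec.get("status") or {}).get("errorCode") == 0)

def legacy_accounts(records):
    """Distinct (UPN, client app, country, IP) rows, the equivalent of the first Kusto query."""
    rows = {(r["userPrincipalName"], r["clientAppUsed"],
             (r.get("location") or {}).get("countryOrRegion"), r.get("ipAddress"))
            for r in records if is_legacy_exchange_success(r)}
    return sorted(rows)

def users_per_client(records):
    """Distinct users per legacy client app, descending, the equivalent of the second query."""
    users = {}
    for r in records:
        if is_legacy_exchange_success(r):
            users.setdefault(r["clientAppUsed"], set()).add(r["userPrincipalName"])
    return dict(sorted(((app, len(u)) for app, u in users.items()), key=lambda kv: -kv[1]))

if __name__ == "__main__":
    print(legacy_accounts(SAMPLE_SIGNINS), users_per_client(SAMPLE_SIGNINS))
```

The failed ActiveSync attempt and the modern-client sign-in in the sample are both dropped, matching the ResultType and ClientAppUsed filters of the queries.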