Identify Basic Authentication logins for Exchange Online in Azure AD

#Exchange #AzureAD #security

Microsoft has announced several times that they are deprecating Basic Authentication for Exchange Online soon, possibly this month (January 2023).

A recent post has information about the deprecation and how to prepare for it.

I wanted to write down how to identify any Basic Authentication usage in your environment from that post and simplify it to just a few clicks. This is a good way to identify any applications that are using Basic Authentication and need to be updated before they get blocked.

Navigate to the Azure AD portal and sign in with an account that has Global Administrator permissions.

Select Azure Active Directory > Sign-in logs:

Screenshot of Azure AD dashboard

Add some filters in the top bar, specifying the time range you want to search. For Client app select all options that are under the “Legacy Authentication Clients” section of the dropdown:

Screenshot of Azure AD Sign-in logs, dropdown for Legacy Authentication Clients

To filter out the brute force login attempts, change Result type to Success.

This list will give you all of the sign-in attempts that are using Basic Authentication. You can then use this list to identify the applications that are using Basic Authentication and update them before they get blocked:

Screenshot of Azure AD Sign-in logs for Basic Authentication
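To turn that filtered list into a remediation list, the following added example (not from the original post) applies the same two filters to exported sign-in records and groups them per user and client app. It assumes a JSON export whose records use the Microsoft Graph sign-in field names (`clientAppUsed`, `status.errorCode`, `userPrincipalName`, `appDisplayName`, `createdDateTime`); the legacy client names are likewise an assumption to check against your tenant's dropdown, and the sample records are constructed.

```python
import json
from collections import defaultdict

# Assumption: names shown under "Legacy Authentication Clients" in the
# Client app filter; adjust to match what your tenant's dropdown lists.
LEGACY_CLIENTS = {n.lower() for n in (
    "Authenticated SMTP", "Autodiscover", "Exchange ActiveSync",
    "Exchange Online PowerShell", "Exchange Web Services", "IMAP4",
    "MAPI Over HTTP", "Offline Address Book", "Other clients",
    "Outlook Anywhere (RPC over HTTP)", "POP3", "Reporting Web Services",
)}

def load_export(path):
    """Read a sign-in log JSON export (a list of sign-in records)."""
    with open(path, encoding="utf-8-sig") as fh:
        return json.load(fh)

def summarize_legacy_signins(records):
    """Rows of (user, client app, resource, count, last seen), busiest first."""
    seen = defaultdict(lambda: [0, ""])
    for rec in records:
        client = (rec.get("clientAppUsed") or "").strip()
        if client.lower() not in LEGACY_CLIENTS:
            continue  # modern authentication, not in scope
        if (rec.get("status") or {}).get("errorCode") != 0:
            continue  # failed attempt, same effect as Result type = Success
        key = ((rec.get("userPrincipalName") or "").lower(), client,
               rec.get("appDisplayName") or "")
        seen[key][0] += 1
        # ISO 8601 UTC timestamps compare correctly as strings
        seen[key][1] = max(seen[key][1], rec.get("createdDateTime") or "")
    rows = [key + tuple(val) for key, val in seen.items()]
    return sorted(rows, key=lambda r: (-r[3], r[0]))

def _rec(user, client, code, when):  # helper for constructed sample data
    return {"userPrincipalName": user, "clientAppUsed": client,
            "appDisplayName": "Office 365 Exchange Online",
            "status": {"errorCode": code}, "createdDateTime": when}

SAMPLE = [  # constructed records, not real tenant data
    _rec("scanner@contoso.example", "Authenticated SMTP", 0, "2023-01-03T08:00:00Z"),
    _rec("scanner@contoso.example", "Authenticated SMTP", 0, "2023-01-04T08:00:00Z"),
    _rec("Alice@contoso.example", "IMAP4", 0, "2023-01-02T10:15:00Z"),
    _rec("alice@contoso.example", "IMAP4", 50126, "2023-01-02T10:16:00Z"),
    _rec("bob@contoso.example", "Browser", 0, "2023-01-02T11:00:00Z"),
]

if __name__ == "__main__":
    for row in summarize_legacy_signins(SAMPLE):
        print(*row, sep="\t")
```

For a real export, pass the result of `load_export("<path to export>.json")` to `summarize_legacy_signins` instead of `SAMPLE`.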

The easiest way to get these logins remediated is to implement an Azure AD Conditional Access policy that blocks or audits Basic Authentication. You can then use this information and contact the application owners or users to get these methods updated.
