How our Web App for finding Basic Authentication clients works
Details on the tool that helps you find and fix legacy clients
Microsoft disabling Basic Authentication on Exchange Online is a big deal because it impacts one of the most basic services users are accustomed to having: email. We already explained why Microsoft is doing this; now we would like to share a few details on the Web App we implemented, which scans for all devices using basic authentication and provides suggestions on how to fix them.
Sys/tenant admins managing this task have three big questions: how can I easily find all the devices still on basic auth, how can I move them to Modern Authentication, and how do I know if new legacy clients have connected to my tenant?
In this article we will answer these questions and provide some helpful tips on how to handle this migration as easily as possible.
- I can find users/devices on basic auth using Azure AD sign-in logs, but how do I know the device types?
- How can I keep track of unique legacy clients still connecting to the tenant?
- I have several iPads/iPhones using the native Mail app, how should I handle them?
How does our Web App find all devices/users using legacy clients and show the device types?
Our Web App requests from your tenant all the successful sign-in log entries that were made through Basic Authentication protocols. That's it, nothing more; we don't look at any other type of entry. We only look at the successful connections because 99% of the time the unsuccessful ones are brute-force attacks on your user credentials (one of the reasons Microsoft wants to disable these protocols), so you don't need to see them.
After receiving the entries, the Web App adds only the unique ones to the Excel report, based on the user and device (e.g., a user can have one iPad and one iPhone using Exchange Web Services through basic auth). Then we show a few tips on how to upgrade them. For instance, if the user is running Outlook 2013, it doesn't support Modern Authentication by default; a Windows registry key needs to be added to upgrade from Basic Auth, and we say so in the report.
How do I know when a new device connects using basic authentication?
Our Web App sends a daily report which lists the legacy clients that connected during the last 24h and which of those were new devices. This allows tenant admins to give priority to the new ones and send a reminder to the users of the old ones informing them that they need to update their devices.
This gives a very quick insight at the beginning of your day into which devices need your attention. For instance, you can start by adding the iPhones running iOS 15.6 or higher to the conditional access basic authentication blocking list to force them to migrate to Modern Auth.
How do I specifically handle iPhones/iPads on basic auth using the native mail client app?
iPhones and iPads connecting to Exchange Online using the iOS native email app are among the most common devices using basic authentication. To fix this, Apple and Microsoft kinda joined forces and launched a feature in iOS 15.6 which automatically migrates them to Modern Auth, provided a few steps are followed.
Nevertheless, tenant admins still have an issue with this: how do I know which iOS version my tenant devices are running? That's where one of the nicest features of our Web App comes in: by analyzing several attributes of the sign-in entry, we are able to show our customers whether an iPhone/iPad needs to be updated to iOS 15.6 or whether it is ready to be blocked through a basic authentication conditional access policy (which will force the device to migrate to modern auth).
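As an added illustration (not the Web App's own code), the filtering, de-duplication, new-device flagging and iOS 15.6 check described above could look like this in Python. The field names follow Azure AD sign-in log entries; the sample records, the (user, client app, OS) device key and the assumption that the OS string carries the iOS version are constructed for this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Subset of legacy "client app" values seen in Azure AD sign-in logs.
LEGACY_APPS = {"Exchange ActiveSync", "Exchange Web Services", "IMAP4", "POP3",
               "Authenticated SMTP", "MAPI Over HTTP", "Other clients"}

def parse_ios(os_name):
    """Return (major, minor) for a string like 'iOS 15.6.1', else None."""
    m = re.fullmatch(r"(?i)ios (\d+)(?:\.(\d+))?(?:\.\d+)*", os_name.strip())
    return (int(m.group(1)), int(m.group(2) or 0)) if m else None

def daily_report(signins, known, now):
    """Unique legacy clients from the last 24h, flagged as new and iOS-ready."""
    since = now - timedelta(hours=24)
    rows = {}
    for s in signins:
        if s["status"]["errorCode"] != 0:  # only successful sign-ins count
            continue
        when = datetime.fromisoformat(s["createdDateTime"])
        if s["clientAppUsed"] not in LEGACY_APPS or when < since:
            continue
        os_name = s["deviceDetail"]["operatingSystem"]
        # Hypothetical device key: user + protocol + reported OS string.
        key = (s["userPrincipalName"].lower(), s["clientAppUsed"], os_name)
        ios = parse_ios(os_name)
        rows[key] = {"new": key not in known,
                     "ios_ready": None if ios is None else ios >= (15, 6)}
    return rows

def rec(upn, app, os_name, ts, err=0):
    """Build one constructed sign-in record (not real tenant data)."""
    return {"userPrincipalName": upn, "clientAppUsed": app, "createdDateTime": ts,
            "status": {"errorCode": err}, "deviceDetail": {"operatingSystem": os_name}}

NOW = datetime(2022, 9, 21, 9, 0, tzinfo=timezone.utc)
KNOWN = {("bob@contoso.example", "IMAP4", "Windows 10")}  # reported on earlier days
SAMPLE = [
    rec("ana@contoso.example", "Exchange ActiveSync", "iOS 15.5", "2022-09-21T07:10:00+00:00"),
    rec("ana@contoso.example", "Exchange ActiveSync", "iOS 15.5", "2022-09-21T08:00:00+00:00"),
    rec("ana@contoso.example", "Exchange ActiveSync", "iOS 15.6.1", "2022-09-21T08:30:00+00:00"),
    rec("bob@contoso.example", "IMAP4", "Windows 10", "2022-09-21T06:00:00+00:00"),
    rec("eve@contoso.example", "POP3", "", "2022-09-21T05:00:00+00:00", err=50126),
    rec("dan@contoso.example", "Browser", "Windows 10", "2022-09-21T05:00:00+00:00"),
    rec("old@contoso.example", "IMAP4", "Windows 10", "2022-09-19T05:00:00+00:00"),
]

print(daily_report(SAMPLE, KNOWN, NOW))
```

Of the seven constructed records, the failed sign-in, the modern-auth sign-in and the one older than 24 hours are dropped, and the repeated iPhone entry collapses into a single row.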
I still have doubts on a few issues specific to my tenant
Just give us a ping through our "I have a question" button in the lower right corner of our website; we'll be glad to help.