Exchange 2019
Switching off legacy authentication for Exchange Online


Leaving legacy authentication enabled in your Microsoft 365 tenant is something to avoid, but actually disabling it has traditionally been difficult: unless you already have a good understanding of which clients are connecting to your tenant, switching it off risks locking real users out.

Recent improvements to Exchange Online make this simple to configure, and the Azure AD sign-in logs now give you the information you need to identify the clients that would be affected.

In this article, we will walk through the process to identify clients using legacy authentication, then utilize the new functionality available to Exchange Online to disable legacy auth for selected protocols.

Reviewing legacy sign-ins to Exchange Online

Before disabling legacy authentication for Exchange Online, you need to know which clients will lose the ability to sign in, so that either nothing breaks or, where it will, you have enough information to warn the people who will be affected.

You can do this in the Azure Active Directory portal by reviewing sign-in logs using dedicated capabilities to filter based on legacy authentication. To do this, navigate to the Azure AD portal and then select Sign-ins under Monitoring.


This view shows every sign-in attempt to Azure AD, covering all Microsoft 365 services and all of your clients. We'll first make sure the information we need is visible by adding the Client app column under Columns, as shown below:


Next, we’ll use Add filters to add a filter based on client app:


The filter for client app will allow us to reduce the list shown to only relevant clients. To do this, expand the filter and from the drop-down list only select the protocols listed under Legacy authentication clients:


This list will show both successful and unsuccessful sign-ins. Unsuccessful sign-ins over legacy protocols are a concern in their own right (a stream of failures from many accounts over IMAP4 or POP3 is the usual shape of a password spray attack), but here we focus on successful sign-ins, because those tell us what our users are genuinely using. We'll do this by using Add filters to add a filter based on Status:


We’ll then change the filter for Status to only show results that are a Success:


You will then see what may be a long list of successful sign-ins from legacy authentication clients to Exchange Online. Widen the Date filter (up to one month) to gain more insight, and use Download to export the list for review.

In the example below, Exchange ActiveSync is in wide use across many users. Before disabling this protocol, those users need to be moved to a modern-authentication-capable client such as the Outlook mobile app.


To work out which legacy authentication protocols are not in active use and can be disabled immediately, re-open the Client app filter and unselect the protocols that appear in your results. With Exchange ActiveSync unselected, the other protocols in active use are easy to see:


Repeat the process, removing each protocol that shows active usage, until no results are shown. In the example below, we quickly established that only ActiveSync and Exchange Web Services are in use, with no sign-ins from any other legacy client over the last month.

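The portal filtering above can also be done against the CSV you get from Download, which is handy when the list runs to thousands of rows. The script below is an added example, not code from the original article: it reads an export, keeps only the client apps the portal groups under Legacy authentication clients, and splits them into protocols with successful sign-ins (migrate those users first), protocols with none (safe to disable now) and failed legacy sign-ins (worth a separate look). The column names "Username", "Client app" and "Status" are assumed to match the portal export, the list of legacy client app names is assumed to match the portal's filter grouping, and the sample rows are constructed for illustration.

```powershell
# Added example: triage an Azure AD sign-in export for legacy authentication usage.
# Assumed column headers (check against your own export): "Username", "Client app", "Status".
# The CSV content below is constructed sample data, not a real export.
$csv = @'
"Date (UTC)","Username","Application","Client app","Status"
"2020-08-01T08:01:00Z","alice@contoso.example","Office 365 Exchange Online","Exchange ActiveSync","Success"
"2020-08-01T08:02:00Z","bob@contoso.example","Office 365 Exchange Online","Exchange ActiveSync","Success"
"2020-08-01T08:03:00Z","carol@contoso.example","Office 365 Exchange Online","Exchange Web Services","Success"
"2020-08-01T08:04:00Z","dave@contoso.example","Office 365 Exchange Online","Browser","Success"
"2020-08-01T08:05:00Z","erin@contoso.example","Office 365 Exchange Online","Mobile Apps and Desktop clients","Success"
"2020-08-01T08:06:00Z","alice@contoso.example","Office 365 Exchange Online","IMAP4","Failure"
"2020-08-01T08:07:00Z","frank@contoso.example","Office 365 Exchange Online","IMAP4","Failure"
"2020-08-01T08:08:00Z","grace@contoso.example","Office 365 Exchange Online","POP3","Failure"
'@
# For a real export use: $signIns = Import-Csv .\SignIns.csv
$signIns = $csv | ConvertFrom-Csv

# Client app values assumed to match the portal's "Legacy authentication clients" group.
$legacyClientApps = @(
    'Authenticated SMTP', 'Autodiscover', 'Exchange ActiveSync', 'Exchange Online PowerShell',
    'Exchange Web Services', 'IMAP4', 'MAPI Over HTTP', 'Offline Address Book',
    'Outlook Anywhere (RPC over HTTP)', 'Outlook Service', 'POP3',
    'Reporting Web Services', 'Other clients'
)

$legacy = $signIns | Where-Object { $legacyClientApps -contains $_.'Client app' }

# Successful legacy sign-ins: real users whose clients must be migrated before the protocol is switched off.
$inUse = $legacy | Where-Object { $_.Status -eq 'Success' } |
    Group-Object 'Client app' | Sort-Object Count -Descending

"Legacy protocols with successful sign-ins (migrate these users first):"
foreach ($g in $inUse) {
    $users = ($g.Group.Username | Sort-Object -Unique) -join ', '
    "  {0,-32} {1,4} sign-ins  users: {2}" -f $g.Name, $g.Count, $users
}

# Every other protocol on the legacy list had no successful sign-in in this export.
$unused = $legacyClientApps | Where-Object { $_ -notin @($inUse.Name) }
"`nLegacy protocols with no successful sign-ins (candidates to disable now):"
$unused | ForEach-Object { "  $_" }

# Failed legacy sign-ins are worth a separate look: many accounts failing over IMAP4/POP3
# in a short window is the typical signature of password spraying against basic auth.
$failed = $legacy | Where-Object { $_.Status -ne 'Success' } | Group-Object 'Client app'
"`nFailed legacy sign-ins by protocol (investigate separately):"
foreach ($g in $failed) { "  {0,-32} {1,4}" -f $g.Name, $g.Count }
```

With the constructed rows this reports Exchange ActiveSync (alice, bob) and Exchange Web Services (carol) as in use, lists the remaining legacy protocols as candidates to disable, and shows the IMAP4 and POP3 failures separately. Because the export only covers the date range you selected, run it against a full month's export, as the article recommends, before treating a protocol as unused.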

Selectively switching off legacy authentication

After discovering which protocols are not in active use, we are in a position where it becomes low-risk to disable legacy authentication.

Instead of using Exchange Online PowerShell, we can now use the Microsoft 365 admin center to disable legacy authentication for Exchange Online on a protocol-by-protocol basis affecting all users. To do this, navigate to Settings>Org Settings and choose Modern authentication from the services list. In the Modern authentication page, we’ll disable the legacy protocols no longer in use:


In the example above we have disabled legacy authentication for IMAP4, POP3, Exchange Online PowerShell and Autodiscover. For Exchange Online PowerShell, this means administrators must connect with either the V2 module or the older, now deprecated, MFA-capable V1 module. Disabling legacy authentication for Autodiscover stops further legacy clients from even attempting to discover their Exchange Online settings.

Because we know legacy ActiveSync is in use in our organization, and there is a small amount of active legacy Exchange Web Services usage, we'll leave those two protocols enabled for now.

Once we are happy with the settings, we’ll choose Save to apply these to all Exchange Online clients.

Disabling Legacy Authentication for all Exchange Online services

Using our sign-in log information, we will upgrade or reconfigure discovered clients to use modern authentication. After re-running the steps to filter Azure AD sign-ins and confirming we no longer have any active usage of legacy authentication, we’ll re-visit the Microsoft 365 admin center and disable legacy authentication for all Exchange Online protocols:

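The same per-protocol controls are available from Exchange Online PowerShell as an authentication policy, which is useful if you want the change scripted, reviewable and repeatable across tenants. The block below is an added example, not code from the original article: it builds the selective policy described above (ActiveSync and Exchange Web Services left on, everything else off), makes it the tenant default, and shows the follow-up step for switching the last two off once the sign-in logs are clean. The policy name is an assumption, and the script assumes an existing Exchange Online session opened with Connect-ExchangeOnline from the EXO V2 module.

```powershell
# Added example: selective basic-auth block as an Exchange Online authentication policy.
# Assumes you are already connected (Connect-ExchangeOnline). Policy name is an assumption.
$policyName = 'Block Basic Auth except ActiveSync and EWS'

# Step 1: create the policy if it does not exist yet, then set every AllowBasicAuth* switch
# explicitly so the resulting state does not depend on cmdlet defaults.
$policy = Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue
if (-not $policy) { $policy = New-AuthenticationPolicy -Name $policyName }

Set-AuthenticationPolicy -Identity $policyName `
    -AllowBasicAuthActiveSync:$true `
    -AllowBasicAuthWebServices:$true `
    -AllowBasicAuthAutodiscover:$false `
    -AllowBasicAuthImap:$false `
    -AllowBasicAuthPop:$false `
    -AllowBasicAuthSmtp:$false `
    -AllowBasicAuthMapi:$false `
    -AllowBasicAuthOfflineAddressBook:$false `
    -AllowBasicAuthOutlookService:$false `
    -AllowBasicAuthPowershell:$false `
    -AllowBasicAuthReportingWebServices:$false `
    -AllowBasicAuthRpc:$false

# Make it the tenant default so it covers every user without an explicitly assigned policy.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# Verify: only ActiveSync and WebServices should read True.
Get-AuthenticationPolicy -Identity $policyName | Select-Object Name, AllowBasicAuth* | Format-List

# Step 2, later, once a month of sign-in logs shows no successful legacy sign-ins:
# Set-AuthenticationPolicy -Identity $policyName -AllowBasicAuthActiveSync:$false -AllowBasicAuthWebServices:$false

# Caveat: policy changes can take up to 24 hours to apply to users who already hold tokens.
# To force an immediate re-evaluation for one user:
# Set-User -Identity alice@contoso.example -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)
```

A policy created with New-AuthenticationPolicy and no Allow switches blocks basic authentication for every protocol, which is the PowerShell equivalent of the final "disable everything" state described above; the explicit switches here exist so that a reader can see exactly which protocols stay open during the transition.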

Further improving security for Microsoft 365 and Exchange Online

Disabling legacy authentication for Exchange Online is not a panacea for Microsoft 365 security; it is one step towards protecting the environment from particular threats, such as password spray attacks, which target basic authentication precisely because it cannot enforce MFA.

If you have Microsoft 365 E3, Microsoft 365 Business Premium, EMS E3 or Azure AD Premium licences, you should consider configuring Conditional Access in your environment, so that you can selectively require Azure Multi-Factor Authentication, or restrict access to Intune-enrolled devices, Hybrid Azure AD joined PCs, or other criteria such as IP address.

If you don't have Conditional Access available, consider Azure AD Security Defaults or, if you need it on a per-user basis, Office 365 per-user multi-factor authentication. Security Defaults is particularly useful if you want a guided rollout, with users given 14 days to register for MFA rather than being prompted immediately; it also requires MFA for privileged administrative roles in your tenant. Note that Security Defaults blocks legacy authentication tenant-wide as well, so the client review described above still applies before you enable it.

Source Practical365

Exchange 2019

Microsoft Exchange Servers Targeted by New PowerShell Backdoors


Security researchers have discovered a pair of brand-new PowerShell backdoors following an attack on a Microsoft Exchange server. While the attack dates from last year, it seems the responsible group used a new method.

According to Palo Alto’s Unit 42 security team, a threat group called xHunt is responsible for the attack. This group has been known to target organizations in Kuwait, including a 2018 breach of the country’s government system.

A newer attack, which occurred around August 22, 2019, shows the group has new tooling for maintaining access to targets. Specifically, two new PowerShell backdoors were used: one has been dubbed “TriFive” and the other “Snugy.”

“Both of the backdoors installed on the compromised Exchange server of a Kuwait government organization used covert channels for C2 communications, specifically DNS tunneling and an email-based channel using drafts in the Deleted Items folder of a compromised email account,” say researchers from the Palo Alto team.

How it Happened

While last year’s attack has now been discovered, researchers are not clear how the group gained access to the Microsoft Exchange server in the first place. The attack was reported over a year after it happened, when the organization found suspicious commands being run through the Internet Information Services (IIS) worker process, w3wp.exe.

On the server, the team says it “did discover two scheduled tasks created by the threat actor well before the dates of the collected logs, both of which would run malicious PowerShell scripts. We cannot confirm that the actors used either of these PowerShell scripts to install the web shell, but we believe the threat actors already had access to the server prior to the logs.”

Two scheduled tasks “ResolutionHosts” and “ResolutionsHosts” were used in c:\Windows\System32\Tasks\Microsoft\Windows\WDI to persistently run PowerShell scripts every 30 minutes and every five minutes.

“The scripts were stored in two separate folders on the system, which is likely an attempt to avoid both backdoors being discovered and removed,” add the researchers.
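The persistence described above (scheduled tasks in the WDI folder, named after a legitimate task, that start PowerShell every few minutes) is cheap to check for. The script below is an added example written for this page, not part of the Unit 42 research: the task folder and the two task names come from the article, while the detection logic is this editor's and should be adapted to your environment. It flags any task under \Microsoft\Windows\WDI\ whose action launches PowerShell, regardless of name, and then compares the task XML files on disk with what the Task Scheduler API reports, since a definition file with no corresponding scheduler entry is worth examining. Run it from an elevated PowerShell session on the server.

```powershell
# Added example: hunt for PowerShell-launching scheduled tasks in the WDI folder.
# Task path and IOC names from the article; detection logic is this editor's, not Unit 42's.
$wdiPath  = '\Microsoft\Windows\WDI\'
$iocNames = @('ResolutionHosts', 'ResolutionsHosts')   # lookalikes of the legitimate ResolutionHost task

function Get-SuspiciousWdiTasks {
    # Any task in the WDI folder whose action starts PowerShell deserves a look, whatever it is named.
    Get-ScheduledTask -TaskPath $wdiPath -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        $psActions = @($task.Actions | Where-Object { $_.Execute -match 'powershell|pwsh' })
        if ($psActions.Count -eq 0 -and $iocNames -notcontains $task.TaskName) { return }

        $info    = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath
        $repeats = @($task.Triggers | ForEach-Object { $_.Repetition.Interval } | Where-Object { $_ })
        [pscustomobject]@{
            Task        = $task.TaskPath + $task.TaskName
            KnownIoc    = $iocNames -contains $task.TaskName
            Command     = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ; '
            RepeatEvery = $repeats -join ','      # ISO 8601 durations, e.g. PT5M / PT30M
            LastRun     = $info.LastRunTime
            Author      = $task.Author
        }
    }
}

function Get-WdiTaskFilesWithoutSchedulerEntry {
    # Task definitions are stored as XML files under System32\Tasks. A file the scheduler API does
    # not list is either stale or deliberately hidden; either way, open the XML and read its actions.
    $onDisk = @(Get-ChildItem "$env:SystemRoot\System32\Tasks\Microsoft\Windows\WDI" -File -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty Name)
    $viaApi = @(Get-ScheduledTask -TaskPath $wdiPath -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty TaskName)
    $onDisk | Where-Object { $viaApi -notcontains $_ }
}

Get-SuspiciousWdiTasks | Format-Table -AutoSize
Get-WdiTaskFilesWithoutSchedulerEntry | ForEach-Object { "Task file with no scheduler entry: $_" }
```

The RepeatEvery column is where the five-minute and thirty-minute cadences from the article would show up; a legitimate diagnostic task repeating that often and invoking powershell.exe is unusual enough to justify pulling the script it runs and the mailbox it touches.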

Source Winbuzzer

Exchange 2019

Microsoft: ‘Expect a bumpy ride’. These are 2019’s top 10 tech challenges


Microsoft president Brad Smith reckons the tech sector could be in for a “bumpy ride” in 2019, with new US national privacy regulation, an ongoing trade war with China, a US resistant to diplomatic responses to hacking and election meddling, and regulatory responses to artificial intelligence.

Key changes that could broadly affect the tech sector include a proposal by the Department of Commerce in November to add artificial intelligence to its controlled exports schedule because of its importance to national security.

Smith, who’s also Microsoft’s chief legal counsel, says across both sides of American politics there is “greater appreciation of China’s momentum in artificial intelligence and other technology and heightened concern about its economic and national security implications”.

Smith doesn’t mention Donald Trump but notes the “steady wave of US tariff increases on Chinese imports” that the US President hoped would boost Chinese purchases of American products, though not necessarily technology products.

Last year Apple CEO Tim Cook called for regulation of internet companies, while Facebook CEO Mark Zuckerberg grew to accept that new rules will come. Smith writes that last year saw broadening acceptance among tech leaders of the need for some regulation.

But what type of regulation could the US introduce? Smith points to a paper from Democrat Senator Mark Warner from Virginia. The paper proposes a duty on social-media platforms like Facebook to, in Smith’s words, “determine the origin of accounts or posts, identify bogus accounts and notify users when bots are spreading information”.

“Warner has played a steady leadership role on the Senate Intelligence Committee, and the coming months will likely put added spotlight on these ideas,” writes Smith.

He’s also upbeat about the prospect for national privacy legislation, thanks to California’s new privacy laws. The laws, considered the toughest in the nation, allow customers to request companies stop collecting and selling personal data.

“Look to the next few months for the spread of privacy legislation to several other state capitals, all of which will set the stage for an even bigger debate on Capitol Hill,” writes Smith.

Smith called French President Emmanuel Macron’s effort to find a diplomatic solution to state-sponsored hacking and election meddling “last year’s biggest step” to address these attacks on democracy.

Smith notes that Macron’s Paris Call signatories included all EU members and 27 of 29 NATO allies, but not the US. “The New Year brings a new opportunity to bring everyone together,” he writes.

He also expects lawmakers to debate artificial intelligence in early 2019. In December, Smith outlined why Microsoft believes new laws are immediately required to regulate the use of facial-recognition technologies.

“The early months of 2019 will see the legislative focus in the US shift to state capitals, with the issue likely to move to Washington, DC before the year ends,” he writes.

“In the EU, authorities are monitoring facial recognition and other biometric techniques under the GDPR, and the European Commission has started reviewing the ethical issues more broadly. Globally, this is an issue that’s just getting started.”
