How to Disable Basic Authentication for All Other Users but one

How to ensure that the remaining accounts in your Exchange 2019 environment do not use Basic Authentication.

To ensure that the remaining accounts in your Exchange 2019 environment do not use Basic Authentication, you can follow these steps to either disable the specific protocols that use Basic Authentication (IMAP, POP3, SMTP) or enforce the use of more secure authentication methods for these protocols.

Step 1: Disable Basic Authentication for All Other Users

1.1. Using Exchange Management Shell (EMS)

You can use the following commands to disable POP3, IMAP, and SMTP for all users except the one that requires Basic Authentication.

  1. Disable POP3 for all users:

    powershell: Get-Mailbox -ResultSize Unlimited | Where-Object {$_.UserPrincipalName -ne "user@domain.com"} | Set-CASMailbox -PopEnabled $false

  2. Disable IMAP for all users:

    powershell: Get-Mailbox -ResultSize Unlimited | Where-Object {$_.UserPrincipalName -ne "user@domain.com"} | Set-CASMailbox -ImapEnabled $false

  3. Disable SMTP Basic Authentication for all users:

    powershell: Get-Mailbox -ResultSize Unlimited | Where-Object {$_.UserPrincipalName -ne "user@domain.com"} | Set-CASMailbox -SmtpClientAuthenticationDisabled $true

    Replace "user@domain.com" with the user principal name (UPN) of the user who requires Basic Authentication; the filter compares UserPrincipalName, which is not always identical to the user's primary e-mail address. Note that the SmtpClientAuthenticationDisabled parameter of Set-CASMailbox exists only in Exchange Online; on-premises Exchange 2019 does not expose it, so SMTP client authentication there is controlled on the receive connectors instead (see Step 2.2).
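The three commands above each walk the whole mailbox list; the following script, added here as an example and not part of the original article, does the same job in one pass with an explicit exemption list, supports -WhatIf for a dry run, and then reports which mailboxes can still log in over POP3 or IMAP (useful for the verification in Step 4). It assumes an Exchange Management Shell session; the UPN values are placeholders.

```powershell
# Added example (not from the original article): disable POP3 and IMAP on every
# mailbox except an explicit exemption list, then report what still has them on.
# Assumes an Exchange Management Shell session on Exchange 2019; the exempt UPN
# values are placeholders. Run with -WhatIf first to preview the changes.
function Disable-BasicAuthProtocols {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Users who still need POP3/IMAP (and therefore Basic Authentication)
        [Parameter(Mandatory = $true)]
        [string[]]$ExemptUpn
    )

    # -notin is case-insensitive in PowerShell, so "User@Domain.com" still matches
    $targets = Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.UserPrincipalName -notin $ExemptUpn }

    foreach ($mbx in $targets) {
        if ($PSCmdlet.ShouldProcess($mbx.UserPrincipalName, 'Disable POP3 and IMAP')) {
            # One write per mailbox instead of two separate pipeline runs
            Set-CASMailbox -Identity $mbx.Identity -PopEnabled $false -ImapEnabled $false
        }
    }
}

function Get-BasicAuthProtocolReport {
    # Lists every mailbox that can still log in over POP3 or IMAP; after the
    # change above, only the exempt accounts should appear here.
    Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
        Select-Object DisplayName, PrimarySmtpAddress, PopEnabled, ImapEnabled
}

# Usage (placeholder UPN): preview, apply, then verify
Disable-BasicAuthProtocols -ExemptUpn 'user@domain.com' -WhatIf
Disable-BasicAuthProtocols -ExemptUpn 'user@domain.com'
Get-BasicAuthProtocolReport | Format-Table -AutoSize
```

The report should list only the exempt account(s); any other mailbox that appears was either created after the run or re-enabled, and is worth a second look.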

1.2. Using Exchange Admin Center (EAC)

You can manually disable POP3, IMAP, and SMTP access for users who should not have Basic Authentication enabled.

  1. Log in to the EAC: Open the Exchange Admin Center.

  2. Navigate to Recipients:

    • Click on "Recipients" and then on "Mailboxes."
  3. Select Users:

    • Manually select users or multiple users by holding down the Ctrl key while clicking their names.
  4. Modify Protocols:

    • After selecting the users, click on "More options" and choose "Disable POP3" and "Disable IMAP" from the list.
    • For SMTP, check that the "SMTP client authentication" is disabled.
  5. Save Changes:

    • After making these changes, ensure to save the configuration.

Step 2: Enforce Modern Authentication

Modern Authentication (OAuth) provides more secure authentication mechanisms compared to Basic Authentication. To enforce Modern Authentication for remaining users, consider the following steps:

2.1. Enable Modern Authentication Globally

Ensure that Modern Authentication is enabled globally on the Exchange server:

powershell: Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

2.2. Restrict Basic Authentication at the Protocol Level

To completely prevent users from using Basic Authentication, consider restricting it directly at the protocol level for the services involved (e.g., IMAP, POP3, SMTP).

  1. Disable Basic Authentication for IMAP:

    powershell: Set-ImapSettings -LoginType OAuthLogin

  2. Disable Basic Authentication for POP3:

    powershell: Set-PopSettings -LoginType OAuthLogin

  3. Disable Basic Authentication for SMTP:

    • For SMTP, configure the receive connectors or adjust the policies so that Basic Authentication is not allowed.

    Caveat: on Exchange Server 2019 the -LoginType parameter of Set-ImapSettings and Set-PopSettings accepts only PlainTextLogin, PlainTextAuthentication and SecureLogin; OAuthLogin is not a valid value, and the two commands above will be rejected. SecureLogin forces TLS before the client may send credentials, but the credentials are still a Basic Authentication username and password, so the per-mailbox PopEnabled/ImapEnabled settings from Step 1 remain the effective control on-premises.

Step 3: Use Conditional Access (If Using Azure AD)

If your organization uses Azure AD, you can create Conditional Access policies to enforce the use of Modern Authentication and block legacy authentication methods (like Basic Authentication) for the remaining users.

  1. Create a Conditional Access Policy:

    • Go to Azure AD in the Azure portal.
    • Create a new policy targeting all users (or a specific group of users).
    • Under "Cloud apps," select "Office 365 Exchange Online."
  2. Block Legacy Authentication:

    • In the "Conditions" section, select "Client apps."
    • Choose "Other clients" and block these clients, which use Basic Authentication.
  3. Enforce Modern Authentication:

    • Under "Grant," configure the policy to require multifactor authentication (MFA) or other conditions that align with Modern Authentication.
  4. Enable the Policy:

    • Once the policy is configured, enable it to start enforcing Modern Authentication.

Step 4: Monitoring and Auditing

Regularly monitor and audit the authentication methods being used by your users:

  1. Review Logs:

    • Use the Exchange Admin Center or PowerShell to review the POP3, IMAP and SMTP protocol logs for any instances of Basic Authentication being used.
  2. Set Up Alerts:

    • Configure alerts for any unexpected usage of Basic Authentication, especially if your organization is moving towards Modern Authentication.

By following these steps, you can ensure that Basic Authentication is only enabled for specific users who need it, while the remaining users are configured with more secure authentication methods.