In a previous article, we discussed how a conditional access policy blocking basic authentication prevents Outlook clients (leveraging RPC over HTTP) from reconfiguring after a mailbox migration to Exchange Online. This is due to RPC over HTTP not supporting modern authentication. On the other hand, Outlook clients leveraging MAPI over HTTP would reconfigure without incident. This is due to MAPI over HTTP supporting modern (and basic) authentication.
This article explores how security defaults, which Microsoft has been enabling on all new tenants to block basic auth, could also prevent Outlook clients (leveraging RPC over HTTP) from reconfiguring after migration to Exchange Online.
How to check if Security Defaults are enabled (modern authentication is enforced)
To determine if security defaults are enabled in your tenant:
Log into the Microsoft 365 Admin Center. From the left pane, expand Settings and select Org Settings. From the Services tab, select Modern Authentication. The Modern Authentication pop-out will identify if security defaults have been enabled.
The screenshot below shows the message that security defaults are enabled, indicating that modern authentication is required and basic auth connections are blocked.
If security defaults have not been enabled in your tenant, the modern authentication pop-out will have configurable options. The screenshot below shows that modern authentication has been enabled (but it is not enforced). We can also see which protocols permit clients to use basic auth. Based on the selections in the screenshots, Outlook clients are still permitted to use basic auth (via either RPC over HTTP or MAPI over HTTP).
Tip: While not the focus of this article, I highly recommend working towards disabling basic auth on as many protocols as you can before the October 1st, 2022 deadline. This not only improves your security posture prior to October but also gets you prepared for the retiring of basic auth.
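The same checks can be read from PowerShell instead of the admin center pop-out. The script below is an added example, not part of the original article; it assumes the Microsoft.Graph.Identity.SignIns and ExchangeOnlineManagement modules are installed, that the signed-in account can read these settings, and that the per-protocol selections in the pop-out are stored in the organization's default authentication policy.

```powershell
# Added example: read-only report of security defaults, modern auth and per-protocol basic auth.
# Assumption: the admin center per-protocol checkboxes map to the org default authentication policy.
Connect-MgGraph -Scopes 'Policy.Read.All'
Connect-ExchangeOnline -ShowBanner:$false

# 1. Security defaults (when enabled, basic auth connections are blocked tenant-wide)
$secDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy

# 2. Modern authentication switch for Exchange Online
$org = Get-OrganizationConfig

# 3. Basic auth per protocol; Rpc and Mapi are the two Outlook transports discussed above
$protocols = 'Rpc', 'Mapi', 'Autodiscover', 'OutlookService', 'OfflineAddressBook', 'WebServices'
$basicAuth = [ordered]@{}
if ($org.DefaultAuthenticationPolicy) {
    $policy = Get-AuthenticationPolicy -Identity $org.DefaultAuthenticationPolicy
    foreach ($p in $protocols) {
        $basicAuth[$p] = [bool]$policy."AllowBasicAuth$p"
    }
} else {
    # No default policy assigned: no authentication policy is restricting basic auth.
    # (Per-user policies, if any, are not covered by this check.)
    foreach ($p in $protocols) { $basicAuth[$p] = $true }
}

# RPC over HTTP cannot use modern auth, so it is cut off when security defaults
# are enabled or when basic auth for RPC is disallowed by policy.
$rpcBlocked = $secDefaults.IsEnabled -or (-not $basicAuth['Rpc'])

[pscustomobject]@{
    SecurityDefaultsEnabled  = $secDefaults.IsEnabled
    ModernAuthEnabled        = $org.OAuth2ClientProfileEnabled
    DefaultAuthPolicy        = $org.DefaultAuthenticationPolicy
    BasicAuthAllowedRpc      = $basicAuth['Rpc']
    BasicAuthAllowedMapi     = $basicAuth['Mapi']
    BasicAuthAllowedOther    = ($protocols | Where-Object { $_ -notin 'Rpc', 'Mapi' -and $basicAuth[$_] }) -join ', '
    RpcHttpOutlookAtRisk     = $rpcBlocked
} | Format-List

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

A `RpcHttpOutlookAtRisk` value of `True` flags the condition this article describes: Outlook clients still on RPC over HTTP have no working authentication path to Exchange Online after migration.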