Skip to main content

Three PowerShell Scripts That Find Basic Auth in Every Tenant Before Microsoft Pulls It

Nick Ross3 min read

TL;DR

  • Effective October 1, 2022, Microsoft permanently disables basic authentication in all tenants regardless of usage, with SMTP AUTH the only protocol that can be re-enabled afterward.
  • Beginning in early 2022, Microsoft will pick tenants and switch off basic auth for all affected protocols except SMTP AUTH for 12 to 48 hours at a time.
  • The affected protocols are Exchange Web Services, Exchange ActiveSync, POP, IMAP, Remote PowerShell, MAPI, RPC, SMTP AUTH, and OAB.
  • Three open-source PowerShell scripts use the Secure Application Model to report basic auth sign-ins and settings across every customer tenant an MSP manages.
  • SMTP auth can be disabled at the tenant level and re-enabled per user, which keeps copiers and printers working while closing the door everywhere else.

Somewhere in your customer base there is a copier, a ticketing system, or a line-of-business app still signing in with a username and password over a legacy protocol. Microsoft has now put dates on when that stops working, and the early ones are closer than October 2022. This post covers what Microsoft announced in September 2021 and shares a set of multi-tenant PowerShell scripts we built to find basic auth across every customer you manage.

The full announcement: Basic Authentication and Exchange Online, September 2021 Update (opens in new tab)

What did Microsoft actually commit to?

  • The scope covers Exchange Web Services (EWS), Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, MAPI, RPC, SMTP AUTH, and OAB.
  • Effective October 1, 2022, Microsoft begins permanently disabling basic auth in all tenants, regardless of usage. The one exception is SMTP AUTH, which can still be re-enabled after that date.
  • The part that should worry you most: beginning in early 2022, Microsoft will selectively pick tenants and disable basic auth for all affected protocols except SMTP AUTH for a period of 12 to 48 hours. You can request that specific protocols not be turned off on a per-tenant basis; instructions are in the announcement linked above.

Those temporary shutoffs mean "we will deal with it next year" is not a plan. A tenant you have not audited can lose a working integration for two days with no warning.

Where basic auth usually hides

Before the scripts, the remediation picture:

The reporting toolkit: three scripts, every tenant

We published a GitHub repository built to help MSPs report basic authentication across all customers under management. It consists of three PowerShell scripts:

What you need before running them

The scripts authenticate through the Secure Application Model, which gives you a headless connection into all of your customer environments. You will need to gather the tokens and GUIDs it produces. Kelvin Tegelaar at CyberDrain maintains the script that sets this up: Create-SecureAppModel.ps1 on GitHub (opens in new tab).

Audit_Log_Activity.ps1: who is still signing in the old way

Make sure your app registration carries this permission:

Microsoft Graph => AuditLog.Read.All (Delegated)

The script walks each customer tenant, looks for basic auth sign-ins, and presents them on screen:

PowerShell output showing basic auth sign-ins per customer tenant

It also generates a CSV listing every basic auth sign-in found across all customers, ready for remediation planning or a customer conversation:

CSV report of basic auth sign-ins across all managed tenants

Get_basicAuth_settings.ps1: what each tenant allows

This script pulls all authentication settings within a tenant. In the UI, most of these live under Settings > Org Settings > Modern Authentication:

Modern authentication settings in the Microsoft 365 admin center

One caveat to know going in: if the settings in a tenant have never been modified, the PowerShell cmdlets do not return them. For tenants sitting on untouched defaults, this script may come back empty, so treat a blank result as "defaults in place," not "nothing to do."

SMTP_auth_disabled.ps1: the copier-and-printer check

SMTP auth tends to be the most common holdout because of devices like copiers and printers. It can be enabled or disabled at both the tenant level and the user level, and the two can disagree: a tenant can have SMTP auth off globally while individual users still have it on. This script checks the tenant-level setting for each company and reports the results to a CSV:

CSV report of tenant-level SMTP auth status across customers

Run all three, and you have a defensible picture of where every customer stands before Microsoft starts flipping switches.

Frequently asked questions

Which protocols does the basic auth shutdown cover?

Exchange Web Services (EWS), Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, MAPI, RPC, SMTP AUTH, and OAB. As of the September 2021 update, everything except SMTP AUTH stays off permanently once Microsoft disables it on October 1, 2022.

Can you stop Microsoft from temporarily disabling basic auth in a tenant during early 2022?

You can request that specific protocols not be turned off on a per-tenant basis. The instructions are in Microsoft's September 2021 basic authentication update on the Exchange Team blog.

Why does the audit log script require Azure AD Premium P1?

The script reads Azure AD sign-in logs through the Graph API to find basic auth sign-ins in a 30-day window, and sign-in log access requires customers to hold an Azure AD P1 license.

Why might the tenant settings script return nothing?

If the authentication settings in a tenant have never been modified, the Exchange Online PowerShell cmdlets do not return them. Tenants still on pure defaults will show empty results from Get_basicAuth_settings.ps1.

Legacy auth is a control, not a one-time project

Finding basic auth once is the easy part. CloudCapsule rechecks legacy authentication and 250+ other controls across every tenant you manage in about 60 seconds each, so nothing quietly turns back on.

Run a free scan
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading