Phase out Legacy Authentication - Enable Modern Authentication

Blog series

This is part two of the six-part series on “Phase out Legacy Authentication”.

  1. Preface
  2. Enable Modern Authentication
  3. Create prerequisites
  4. Gain insights
  5. The first 90%
  6. The next 9%
  7. Endgame

Enable Modern Authentication

This step may seem strange, but in old tenants (created before 01.08.2017) Modern Authentication for Exchange Online and Skype for Business Online is not necessarily enabled.

Exchange Online

For Exchange Online, the Exchange Online PowerShell V2 module must be installed to enable Modern Authentication.

Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser

Check current configuration

Connect-ExchangeOnline
Get-OrganizationConfig | Select OAuth2ClientProfileEnabled

If the value for OAuth2ClientProfileEnabled is not True, Modern Auth still needs to be enabled.

Enable modern auth

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
# Check if change was made
Get-OrganizationConfig | Select OAuth2ClientProfileEnabled
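
The check, change and verification steps above can be combined into one idempotent function that only writes when the value is not already True and returns a before/after record for the change log. This is an added example, not code from the original post; the function name Enable-ExoModernAuth is hypothetical, and it assumes an account that is allowed to read and change the organization configuration.

```powershell
#Requires -Modules ExchangeOnlineManagement

# Hypothetical helper name; this is not a Microsoft cmdlet.
function Enable-ExoModernAuth {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Interactive sign-in; assumes sufficient rights on the tenant.
    Connect-ExchangeOnline -ShowBanner:$false

    try {
        # State before any change, kept for the change record.
        $before = (Get-OrganizationConfig).OAuth2ClientProfileEnabled

        # Only write when needed, and honour -WhatIf / -Confirm.
        if ($before -ne $true -and
            $PSCmdlet.ShouldProcess('Exchange Online organization',
                                    'Set OAuth2ClientProfileEnabled to $true')) {
            Set-OrganizationConfig -OAuth2ClientProfileEnabled $true -ErrorAction Stop
        }

        # Read the value back instead of trusting that the Set call worked.
        $after = (Get-OrganizationConfig).OAuth2ClientProfileEnabled

        [pscustomobject]@{
            CheckedAtUtc = (Get-Date).ToUniversalTime().ToString('o')
            Before       = $before
            After        = $after
            Changed      = ($before -ne $after)
            Compliant    = ($after -eq $true)
        }
    }
    finally {
        # Do not leave an administrative session open.
        Disconnect-ExchangeOnline -Confirm:$false
    }
}

# Dry run: reports the current state without changing the tenant.
Enable-ExoModernAuth -WhatIf
```

Run it without -WhatIf to apply the change; a result with Compliant set to False after a real run means the setting did not take effect and should be investigated before moving on.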

Skype for Business Online

Warning

Microsoft has removed the Get-CsOAuthConfiguration cmdlet from the Microsoft Teams module. The latest version containing the cmdlet is 4.5.0.

Sadly it is not enough to just use the old version of the module. It will result in the following error message:

Get-CsOAuthConfiguration: This cmdlet is no longer supported, please consult public documentation

Since Skype for Business Online was retired on 31 July 2021 this should not be a problem.

Thanks to @renedelamotte for bringing this to my attention.

Info
Even if Skype is not used in the environment and only Teams is used, Modern Authentication should also be enabled. Teams Room systems otherwise use legacy authentication by default, which makes subsequent analysis more difficult.

In the latest version of the Microsoft Teams PowerShell module, the configuration of Skype for Business Online is also possible. The separate installation of the Skype for Business Online Connector is therefore no longer necessary.

Install-Module -Name MicrosoftTeams -Scope CurrentUser -RequiredVersion 4.5.0

Check current configuration

Import-Module -Name MicrosoftTeams -RequiredVersion 4.5.0
Connect-MicrosoftTeams
Get-CsOAuthConfiguration | Select-Object ClientAdalAuthOverride

If the value for ClientAdalAuthOverride is not Allowed, Modern Auth must be enabled.

Enable modern auth

Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
# Check if change was made
Get-CsOAuthConfiguration | Select-Object ClientAdalAuthOverride

Next step

Now that clients can actually use Modern Authentication, it is important to set the stage to disable Legacy Authentication.