This had been on my to-do list for a little while since I heard about it (mostly from Daniel Streefkerk, who quite rightly has been drawing attention to this via Twitter, thanks!) – and it should be on yours too.

By default, Basic Authentication is allowed as an authentication method in Exchange Online. This is because that's the 'standard' way things have worked for a very long time – you want to get your emails, you provide a username and password and you're done. In our modern world, that doesn't work too well anymore. It's too risky in many ways, and things like 2FA and Conditional Access add an extra layer of security when logging in. That's great, but many systems weren't built or haven't been updated to support this – they'll just fail when logging in.

What this leaves us with is an internet-exposed authentication system that accepts username and password logins without any other layer of authentication, even if you have 2FA and Conditional Access turned on.

As Microsoft's documentation on disabling basic authentication covers, this lets attackers use brute force or password spray attacks to try different credentials to get into your tenant.
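As an added example (not code from the original post), here is the Exchange Online PowerShell sequence that closes this gap: create an authentication policy that blocks Basic Authentication for every protocol, make it the tenant default, and then list any users who were previously assigned a different policy and therefore still need a look. It assumes the ExchangeOnlineManagement module is installed, that the account used holds an Exchange administrator role, and that the policy name "Block Basic Auth" is just a placeholder you can rename.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account can manage authentication policies.
# The policy name below is a placeholder.

Connect-ExchangeOnline

$policyName = 'Block Basic Auth'

# New-AuthenticationPolicy leaves every AllowBasicAuth* setting at $false,
# so a freshly created policy already blocks Basic Auth for all protocols
# (ActiveSync, IMAP, POP, SMTP, MAPI, Outlook Web Services, and so on).
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}

# Show the per-protocol settings so the block is visible before it is applied.
Get-AuthenticationPolicy -Identity $policyName | Format-List AllowBasicAuth*

# Make it the tenant default: every user without an explicit policy inherits it.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# Users who were given a different policy earlier keep that one and may still
# have Basic Auth allowed, so list them for review.
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy -and $_.AuthenticationPolicy -ne $policyName } |
    Select-Object UserPrincipalName, AuthenticationPolicy

# To apply the block to one user straight away rather than waiting for the
# default to propagate, assign the policy directly and invalidate existing
# refresh tokens so cached Basic Auth sessions are not kept alive:
# Set-User -Identity 'user@contoso.example' -AuthenticationPolicy $policyName
# Set-User -Identity 'user@contoso.example' -STSRefreshTokensValidFrom ([DateTime]::UtcNow)
```

Run the `Get-AuthenticationPolicy` line before and after you change anything: if any `AllowBasicAuth*` value shows `True`, that protocol is still reachable with only a username and password regardless of your 2FA and Conditional Access settings.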