If the Office.com accounts are being constantly locked out, you can’t really tell by the ADFS logs if it is an email account that is being attacked, or if it is the general Office account. In my case, it was email, and so with MS new rules, we were able to turn off Basic authentication. This fixed 90% of our issues.
To do this from an admin workstation via powershell (Only at this time);
- $UserCredential = Get-Credential
- Use your o365 account -> Me@mycompany1.onmicrosoft.com
- $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
- Import-PSSession $Session
- Set-User -Identity NEWUSER@mycompany.com -AuthenticationPolicy basic
- Remove-PSSession $Session
- Don’t forget to disconnect your session at the end
Notes:
This will normally take effect in 24 hours. If you want it to happen within an hour, then use this;
- Set-User -Identity NEWUSER @mycompany.com -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)
To make this change to all Office 365 users, use this
- (Get-Mailbox).identity | foreach {Set-User $_ -AuthenticationPolicy basic}
The Authentication Policy was created, and named ‘basic’ by support. It cannot be renamed. It was created with the following command;
- New-AuthenticationPolicy -Name “Basic”
To remove the policy per user
- Set-User -Identity helpdesk@doyonutilities.com -AuthenticationPolicy $null
Issues that remained were
Accounts that did not have email were still getting locked out
Some users (about 10% Android and 25% iPhone) had to delete and recreate their work email accounts. For me this was not a big deal, as the email was all on the server, so just an inconvenience.
But MS will allow you to disable basic auth with these commands.
For me, the next step is to configure the ADFS Claimrules to better control this, coming soon.
The industry standard is to block this at ADFS with a Claimrule, per MS tech support. And maybe limit by country.
References:
MS Exchange Blog : Disabling basic now available.
DirTeam by Sander: Pro tip using Claim rules
https://docs.microsoft.com/en-us/powershell/module/exchange/users-and-groups/set-mailuser?view=exchange-ps
https://docs.microsoft.com/en-us/powershell/module/exchange/users-and-groups/set-user?view=exchange-ps
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/access-control-policies-in-ad-fs
https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/client-access-rules/procedures-for-client-access-rules
Other possible solutions for blocking access
https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online?redirectSourcePath=%252fen-us%252farticle%252fdisable-basic-authentication-in-exchange-online-bba2059a-7242-41d0-bb3f-baaf7ec1abd7
https://thomasverwer.com/2017/11/24/securing-and-restricting-acces-to-office-365-with-custom-ad-fs-claimrules/
http://www.thatlazyadmin.com/configure-adfs-office-365/
Limiting Access to Office 365 Services Based on the Location of the Client
https://www.michev.info/Blog/Post/2186/limiting-access-to-office-365-by-country