If the Office.com accounts are being constantly locked out, you can’t really tell by the ADFS logs if it is an email account that is being attacked, or if it is the general Office account.  In my case, it was email, and so with MS new rules, we were able to turn off Basic authentication.  This fixed 90% of our issues.

To do this from an admin workstation via powershell (Only at this time);

Notes:

This will normally take effect in 24 hours.  If you want it to happen within an hour, then use this;

  • Set-User -Identity NEWUSER @mycompany.com -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)

To make this change to all Office 365 users, use this

  • (Get-Mailbox).identity | foreach {Set-User $_ -AuthenticationPolicy basic}

The Authentication Policy was created, and named ‘basic’ by support.  It cannot be renamed.  It was created with the following command;

  • New-AuthenticationPolicy -Name “Basic”

To remove the policy per user

  • Set-User -Identity helpdesk@doyonutilities.com -AuthenticationPolicy $null

Issues that remained were

Accounts that did not have email were still getting locked out

Some users (about 10% Android and 25% iPhone) had to delete and recreate their work email accounts.  For me this was not a big deal, as the email was all on the server, so just an inconvenience.

But MS will allow you to disable basic auth with these commands.

For me, the next step is to configure the ADFS Claimrules to better control this, coming soon.

The industry standard is to block this at ADFS with a Claimrule, per MS tech support.  And maybe limit by country.

References:

Main Updated

MS Exchange Blog : Disabling basic now available.

DirTeam by Sander: Pro tip using Claim rules

MS: Claim rules

MS: Client access rules

https://docs.microsoft.com/en-us/powershell/module/exchange/users-and-groups/set-mailuser?view=exchange-ps

https://docs.microsoft.com/en-us/powershell/module/exchange/users-and-groups/set-user?view=exchange-ps

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/access-control-policies-in-ad-fs

https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/client-access-rules/procedures-for-client-access-rules

Other possible solutions for blocking access

https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online?redirectSourcePath=%252fen-us%252farticle%252fdisable-basic-authentication-in-exchange-online-bba2059a-7242-41d0-bb3f-baaf7ec1abd7

 

Securing and restricting access to Office 365 with custom AD FS claimrules

Configure ADFS for Office 365

Limiting Access to Office 365 Services Based on the Location of the Client

Limiting access to Office 365 by country

 

 

 


Leave Your Comment

Your email address will not be published. Required fields are marked *

fifteen + twenty =