All posts by jaapwesselius

Microsoft disables basic authentication in Office 365

I already wrote about Office 365 and Basic Authentication in two earlier blogposts:

The last update from Microsoft regarding basic authentication is published in June 2021:

https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-june-2021-update/ba-p/2454827

Microsoft has announced that it starts to disable basic authentication for customers that do not use basic authentication (for new Office 365 basic authentication is disabled by default).

I have disabled basic authentication is my tenant long ago and last week I got an email from Microsoft (MC274505, which can also be found in the admin portal) announcing basic authentication will be disabled in my tenant:

We’re making some changes to improve the security of your tenant. We announced in 2019 we would be retiring Basic Authentication for legacy protocols and in early 2021 we announced we would begin to retire Basic Authentication for protocols not being used in tenants.

30 days from today we’re going to turn off Basic Authentication for POP3, IMAP4, Remote PowerShell, Exchange Web Services, Offline Address Book, MAPI, RPC and Exchange ActiveSync protocol in your tenant, and will also disable SMTP AUTH completely.

Note: Based on our telemetry, no users in your tenant are currently using Basic Authentication with those protocols and so we expect there to be no impact to you.

If disabling basic authentication causes issues for your tenant, you can always re-enable basic authentication as outlined in the Microsoft link in the beginning of this blogpost. But please remember that basic authentication will be disabled permanently some day!

How to change MFA method for your Office 365 account

This might look like an easy blogpost (actually, it is) but every time I’m struggling with this, so I decided to write it down.

My default MFA authentication method was a text message (SMS) on my phone. This works fine, but it is not always easy to work with, especially not when using the native mail app on a mobile device. So, to change it, logon to OWA or the Microsoft Portal, click the initials in the upper right corner and click View account:

You can also navigate to https://myaccount.microsoft.com to get here directly. In the overview page click on Security Info to see the MFA methods available. To add a new method, click +Add Method.

In the pop-up window, select another method, for example the authenticator app and click Add. The first step is of course to download the authenticator app on your device, if it’s already installed click Next.

In the Setup your account pop-up box click next and a QR code will appear on your screen:

In the authenticatorapp, click the + icon in the upper right corner, select your account type and select Scan QR code. Approve the sign-in on your device, the security info will show Notification approved and you’re good to go.

The last step you have to do is to change the default sign-in method on the security info page by clicking Change next to Default sign-in method.

Check Server Core for Exchange 2019 Security Updates

When you want to check which updates are installed on an Exchange server you can navigate to Control Panel | Programs | View Installed Updates and you will see a list of installed updates, including the Exchange Security Updates.

When running Exchange 2019 on Windows 2019 Server Core there is no Control Panel and you can view the registry to check which updates are installed. Use the following command to view all installed Updates:

Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*| select-object displayname

Or more specifically for Exchange Server:

Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*| ?{$_.DisplayName -like "*Exchange Server*"} | Select DisplayName

This will show all software and updates for Exchange as shown in the following screenshot:

Get-DatabaseAvailabilityGroupNetwork Misconfigured

When installing a Database Availability Group in Exchange 2019 running on Windows 2019 Server Core, I got IP address configuration errors when creating the DAG. It did succeed, but when running the Get-DatabaseAvailabilityGroupNetwork command in EMS is get a ‘Misconfigured’ warning:

Or in plain text:

Get-DatabaseAvailabilityGroupNetwork
Identity ReplicationEnabled Subnets
-------- ------------------ -------
DAG01\MapiDagNetwork True {{10.38.96.0/24,Misconfigured}, {192.168.0.0/24,Misconfigured}}

This will be a DAG with two networks. One Mapi network (10.38.96.0/24) for clients, and one replication network (192.168.0.0/24).

The requirements for an additional replication network in a DAG are:

  • No default gateway configured
  • No DNS servers configured
  • IP address must not be registered in DNS

When using Windows 2019 Server Core, the first two can be configured using the SCONFIG utility, but the last one is not that simple (but in Windows 2019 Desktop Experience it is just a matter of deselection the “Register this connection’s address in DNS” option when configuring the network interface).

When using Windows Server Core, you can use the Set-DnsClient command to configure this setting, combined with the Get-NetAdapter command.

Execute the Get-NetAdapter command to retrieve the network interfaces. In the following screenshot “Ethernet” is the regular Mapi network interface, “Ethernet 2” is the replication network interface.

To configure the DNS registration option, execute the following command:

Get-NetAdapter -Name "Ethernet 2" | Set-DnsClient -RegisterThisConnectionsAddress $False

When you run the Get-DatabaseAvailabilityGroupNetwork command again, both DAG networks will show up correctly.

July 2021 Security Updates for Exchange

On July 13, 2021 Microsoft has released a number of Security Updates for Exchange. Security Updates are released for:

  • Exchange 2013 CU23
  • Exchange 2016 CU20 and CU21
  • Exchange 2019 CU9 and CU10

Some of the issues are marked ‘critical’ (Remote Code Execution) but no evidence have been found for any exploits in the wild, but it is strongly recommended to install these Security Updates as soon as possible.
The following CVE’s are addressed in these Security Updates:

Detailed information regarding the vulnerabilities can be found in the Security Update Guide.

As always, when installing the Security Update manually from a command prompt, use elevated privileges. If you do not, installation will succeed but under the hood things break! This is not an issue when installing using Windows Update.

Note. This Security Update has a dependency on the Schema update that came with Exchange 2016 CU21 and Exchange 2019 CU10. If you are running an older version of these CUs, please update the Schema first to the latest level. If you are still running Exchange 2013, and only Exchange 2013 at the latest level, you can install the Security Update, but you must run setup.exe /PrepareSchema from the V15\bin directory. The SU installation will install the latest schema files in the V15\bin directory which will be used by the setup application to make the schema changes. Failure to do so will result in an unprotected Exchange 2013 environment.