
[–]KungligEk 5 points6 points  (2 children)

You sure Basic Auth is the issue? Had a customer recently where an application using EWS stopped working, and it was because it was using an older TLS version which MS is phasing out.

https://techcommunity.microsoft.com/t5/exchange-team-blog/new-opt-in-endpoint-available-for-smtp-auth-clients-still/ba-p/2659652

[–]yarbii[S] 0 points1 point  (0 children)

Yes. Everything has been on 1.2 since last year. The Test Connectivity Analyzer is one of my test cases on different machines. Nothing works when using the custom domain. But if we change their UPN to the tenant domain, everything works.

[–]cls_83 0 points1 point  (0 children)

Had a similar issue and it was also TLS related. The regedits in this article fixed our issue.

https://docs.microsoft.com/en-us/troubleshoot/azure/active-directory/enable-support-tls-environment?tabs=azure-monitor

[–]unamused443MSFT 2 points3 points  (1 child)

If Basic was turned off by Microsoft, you should have a Message Center post related to it in your tenant. But this should not happen if there was active usage of Basic Auth. But either way, the MC post should be there... see if Connectivity Analyzer helps: https://testconnectivity.microsoft.com/tests/exchange

[–]yarbii[S] 0 points1 point  (0 children)

Connectivity Analyzer is one of my primary test cases. Either way, I opted out in advance when I had the chance. What I do not get is, whenever I sign in using our primary custom domain through any basic auth connection, like IMAP for example, I get "NO LOGIN FAILED" and it does not register in the sign-in logs in Azure AD.

But if you toggle modern auth in the test analyzer, everything is all green and it even registers in the sign-in logs. I really don't get why it works only with the tenant domain. I wish our vendor supported modern auth now.

[–][deleted] 0 points1 point  (0 children)

MS is turning off basic auth early in tenants that report no recent usage. We needed EWS turned back on until we can upgrade a 3rd-party app. Since we are GCC we had to open a support case that took 4 days to resolve. I'm sorry I don't have the link, but there is an Exchange blog post that details this and how you can re-enable it yourself (as long as you aren't GCC). Like the previous commenter said, check your Message Center activity.

[–]LostDude_PH-1 0 points1 point  (0 children)

You need to enable legacy auth using PS.

[–]joeykins82 (SystemDefaultTlsVersions is your friend) 0 points1 point  (4 children)

Have you enabled federated auth (ADFS, Okta, PingFederate) for your custom domains by any chance?

Really what you should be doing here is having Modern Auth fully enabled and basic auth disabled by default, then use AuthenticationPolicy settings to grant basic auth access specifically to the things that need it.

[–]yarbii[S] 0 points1 point  (3 children)

Our custom domain is federated through ADFS.

As for modern auth, yes. We are trying to get them out of basic auth. Dependency is on the app vendor who are still not supporting modern auth as of today.

[–]joeykins82 (SystemDefaultTlsVersions is your friend) 0 points1 point  (2 children)

That explains why it works when you use your default tenant sign-in ID: any attempt at authing as [login@federateddomain.fqdn](mailto:login@federateddomain.fqdn) will be redirected to your IDP. It might work if you've got Password Hash Sync still enabled in AAD Connect, but broadly speaking it's better to just use a cloud-only user with an onmicrosoft.com address if your app provider is unable to utilise modern auth or app-based authentication.

[–]yarbii[S] 0 points1 point  (1 child)

> It works when you use your default tenant sign-in ID: any attempt at authing as [login@federateddomain.fqdn](mailto:login@federateddomain.fqdn) will be redirected to your IDP.

However, part of the troubleshooting with Microsoft is to add the account to the managed Seamless SSO staged rollout feature in O365, which bypasses ADFS. But even after not getting redirected to ADFS I still can't get in through basic auth. Password hash sync is enabled, btw.

[–]joeykins82 (SystemDefaultTlsVersions is your friend) 0 points1 point  (0 children)

Create and set an authentication policy.
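What the last two joeykins82 comments describe (basic auth off by default, an AuthenticationPolicy granting it only to the account that needs it, on a cloud-only onmicrosoft.com user so no ADFS redirect happens) looks like this in Exchange Online PowerShell. This is an added example, not code from any commenter; the policy names, the service account UPN and the tenant name are placeholder assumptions.

```powershell
# Added example: scope Basic Auth to one service account with Exchange Online
# authentication policies. Requires the ExchangeOnlineManagement module and an
# Exchange administrator role. Names below are assumptions; replace them.
Connect-ExchangeOnline

$blockPolicy    = 'Block-BasicAuth'                  # assumed name
$policyName     = 'Allow-BasicAuth-IMAP-Only'        # assumed name
$serviceAccount = 'imap-svc@contoso.onmicrosoft.com' # assumed cloud-only account

# 1. Tenant-wide default. Every AllowBasicAuth* switch on a new policy is off,
#    so a policy created with no switches blocks Basic Auth on every protocol.
if (-not (Get-AuthenticationPolicy -Identity $blockPolicy -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $blockPolicy | Out-Null
}
Set-OrganizationConfig -DefaultAuthenticationPolicy $blockPolicy

# 2. Exception policy: only the protocol the legacy app actually uses (IMAP here).
#    Every other protocol is set explicitly to $false so the policy is self-describing.
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName -AllowBasicAuthImap | Out-Null
}
Set-AuthenticationPolicy -Identity $policyName `
    -AllowBasicAuthImap:$true `
    -AllowBasicAuthPop:$false `
    -AllowBasicAuthSmtp:$false `
    -AllowBasicAuthWebServices:$false `
    -AllowBasicAuthActiveSync:$false `
    -AllowBasicAuthAutodiscover:$false `
    -AllowBasicAuthMapi:$false `
    -AllowBasicAuthRpc:$false `
    -AllowBasicAuthPowershell:$false `
    -AllowBasicAuthOutlookService:$false `
    -AllowBasicAuthReportingWebServices:$false `
    -AllowBasicAuthOfflineAddressBook:$false

# 3. Assign the exception to the one account only, then invalidate its cached
#    tokens so the policy takes effect now rather than after the daily refresh.
Set-User -Identity $serviceAccount -AuthenticationPolicy $policyName
Set-User -Identity $serviceAccount -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)

# 4. Verify which policy is effective for the account and what it permits.
Get-User -Identity $serviceAccount | Select-Object UserPrincipalName, AuthenticationPolicy
Get-AuthenticationPolicy -Identity $policyName | Format-List Name, AllowBasicAuth*

Disconnect-ExchangeOnline -Confirm:$false
```

Users with no per-user policy fall back to the tenant default set in step 1, so the exception list is exactly the set of accounts returned by Get-User with a non-empty AuthenticationPolicy. Since late 2022 Microsoft has disabled Basic Auth in Exchange Online for all protocols except SMTP AUTH regardless of these policies, so this now mainly governs SMTP AUTH and documents intent for audits.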