In this article, I will explain how to identify the users and client applications in your organization that still sign in to Microsoft 365 with Basic Authentication, what Basic Authentication is, and why it should be disabled. Azure AD authentication in general is covered in more detail in a separate post.
Identify Clients Using Basic Authentication (O365)
With Basic Authentication the client sends the user name and password on every request: the two are joined with a single colon, base64-encoded and placed in the HTTP Authorization header. Base64 is an encoding, not encryption, so anyone who can read the request (or the credentials the client has saved) has the password. Because the protocol is a single HTTP round trip with no way to prompt for MFA, it is the preferred entry point for password spray attacks, where an attacker tries a few common passwords against many accounts.
This is what the login prompt looks like, a plain user name and password dialog; very familiar, right?
How to identify users signing in to Microsoft 365 services with Basic Authentication: this is the interesting part, finding out who, and which clients, are connecting to Microsoft 365 resources with basic authentication.
How to identify applications using Basic Authentication with the Azure AD sign-in logs
The Azure AD sign-in logs are the place to look: the sign-in report records the client app used for every sign-in, which tells you whether the request used modern or legacy (basic) authentication. Keep the retention period in mind: Azure AD Free keeps sign-in logs for 7 days and Azure AD Premium P1/P2 for 30 days, so check the report over at least a month to catch clients that connect infrequently. Here are the steps.
Step 1: Sign in to the Azure AD admin portal (https://aad.portal.azure.com), scroll down and open Sign-ins under Monitor.
Step 2: On the Sign-ins page, click Add filters at the top of the list and choose Client app.
Step 3: The new filter shows None selected. Click it and you get a drop-down listing the client apps, split into Modern Authentication Clients and Legacy Authentication Clients. Select every entry under Legacy Authentication Clients.
Click any record to see which client app was used; in my example it is MAPI Over HTTP.
The list now shows every sign-in made through a legacy (basic auth) client app. Before you click Download, open Columns and make sure Client app is selected, otherwise the client app will not appear in the exported report.
Download Azure AD sign-in logs in JSON or CSV format
To download the sign-ins in JSON or CSV format, click the Download button at the top of the Sign-ins page. If you have filtered the sign-ins by client app, the download contains only the filtered records.
Download JSON rather than CSV: the JSON export includes every field of each sign-in, including the user agent, which is what tells you the actual product (an old Outlook build, a mobile mail app, a script) behind a legacy client app. The CSV only carries the top-level fields of each row.
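Once you have the JSON export, the next step is to turn it into a list of who is still on basic auth. The script below is an added example for this article, not code from the original post: it classifies each record by its clientAppUsed value, counts successful legacy sign-ins per client app and per user, and separately counts failed legacy attempts per user (a useful password-spray indicator). Field names follow the Microsoft Graph signIn resource (clientAppUsed, userPrincipalName, appDisplayName, userAgent, status.errorCode), which is an assumption about the portal's JSON download; the LEGACY_CLIENT_APPS list mirrors the portal's filter and is also an assumption. The records in SAMPLE_EXPORT are constructed.

```python
"""Classify the sign-ins in an Azure AD sign-in log export (JSON) as legacy
(basic) or modern authentication and summarise who still uses legacy clients.

Added example for this article, not code from the original post. Assumptions:
the export is a JSON array (or an object with a "value" array) of records
shaped like the Graph signIn resource. SAMPLE_EXPORT is constructed data.
"""
import json
from collections import Counter, defaultdict

# Client app names the sign-in report groups under "Legacy Authentication
# Clients". Assumption: mirrors the portal's filter list; extend it if your
# tenant shows a value that is not here.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "AutoDiscover", "Exchange ActiveSync",
    "Exchange Online PowerShell", "Exchange Web Services", "IMAP4",
    "MAPI Over HTTP", "Offline Address Book", "Other clients",
    "Outlook Anywhere (RPC over HTTP)", "Outlook Service", "POP3",
    "Reporting Web Services", "Universal Outlook",
}

# Constructed sample of what a few rows of the JSON download look like.
SAMPLE_EXPORT = json.dumps([
    {"createdDateTime": "2021-03-01T08:00:12Z", "userPrincipalName": "alice@contoso.com",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "MAPI Over HTTP",
     "userAgent": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4266)",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2021-03-01T08:05:44Z", "userPrincipalName": "alice@contoso.com",
     "appDisplayName": "Office 365 SharePoint Online", "clientAppUsed": "Browser",
     "userAgent": "Mozilla/5.0", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2021-03-01T09:12:03Z", "userPrincipalName": "bob@contoso.com",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4",
     "userAgent": "", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    # A failed basic-auth attempt; AADSTS50126 is "invalid username or password".
    {"createdDateTime": "2021-03-01T09:13:30Z", "userPrincipalName": "bob@contoso.com",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Exchange ActiveSync",
     "userAgent": "", "ipAddress": "192.0.2.44", "status": {"errorCode": 50126}},
    {"createdDateTime": "2021-03-01T10:00:00Z", "userPrincipalName": "carol@contoso.com",
     "appDisplayName": "Microsoft Teams", "clientAppUsed": "Mobile Apps and Desktop clients",
     "userAgent": "", "ipAddress": "203.0.113.20", "status": {"errorCode": 0}},
    {"createdDateTime": "2021-03-02T08:01:00Z", "userPrincipalName": "alice@contoso.com",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "MAPI Over HTTP",
     "userAgent": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4266)",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
])


def parse_export(text):
    """Parse the JSON download; accept a bare array or a {"value": [...]} wrapper."""
    data = json.loads(text)
    return data if isinstance(data, list) else data.get("value", [])


def load_export(path):
    """Read a downloaded sign-in export from disk."""
    with open(path, encoding="utf-8") as fh:
        return parse_export(fh.read())


def is_legacy(record):
    """True when the sign-in came through a legacy (basic auth) client app."""
    return record.get("clientAppUsed") in LEGACY_CLIENT_APPS


def summarize_legacy(records):
    """Return (successful legacy sign-ins per client app,
               user -> set of legacy client apps used successfully,
               failed legacy attempts per user)."""
    by_client = Counter()
    by_user = defaultdict(set)
    failed = Counter()
    for r in records:
        if not is_legacy(r):
            continue
        user = r.get("userPrincipalName", "<unknown>")
        if r.get("status", {}).get("errorCode", 0) == 0:
            by_client[r["clientAppUsed"]] += 1
            by_user[user].add(r["clientAppUsed"])
        else:
            failed[user] += 1
    return by_client, dict(by_user), failed


if __name__ == "__main__":
    by_client, by_user, failed = summarize_legacy(parse_export(SAMPLE_EXPORT))
    print("Successful legacy sign-ins per client app:")
    for app, n in by_client.most_common():
        print(f"  {app:34} {n}")
    print("Users still on legacy clients:")
    for user, apps in sorted(by_user.items()):
        print(f"  {user:24} {', '.join(sorted(apps))}")
    print("Failed legacy attempts per user (spray indicator):")
    for user, n in failed.most_common():
        print(f"  {user:24} {n}")
```

Against a real export, replace parse_export(SAMPLE_EXPORT) with load_export("SignIns.json"). The failed-attempt counter is kept separate on purpose: a user with many failed IMAP4 or ActiveSync attempts and no successes is usually being sprayed rather than actually using a legacy client.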
Using the Microsoft Graph API to get sign-ins
If you need more than 250,000 sign-in records (the portal download is capped there), use the audit logs API in Microsoft Graph. Results are paged: follow the @odata.nextLink in each response until it is absent. The signIns call requires the AuditLog.Read.All and Directory.Read.All permissions for the app or user you call it as. The two endpoints are:
- GET directory audit records (changes made to the directory): GET https://graph.microsoft.com/v1.0/auditLogs/directoryAudits
- GET tenant user sign-ins: GET https://graph.microsoft.com/v1.0/auditLogs/signIns
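The part of the Graph route that trips people up is the paging, so here is an added example (not code from the article) that builds the signIns request with a $filter on the legacy client app names and walks @odata.nextLink until the last page. It assumes the v1.0 signIns endpoint accepts a clientAppUsed filter joined with "or", that $top is capped at 1000 by the service, and that the caller supplies an access token with AuditLog.Read.All. The HTTP call is passed in as a function, so the paging logic runs offline against the constructed pages in FAKE_PAGES; swap in graph_get for a real tenant.

```python
"""Pull legacy-authentication sign-ins from Microsoft Graph, following
@odata.nextLink until the result set is exhausted.

Added example, not code from the article. Assumptions: the caller supplies a
bearer token carrying AuditLog.Read.All; the v1.0 signIns endpoint accepts a
$filter on clientAppUsed combined with "or"; $top is capped at 1000 by the
service. FAKE_PAGES is constructed data standing in for two Graph responses.
"""
import json
import urllib.parse
import urllib.request
from collections import Counter

GRAPH_SIGNINS = "https://graph.microsoft.com/v1.0/auditLogs/signIns"


def build_signins_url(client_apps, top=1000):
    """First-page URL filtered to the given client app names (max $top is 1000)."""
    clauses = " or ".join(f"clientAppUsed eq '{app}'" for app in client_apps)
    query = urllib.parse.urlencode({"$filter": clauses, "$top": min(top, 1000)},
                                   safe="$", quote_via=urllib.parse.quote)
    return f"{GRAPH_SIGNINS}?{query}"


def graph_get(url, token):
    """Real fetcher: one GET against Graph with a bearer token, parsed as JSON."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_all_signins(first_url, fetch):
    """Collect every record across pages; fetch(url) returns one parsed page."""
    records, url = [], first_url
    while url:
        page = fetch(url)
        records.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # absent on the last page
    return records


def count_by_user_and_client(records):
    """Counter keyed by (userPrincipalName, clientAppUsed)."""
    return Counter((r.get("userPrincipalName"), r.get("clientAppUsed")) for r in records)


# Constructed stand-in for two Graph pages (not real tenant data). The
# $skiptoken value is invented; a real one is opaque and much longer.
FIRST_URL = build_signins_url(["IMAP4", "POP3", "Exchange ActiveSync"], top=2)
NEXT_URL = GRAPH_SIGNINS + "?$skiptoken=constructed-token-1"
FAKE_PAGES = {
    FIRST_URL: {
        "value": [
            {"userPrincipalName": "alice@contoso.com", "clientAppUsed": "IMAP4"},
            {"userPrincipalName": "bob@contoso.com", "clientAppUsed": "POP3"},
        ],
        "@odata.nextLink": NEXT_URL,
    },
    NEXT_URL: {
        "value": [
            {"userPrincipalName": "alice@contoso.com", "clientAppUsed": "IMAP4"},
        ],
    },
}


def fake_fetch(url):
    """Offline fetcher serving FAKE_PAGES; raises KeyError on an unexpected URL."""
    return FAKE_PAGES[url]


if __name__ == "__main__":
    rows = fetch_all_signins(FIRST_URL, fake_fetch)
    for (user, app), n in sorted(count_by_user_and_client(rows).items()):
        print(f"{user:24} {app:20} {n}")
    # Against a real tenant, with TOKEN obtained from Azure AD:
    # rows = fetch_all_signins(FIRST_URL, lambda u: graph_get(u, TOKEN))
```

Keep the first request's $top at 1000 and never try to build the next page URL yourself; Graph encodes the paging state in the $skiptoken it returns, and the only correct move is to follow the @odata.nextLink exactly as given.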