Today I ran in to an issue where I couldn’t connect to Exchange Online PowerShell. I could connect to other service without issue (Office 365, Azure AD….).
When trying to connect to Exchange online I was getting an warning about basic auth.
At first I thought this was to do with Microsoft deprecating basic authentication
Exchange Online deprecating Basic Authentication – Microsoft Lifecycle | Microsoft Docs
but after reading the document it says that this doesn’t affect Exchange ActiveSync (EAS), IMAP, POP, and Remote PowerShell.
I then read the Exchange Online v2 module prerequisites
In this there is a part that winrm needs to be enabled for basic authentication even though the module uses modern authentication.
This had been working for a long time without issue so I didn’t know what exactly had changed so I decided to check the winrm config
To check the winrm configuration run the below command
winrm get winrm/config/client/auth
In my case it was being set by a GPO. We had recently applied the Windows 10 2004 baseline policy to all our Windows 10 devices so I decided to check the setting in that GPO.
Security baseline (FINAL): Windows 10 and Windows Server, version 2004 – Microsoft Tech Community
There is a spreadsheet in the document folder that has all the policy settings. In the computer policy we can see that Allow basic authentication is set to disabled.
Since this is a security risk (there is no encryption with basic authentication) and only a few device really need to connect, We decided to create a new policy that enabled this for only admins that will need to use Exchange Online PowerShell and use security filtering to only apply to a security group with the required devices.
Once basic authentication was re-enabled I was able to connect without issue.
If you have this issue and apply either the CIS or the Windows 10 baseline policy this could be the cause.
