Quick tip: Check if Exchange modern authentication is enabled

In my day to day business I often need to know if a tenant or an on-premise Exchange 2016 environment is enabled for modern authentication. Most of the time I need this information at a point in time where I do not have access to the customer's Exchange (Online) environment – and most of the time even the customer does not know if the tenant or the on-premise environment is running modern auth or not.

For Exchange Online this is often an issue, because older tenants had modern authentication turned off by default. Only tenants created at the end of 2017 or later have it enabled by default. But it is always a good idea to check that this is still the case.

With this little script you can check Exchange Online, and every Exchange on-premise where you can reach the EWS endpoint, to see if modern authentication (OAuth2) is enabled or not – without having any credentials!

It is important to understand for on-premise Exchange Server: this method will not tell you if everything is set up correctly for Hybrid modern authentication to work – but it is a starting point 🙂

How does it work?

Ok, sounds like magic to check a setting without even having credentials? No – not really – we just use the fact that a request asking for modern authentication is handled differently by Exchange depending on whether modern authentication is enabled or not.

The endpoint we are using is the EWS endpoint. For Office 365 this is always

https://outlook.office365.com/EWS/Exchange.asmx

If you send a simple POST request to this endpoint with some defined headers you can actually learn what configuration is set. The following headers must be sent to EWS:

"Authorization"="Bearer"
"Content-Type"="text/xml"
"X-User-Identity"="<username>@<domain>"
"X-EWS-TargetVersion"="2016_11_20"

You do not need an existing user to put in the X-User-Identity header. But the domain is the important part. If you want to check the tenant contoso.com you have to provide a username like something@contoso.com.

In my script I will just generate a GUID for the local part.

If you send these headers as a POST request to the O365 EWS endpoint, Exchange will tell us if it can deal with bearer authentication or not. Exchange should answer this request with a 401 unauthenticated response – but that is not the part we are interested in. We have to look more closely into the response headers. If there is an x-ms-diagnostics header sent back to our client, chances are high that modern auth is disabled. But to be 100% sure we have to evaluate the value in this header. If it tells us that "flighting is not enabled", you know for sure that this tenant/Exchange on-premise is not configured for handling modern auth!

Using invoke-webrequest in PowerShell

If you want to do this check in PowerShell you will mostly use invoke-webrequest. This is fine as long as you know how to get at the response headers. Because invoke-webrequest throws an error if Exchange requires authentication (401), we cannot read the headers directly from its return value. So we have to wrap the request in a try-catch block and take the response from the exception:

#We want to use a random username - not trying to hit a real user.
$randomUser = [GUID]::NewGuid().ToString()
$Domain = '<enter your domain name here - eg. contoso.com>'

$headers = @{
    "Authorization"="Bearer"
    "Content-Type"="text/xml"
    "X-User-Identity"="$randomUser@$Domain"
    "X-EWS-TargetVersion"="2016_11_20"
}

$uri = "https://outlook.office365.com/EWS/Exchange.asmx"

$error.clear()

Try {
   $result = Invoke-WebRequest -Uri $uri -Headers $headers -Method Post

} Catch [System.Net.WebException]{

    #Invoke-WebRequest (Windows PowerShell 5.1) throws on the 401, so we take
    #the response from the exception, as a System.Net.HttpWebResponse.
    [System.Net.HttpWebResponse]$result = [System.Net.HttpWebResponse] $_.Exception.Response
    $httperrorcode  = $result.StatusCode.Value__

    #we are interested in the 401 NotAuthenticated
    #(-eq is the comparison; a single = would assign 401 and always be true)
    If ($httperrorcode -eq 401) {

        Write-Host "Server returned 401 - lets take a look into response headers" -ForegroundColor Yellow

        #Headers is a WebHeaderCollection, so test its key list
        If ($result.Headers.AllKeys -contains "x-ms-diagnostics") {
            Write-Host "x-ms-diagnostics header found. Looking if flighting is enabled...."

            #the header value is a ;-separated list; we only care about the flighting part
            $diagnosticsHeaderContents = ($result.Headers["x-ms-diagnostics"]).Split(";")

            Foreach ($item in $diagnosticsHeaderContents) {
                If ($item -like "*flight*") {
                    Write-Host $item -ForegroundColor Yellow
                }
            }
        } Else {
            Write-Host "No x-ms-diagnostics header found. Looks like modern auth is active" -ForegroundColor Green
        }
    }
}
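The same check as a portable Python script, added here as an example and not part of the original post. The evaluation of the 401 response is kept in a separate function so it can be tested against constructed header values; the sample x-ms-diagnostics value below is constructed for illustration, only the ";"-separated layout and the "flighting is not enabled" wording come from the article.

```python
import urllib.error
import urllib.request
import uuid

EWS_URL = "https://outlook.office365.com/EWS/Exchange.asmx"


def build_headers(domain):
    """Headers from the article; the local part is a random GUID, not a real user."""
    return {
        "Authorization": "Bearer",
        "Content-Type": "text/xml",
        "X-User-Identity": f"{uuid.uuid4()}@{domain}",
        "X-EWS-TargetVersion": "2016_11_20",
    }


def classify(status, headers):
    """Evaluate the response the way the article describes.

    headers: mapping of header name -> value (looked up case-insensitively).
    Returns (state, detail) with state in {'enabled', 'disabled', 'unknown'}.
    """
    if status != 401:
        return "unknown", f"unexpected status {status}"
    lower = {k.lower(): v for k, v in headers.items()}
    diag = lower.get("x-ms-diagnostics")
    if diag is None:
        # A plain 401 with no diagnostics header: bearer auth was understood.
        return "enabled", "no x-ms-diagnostics header in 401 response"
    # Header value is ";"-separated; the flighting item tells us modern auth is off.
    for item in diag.split(";"):
        if "flight" in item.lower():
            return "disabled", item.strip()
    return "unknown", diag


def probe(domain, url=EWS_URL, timeout=15):
    """Send the anonymous POST and classify the result (needs network access)."""
    req = urllib.request.Request(url, data=b"", headers=build_headers(domain), method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:
        # urllib raises on 401, just like Invoke-WebRequest; the headers are on the error.
        return classify(err.code, dict(err.headers))
```

Run `probe("contoso.com")` against a tenant you administer to see which of the three states it reports.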

Finally

So next time you quickly want to know if an Office 365 tenant has modern authentication enabled or not, you can check this setting without any credentials. The only thing you need to know is one of the domains configured on the tenant.

6 thoughts on "Quick tip: Check if Exchange modern authentication is enabled"

  1. Ok this is a novice question I realize but need some help getting started. How do you send a “simple POST request” to Office 365?


    1. Hi dnash2017,

      there are a lot of ways to send a request to an HTTP endpoint. You can use CLI tools like curl, applications like Postman or just take the PowerShell cmdlet invoke-webrequest. Using invoke-webrequest is described in the above article. The part that is sending the actual "simple" request is:

      $result = Invoke-WebRequest -Uri $URI -Headers $headers -Method Post

      Hope this helps.

      Regards,
      Christian


  2. OK, let's assume the domain we want to check is contoso.com and we use the invoke-webrequest PowerShell. Can you confirm where "contoso.com" is placed within the script?


    1. Hi dnash2017,

      I had a little bug in my script – so the domain you want to check is part of the request header:

      "X-User-Identity"="$randomUser@$Domain"

      In my script snippet I had no assignment for the variable $Domain – I have already changed that – thanks for pointing me to this :D. The invoke-webrequest POST request sends the headers hashtable to the URI endpoint https://outlook.office365.com/EWS/Exchange.asmx.

      Hope this makes sense!

      Christian


  3. Yes, that makes sense, thanks! I'm trying to find an example of a tenant that does not have modern auth enabled/enforced to see what the message looks like. So far no luck. All the tenants I have checked have modern auth active. Do you know of a demo tenant or something like that without modern auth active?


    1. Just read this section in my article:

      If you send these headers as a POST request to the O365 EWS endpoint, Exchange will tell us if it can deal with bearer authentication or not. Exchange should answer this request with a 401 unauthenticated response – but that is not the part we are interested in. We have to look more closely into the response headers. If there is an x-ms-diagnostics header sent back to our client, chances are high that modern auth is disabled. But to be 100% sure we have to evaluate the value in this header. If it tells us that "flighting is not enabled", you know for sure that this tenant/Exchange on-premise is not configured for handling modern auth!

      Also, my script is taking care of this in the catch section.

      New tenants have enabled modern auth by default. To check this you can turn modern auth off.


      Christian
