Exchange Online Modern Authentication

The procedure describes steps to enable basic authentication for Exchange Online service accounts which is required for discovery and protection of mailboxes.


By default both basic and modern authentication are enabled. This is applicable when basic authentication is disabled.


For the Service Accounts to work in a modern authentication enabled environment, you must run the following commands.

  1. Open Windows PowerShell and create a remote PowerShell session to Office 365 with Exchange.

    $LiveCred = Get-Credential

    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $LiveCred -Authentication Basic -AllowRedirection

    Import-PSSession $Session

    Connect-MsolService –Credential $LiveCred

  2. Create the authentication policy.

    New-AuthenticationPolicy BasicAllowedOnlyForServiceAccountEWSandPS -AllowBasicAuthPowershell -AllowBasicAuthWebServices

  3. Assign the newly created authentication policy to the Mailbox Backup Service Account.

    Set-user -Identity CVServiceAccount -AuthenticationPolicy "BasicAllowedOnlyForServiceAccountEWSandPS"

You must enable multi-factor authentication (MFA) for the Exchange Online Service Account. You must provide the service account email address and the App password, which must be created so that the App can connect to Office 365.For more information, see Set up multi-factor authentication in the Office 365 admin center and Create an app password for Office 365.