Exchange Online - Block basic auth when MFA is enforced but the user has no app passwords
Currently, if a user is MFA enforced (at the user level) and has an app password, the basic auth call is blocked before it is sent to the federated realm provider (ADFS, etc.).
However, if the user is MFA enforced but has NO app passwords, the auth call is forwarded to the federated realm provider, and even if that provider grants a token, the authentication still fails (because basic auth cannot perform MFA).
In the second scenario, brute-force attempts can cause extranet lockouts and waste cycles on both sides. Also, in some cases users are not granted rights to generate app passwords, so they always end up in this state.
Authentication policies in Exchange can still prevent this, but it would be great for the logic to be updated so that it is part of the "proof-up" experience end users go through.
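As an added example (not part of the original post), this is the authentication-policy workaround mentioned above: an Exchange Online policy that blocks basic auth on every protocol, assigned to MFA-enforced users so the request is rejected by Exchange Online instead of being forwarded to the federation provider. It assumes the ExchangeOnlineManagement module and Exchange admin rights; the policy name and user list are placeholders.

```powershell
# Added example: block basic authentication for MFA-enforced users via an
# Exchange Online authentication policy. Placeholder names throughout.
Connect-ExchangeOnline

# New-AuthenticationPolicy defaults every AllowBasicAuth* switch to $false,
# so a policy created with no extra parameters blocks basic auth on all
# protocols (POP, IMAP, SMTP, ActiveSync, EWS, MAPI, RPC, PowerShell, ...).
$policyName = 'Block Basic Auth (MFA-enforced users)'   # placeholder name
$policy = Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue
if (-not $policy) {
    $policy = New-AuthenticationPolicy -Name $policyName
}

# Confirm that nothing is allowed before assigning it.
$policy | Format-List Name, AllowBasicAuth*

# Constructed list of MFA-enforced users; in practice this would be built from
# your MFA enforcement state (users with no ability to create app passwords).
$enforcedUsers = @(
    'alice@contoso.example',   # placeholder
    'bob@contoso.example'      # placeholder
)

foreach ($upn in $enforcedUsers) {
    Set-User -Identity $upn -AuthenticationPolicy $policyName

    # A new policy assignment can take up to 24 hours to be enforced; resetting
    # the refresh-token validity time makes it apply within about 30 minutes.
    Set-User -Identity $upn -STSRefreshTokensValidFrom (Get-Date)
}

# Verify the assignment on one of the users.
Get-User -Identity $enforcedUsers[0] |
    Format-List UserPrincipalName, AuthenticationPolicy
```

Once assigned, a basic-auth attempt against such a user is refused at Exchange Online, so it never reaches the federation provider and cannot contribute to an extranet lockout.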