Basic Auth Authentication through token

Question

Hello,

I have disabled BasicAuth on my tenant. I also have enabled Security Defaults with MFA enforcement.
When I perform Get-OrganizationConfig | fl DefaultAuthenticationPolicy cmdlet and check the policy, all properties regarding basic auth are set to false.

I have acquired an access token for https://outlook.office365.com resource.
Now I am using this token to open a new Powershell session via old Powershell module.

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.of fice365.com/powershell-liveid/?BasicAuthToOAuthConversion=true -Credential $credential -Authentication Basic -AllowRedirection

where $credential is my username along with the access token. It connects perfectly fine and I can invoke any cmdlet.

I cannot grasp why despite Basic Auth being disabled on my tenant, I still can establish a session with "-Authentication Basic". Does this access token approach act as a substitute for Basic Authentication in this case?

Thanks in advance!

Answer 1

The PowerShell module is simply "proxying" the token you provided (and obtained via Modern auth beforehand) and using it to create the session. You will not be prompted for credentials so effectively, you are authenticating via modern auth, just the way the token is presented is a bit different. You can look at the properties of the session, such as the URI used (which uses and endpoint that indicates what's happening: /Powershell-LiveId?BasicAuthToOAuthConversion=true) and you can even confirm that the Credentials used do not contain any password, but use the token instead.

If you have used AD FS with Exchange Online in the days before modern auth, something similar was done by Outlook and any other Exchange-releated client, with the Exchange Online server playing the role of a proxy.