How to Eliminate Exchange ActiveSync from Hybrid Exchange Environment

With Microsoft’s announcements around eliminating Basic Authentication, it is more critical than ever to ensure all users are utilizing a modern authentication solution for access to company email. Follow this up with CISA’s guidance and this is definitely one you want to pay attention to. The guidance is to disable ALL Basic Authentication methods. You definitely should do that. However, I am focusing solely on Exchange ActiveSync, as this was the most difficult one for me because it affected the most people.

This is the process I used to remove Exchange ActiveSync (EAC) from a Hybrid Exchange Environment. This won’t be a silver bullet or one-size-fits-all solution – there is no such thing. However, this process worked for me, and should serve as a decent guideline so you can make it work for you. This should also work for an Exchange Online only environment, as all the steps take place in Azure. This MAY not help if you still have mailboxes On-Prem. You’ll need to see Microsoft’s guidance on that specific scenario.

This will be a LONG one. The process is pretty straightforward, but there is a lot that goes into it. I recommend reading the entire thing before you start anything, to make sure it makes sense. You also have to make sure it fits what you are trying to accomplish. This will certainly not cover every situation, so it is up to you to know your environment well enough to know if this will work for you. So read it all once before you begin to make sure it is a good fit.

DISCLAIMER

Please understand that the content herein is for informational purposes only. Its existence and contents shall not create an obligation or liability, or suggest a consultancy relationship. Furthermore, it shall be considered as is, without any express or implied warranties, including but not limited to express and implied warranties of merchantability, fitness for a particular purpose and non-infringement. There is no commitment about the content, or that the specific functions described, their reliability or applicability, will meet your needs, whether unique or standard. Please be sure to test this process fully before deploying in ANY production capacity, and ensure you understand that you are doing so at your own risk.

Preparation Phase

Planning Stage

You’ve probably heard the old adage about solving a complex problem within an hour, right? Spend 55 minutes planning and 5 minutes executing. I feel that it is basically always true with work in the IT field. Another adage talks about how working in IT is like building an airplane that is already in flight. The idea here is that the work is never really complete, that the business doesn’t stop for IT, and that failing to plan is planning to fail. (Sorry, snuck another old adage in there…). Planning is critical with any IT project, and making changes that may disrupt employee access to email certainly carries some risk.

Decide What Your End State Looks Like

At this point, there are few if any reasons to use Exchange ActiveSync in general. As long as the employees in question have already been migrated to Exchange Online, then they will be able to switch to a Modern Authentication method with no issues. If they haven’t been migrated, then it would be wise to migrate as soon as possible. Use this change as an excuse to get them moving if you have had obstacles thus far.

In this planning process, you need to define what your end state will look like. If you don’t care if your employees use any mail app to access organizational email, then you should expect to have multiple different documents made for end user support. If you plan to have everyone using only the Outlook Mobile app, that will change what the end user documentation will look like. It also will change how you plan to enforce blocking user access. For this, I will shoot for maximum applicability, and assume users can use any app they wish for accessing email on mobile devices. It will be up to you and your organization to define what the end state will look like.

Gathering Data

The first thing to do in this phase is to start gathering data. Log into Azure Active Directory –> go to Users –> Sign-in Logs. Add “Client app” as a filter criterion, then choose Exchange ActiveSync under the Legacy Authentication Clients section. Export these results to a CSV.

[Image: Azure Active Directory Logins Page]

Now that you have this list, the first thing to do is to start looking at the successful logins for Exchange ActiveSync. The successful ones are the ones that are being used actively, so these will be the first ones disrupted. These will be the identified users who need to make the switch first.

This is also an important time to examine how users are signing in. If they are using special apps or devices, you will want to know. This report should give you the details, so as you are blocking various Legacy Authentication methods, you should be able to see what people are using before you break anything.

Next, you need to identify your groups. Start with your pilot and test groups. Pick about 2-5% of the company for the pilot. Or run a pre-pilot with part of IT first. Then strive for about 10% of the company for the test. From there understand and plan how many you expect to have in each group, and attempt to parse those names into groups. Starting with the list of current Exchange ActiveSync users is a great way to see targeted results.

Organize Your Collected Data

Once you have all the data from your sign-in logs, you need to break the affected users into groups. The plan will be to move them in groups to the policy where Exchange ActiveSync is blocked. This way you can manage the number of calls your support team will get. This is an important piece to consider. This will have direct user impact, so managing the load on support is important to avoid disrupting business processes.

Here is an example of a way to calculate this. If I have 60 users who are affected, and I think my support staff can handle 15 calls a week with this issue, then it will take me 4 weeks to complete the move.

Example: You must estimate this yourself or talk to your support team

If you don’t know how to figure this out, you will need to talk to the support staff. You can even do a trial run with a few folks on the support staff so they know the experience, and the process to fix it. Just let them know ahead of time. No one likes surprises.
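The following PowerShell is an added example, not code from the original post: it takes the sign-in log export described above, keeps only the successful Exchange ActiveSync sign-ins, collapses them to one row per user, and writes one CSV per week sized to the support desk's capacity (the pilot and test groups are simply the first files). The column names `Username`, `Status`, `Client app`, `Operating System` and `Date (UTC)` are assumed to match the portal's export and are labelled as assumptions in the code; the constructed sample rows stand in for a real export so the script runs offline. The output files carry a `userPrincipalName` column, which is what the group-add script later in this post reads.

```powershell
# Added example (not from the original post): build per-week cohort CSVs from an Azure AD
# sign-in log export, sized to what the support desk can absorb.
# Assumptions (labelled): the export carries the portal's "Username", "Status", "Client app",
# "Operating System" and "Date (UTC)" columns; rename them below if your export differs.

$perWeek = 2                   # users support can handle per week (the post's example uses 15)
$outDir  = ".\eas-cohorts"     # one CSV per week is written here
$export  = ""                  # path to your exported CSV; leave empty to use the constructed sample

# Constructed sample rows in the export's shape, used when $export is empty
$sample = @"
"Date (UTC)","Username","Status","Client app","Operating System"
"2022-07-01T08:00:00Z","alice@contoso.example","Success","Exchange ActiveSync","iOS"
"2022-07-01T09:10:00Z","bob@contoso.example","Success","Exchange ActiveSync","Android"
"2022-07-02T07:30:00Z","alice@contoso.example","Success","Exchange ActiveSync","iOS"
"2022-07-02T11:05:00Z","carol@contoso.example","Success","Exchange ActiveSync","Windows"
"2022-07-02T12:00:00Z","dave@contoso.example","Failure","Exchange ActiveSync","Android"
"2022-07-03T06:45:00Z","erin@contoso.example","Success","Exchange ActiveSync","iOS"
"2022-07-03T08:00:00Z","frank@contoso.example","Success","Browser","Windows"
"2022-07-03T09:00:00Z","grace@contoso.example","Success","Exchange ActiveSync","Android"
"@

function Get-ActiveEasUsers {
    # One row per user that still signs in successfully over Exchange ActiveSync.
    param([object[]]$Rows)
    $Rows |
        Where-Object { $_.'Client app' -eq 'Exchange ActiveSync' -and $_.Status -eq 'Success' } |
        Group-Object Username |
        ForEach-Object {
            $dates = $_.Group | ForEach-Object { [datetime]$_.'Date (UTC)' }
            [pscustomobject]@{
                userPrincipalName = $_.Name                     # column name the group-add script expects
                SignIns           = $_.Count
                LastSeen          = ($dates | Sort-Object -Descending | Select-Object -First 1)
                Platforms         = ($_.Group.'Operating System' | Sort-Object -Unique) -join ';'
            }
        } |
        Sort-Object SignIns -Descending                         # most active users are disrupted first
}

function Split-IntoCohorts {
    # Writes weekNN.csv files of at most $PerWeek users each and returns the number of weeks.
    param([object[]]$Users, [int]$PerWeek, [string]$OutDir)
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $weeks = [math]::Ceiling($Users.Count / $PerWeek)
    for ($i = 0; $i -lt $weeks; $i++) {
        $batch = @($Users | Select-Object -Skip ($i * $PerWeek) -First $PerWeek)
        $path  = Join-Path $OutDir ("week{0:D2}.csv" -f ($i + 1))
        $batch | Select-Object userPrincipalName | Export-Csv -Path $path -NoTypeInformation
        Write-Host ("Week {0}: {1} user(s) -> {2}  [{3}]" -f ($i + 1), $batch.Count, $path, ($batch.userPrincipalName -join ', '))
    }
    return $weeks
}

$rows  = if ($export) { Import-Csv $export } else { $sample | ConvertFrom-Csv }
$users = @(Get-ActiveEasUsers -Rows $rows)
$users | Format-Table -AutoSize
$weeks = Split-IntoCohorts -Users $users -PerWeek $perWeek -OutDir $outDir
Write-Host ("{0} affected user(s) -> {1} week(s) at {2} per week" -f $users.Count, $weeks, $perWeek)
```

With the sample data, the failed sign-in (dave) and the browser sign-in (frank) drop out, leaving five users and three weekly files at two users per week. Sorting by sign-in count puts the heaviest Exchange ActiveSync users in the first cohorts, which is where the support desk learns the most about the real failure modes.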

Work with Support Staff for Best Transition

I also HIGHLY recommend working with support staff to create knowledge articles or self-service instructions on how to fix this issue. In most cases the user just needs to sign out and sign back into their email using a Modern Authentication method. Having instructions for each device would greatly increase the number of users the support staff can handle, because many users will resolve their own issue. This can DRASTICALLY decrease the amount of time it takes to roll this out.

Building the Tools

At this point, the planning should be done. Now we will create the tools we will use to make these changes. These are the changes we need to make.

  • Script to Disable EAC for all New/Future employees
  • Create Conditional Access Policies to Block EAC for members of a security group
  • Create PowerShell script with CSV import to periodically add members to CA security group
  • Plan to Uncheck Box for EAC in Microsoft 365 Admin Center

For portions of this process, you will need both Microsoft Exchange Online PowerShell and Azure AD PowerShell. The Exchange Online settings can only be configured via PowerShell, and we will use the Azure AD PowerShell module to add members to our groups in bulk.

Use these instructions to install both modules ahead of time. (This is as of July 2022, so you may need newer versions if you are reading this later).

Disable EAC for all New/Future Employees

This is an easy way to stop the problem from getting any worse. Preventing new users from setting up old methods is the first step to solving this issue.

To do this, we will start by connecting to Exchange Online PowerShell. Once you are connected, you can run these commands to get the default mailbox plan where we will start to disable Exchange ActiveSync.

Get-MailboxPlan | Select Name,IsDefault | where {$_.IsDefault -eq $true}

This should give us the default Mailbox Plan for our tenant. This is where we will start, however, you will need to repeat these steps for the other plans if you use the other plans. Just remove the ‘where’ clause in that PowerShell command and you will see all plans. If you aren’t sure, just worry about the Default for now, and you will see if anyone else pops up in the Sign-Ins list after you are finished with the entire project.

To quickly disable Exchange ActiveSync for everyone on the plan, you can run this short two-line script after connecting to Exchange Online PowerShell.

$plan = Get-MailboxPlan | Select Name,IsDefault | where {$_.IsDefault -eq $true}
Set-CASMailboxPlan $plan.name -ActiveSyncEnabled:$False

Once this has been run, any new users who are added will already have EAC disabled. This means we no longer have to worry about new users adding to the number of people affected.
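Because the post says to repeat the step for every mailbox plan you use, here is an added example (not the post's own code) that loops over all plans rather than only the default, skips the ones already disabled, and then verifies nothing was missed with `Get-CASMailboxPlan`. It assumes an existing Exchange Online PowerShell session opened with `Connect-ExchangeOnline` and an account holding the Exchange Administrator role.

```powershell
# Added example (not the post's own code): disable Exchange ActiveSync on every mailbox plan,
# not only the default one, and verify the result afterwards.
# Assumption: an Exchange Online PowerShell session is already connected (Connect-ExchangeOnline).

$plans = Get-MailboxPlan | Select-Object Name, IsDefault

foreach ($plan in $plans) {
    # Get-CASMailboxPlan exposes the per-plan client access switches, including ActiveSyncEnabled
    $cas = Get-CASMailboxPlan -Identity $plan.Name
    if ($cas.ActiveSyncEnabled) {
        Write-Host ("Disabling ActiveSync on plan '{0}' (default plan: {1})" -f $plan.Name, $plan.IsDefault)
        Set-CASMailboxPlan -Identity $plan.Name -ActiveSyncEnabled:$false
    }
    else {
        Write-Host ("Plan '{0}' already has ActiveSync disabled" -f $plan.Name)
    }
}

# Verification pass: any plan still reporting ActiveSyncEnabled = True means a newly created
# mailbox on that plan would still get Exchange ActiveSync, i.e. the "new users" control has a gap.
$stillEnabled = @(Get-CASMailboxPlan | Where-Object { $_.ActiveSyncEnabled } | Select-Object -ExpandProperty Name)
if ($stillEnabled.Count -gt 0) {
    Write-Warning ("ActiveSync is still enabled on: {0}" -f ($stillEnabled -join ', '))
}
else {
    Write-Host "ActiveSync is disabled on all mailbox plans"
}
```

Only mailboxes provisioned after the change pick up the plan setting, which is exactly why the post keeps the Conditional Access policy for the users who already have mailboxes; the verification pass at the end is worth re-running whenever a new licence SKU (and therefore a new plan) appears in the tenant.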

Create Conditional Access Policies for Roll-Out

To get started, login to Azure Active Directory. Navigate to Groups, and Create a new Group.


In the new group, you want to give it an appropriate name. Ours will be a security group named “CA policy – Block EAC”. Give it a description, and add any members you want to include for initial testing.


Now we will create the conditional access policy that will allow us to manage the roll out in a controlled manner for select individuals. This will be used for the Pilot, Testing, and Production phase of this plan.


From here, create a New Policy, and give it an appropriate name. We will configure the following settings:

  • Assignments: Users or Workload Identities –> Select Users and Groups –> “CA Policy – Block EAC”
  • Cloud apps or Actions: All Cloud apps
  • Conditions: Client Apps –> Configure = Yes, check only Exchange ActiveSync clients
  • Grant Access: Set to Block

Finally, set this policy to ON and save it. Now we will be ready to start adding users who are part of the pilot and test groups once we get to that phase.
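The same policy can be created from PowerShell instead of the portal. The block below is an added example, not the post's own code, and uses the Microsoft Graph PowerShell module (`Microsoft.Graph`) rather than the AzureAD module the post uses elsewhere. It assumes the module is installed, that the security group from the previous step already exists under the name you gave it (the `$groupName` value is an assumption; match it to yours), and that the signed-in account can consent to the `Policy.ReadWrite.ConditionalAccess`, `Group.Read.All` and `User.Read.All` scopes. The emergency-access UPN is a constructed placeholder. It starts the policy in report-only mode so the sign-in log shows who would be blocked before anyone is.

```powershell
# Added example (not the post's own code): create the "block Exchange ActiveSync for a group"
# Conditional Access policy with Microsoft Graph PowerShell, starting in report-only mode.
# Assumptions: Microsoft.Graph module installed; the group below already exists; the
# emergency-access UPN is a constructed placeholder to replace with your own break-glass account.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All", "User.Read.All"

$groupName = "CA Policy - Block EAC"                 # assumption: the post's group name
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found; create it first." }

# Exclude the emergency-access account so the policy can never lock the admins out.
$breakGlassUpn = "emergency-access@contoso.example"   # constructed placeholder
$breakGlass = Get-MgUser -UserId $breakGlassUpn -ErrorAction SilentlyContinue
$excludeUsers = if ($breakGlass) { @($breakGlass.Id) } else { @() }

$policy = @{
    displayName   = "Block Exchange ActiveSync (staged rollout)"
    # Report-only first: sign-ins are logged as "Report-only: Failure" instead of being blocked.
    # Change to "enabled" once the pilot group has been notified.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeGroups = @($group.Id); excludeUsers = $excludeUsers }
        applications   = @{ includeApplications = @("All") }      # "All cloud apps"
        clientAppTypes = @("exchangeActiveSync")                   # the "Exchange ActiveSync clients" box
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }   # Grant: Block access
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host ("Created policy {0} ('{1}') in state {2}" -f $created.Id, $created.DisplayName, $created.State)

# Clean Up phase end state: once the sign-in log shows no more successful EAS sign-ins,
# widen the scope from the group to all users and enforce it.
function Set-PolicyToAllUsers {
    param([string]$PolicyId, [string[]]$ExcludeUsers)
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId -BodyParameter @{
        state      = "enabled"
        conditions = @{ users = @{ includeUsers = @("All"); excludeUsers = $ExcludeUsers } }
    }
}
# Set-PolicyToAllUsers -PolicyId $created.Id -ExcludeUsers $excludeUsers   # run this at the very end
```

Report-only mode is the safety net the portal steps above do not mention: while the policy is in that state you can filter the sign-in log on the policy's name and see exactly which accounts (service accounts included) would be blocked, before flipping `state` to `enabled` for the pilot group. The `Set-PolicyToAllUsers` function is the PowerShell form of the later Clean Up step that switches the policy to ‘All Users’.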

Create PowerShell Script to Add users to AAD Group

Fortunately for us, I’ve already written an article that talks about how to add user accounts to an Azure AD group in bulk. For greater detail, check out that article for the ins and outs of what we were trying to accomplish there. At a minimum, check it out so you can see what the CSV columns need to be.

# Courtesy of SeeSmitty - https://github.com/SeeSmitty/Powershell/blob/main/Add-UsersToAzureADGroup.ps1

#connect to azure ad
Connect-AzureAD

#import a CSV with the list of users to be added to the group (needs a userPrincipalName column)
$list = Import-Csv "C:\Users\SeeSmitty\Downloads\UserList.csv"
#Name of the group being added
$group = "Group Name"

#get the object ID from Azure (exact display-name match, so a similarly named group is not picked up)
$GroupObjectID = Get-AzureADGroup -Filter "DisplayName eq '$group'" | Select -Property ObjectID
if (-not $GroupObjectID) { throw "Group '$group' not found" }

#roll through the list to look up each user and add to the group.
foreach ($y in $list){
    $y2 = Get-AzureADUser -ObjectId $y.userPrincipalName -ErrorAction SilentlyContinue | Select -Property ObjectID
    if (-not $y2) {
        Write-Host $y.userPrincipalName "not found in Azure AD, skipping"
        continue
    }
    try {
        #-ErrorAction Stop makes the "already a member" error terminating so the catch block runs
        Add-AzureADGroupMember -ObjectId $GroupObjectID.ObjectID -RefObjectId $y2.ObjectId -ErrorAction Stop
        Write-Host $y.userPrincipalName "added"
    }
    catch {
        if ($_.Exception.Message -match 'already exist') {
            Write-Host $y.userPrincipalName "is already a member"
        }
        else {
            Write-Warning "$($y.userPrincipalName): $($_.Exception.Message)"
        }
    }
}

#Disconnect Azure AD
Disconnect-AzureAD

Otherwise, the script is located here. The plan will look like this:

  • Define the user accounts to be added in each phase of the schedule
  • Add user accounts via PowerShell group and CSV file to AAD group
  • Support User accounts in transition to non-EAC method
  • Repeat Process with next group

You will do this with the pilot group, then the test group(s), then the production group(s). This way you can add a specific number of members each time, which allows you to control the number of people affected each round.

Plan to Uncheck the Exchange ActiveSync box in Microsoft 365 Admin Console

Pretty much what it says. Know where the box is, as this will be the last step once we get everyone moved into the group that blocks access to EAC. Navigate to https://admin.microsoft.com. From there, expand the list to see all options. Click on Settings –> Org Settings. Click on the Modern Authentication link. You should see Exchange ActiveSync and the other legacy authentication methods. When we are all finished, we will uncheck the box. DON’T DO THIS YET! Wait until the end.

[Image: Microsoft 365 admin center menu for legacy authentication methods] This is the goal! We can get there together

Testing Phase

Plan and Schedule Testing Process

Our testing phase is where we will test and perfect our process. Inevitably, there will be things we didn’t plan for, or didn’t know about, that will break when we change something. So the goal is to minimize the amount of damage that can happen when something does break. That means our testing phase must be small enough that it is contained, yet large enough to be representative of the organization as a whole. Having multiple levels of testing gives us access to more user accounts while managing the risk in a controlled way. To do this, we will follow the steps below.

Define your Pilot Group

Choose a number that represents about 2-5% of the affected population. Pick something that makes sense to you. This will be our initial pilot group as we figure out the process and the ‘gotchas’ that we might miss initially. Include some of the support staff in this group so they can experience this first hand.

Notify your Pilot Group

For the testing phase it is important to notify the pilot group ahead of time. Otherwise, you will not get any feedback on the process. Feedback is the purpose of this pilot group, so it is a failure if they don’t know it is happening. This is also a great place to solicit feedback on self-service instructions that you have created, or to help shape those you plan to create.

Prepare a Way to Collect Feedback

Have a method for collecting feedback. It can be a simple email questionnaire or a survey with Microsoft Forms. Or it could be a specially crafted ticket in the ticketing system. Ask some basic questions about the experience, process, notification and self-service instructions. Also let them know ahead of time you will be asking for feedback, so they are more likely to provide it.

Schedule and Execute Your Pilot

Be sure to let the pilot group know what is happening, and when it will happen. This way it doesn’t get confused with other potential changes in the organization.

Gather Feedback and Prepare for Test Group

After the roll out to the pilot group, use your predefined method for collecting feedback, and get it collected. Use the information to prepare for the things you missed during the roll out to make the next group smoother and more efficient. Include the support staff in the feedback if you want to know how they felt about the experience.

Repeat Process for Test Group

Repeat the same process for the test group so you can get more feedback, and further refine the process. Depending on the size of your environment, you may find you need to repeat with increasingly larger test groups until you get a good sense of what to expect.

Gather Feedback and Prepare for Production

This is where you need to understand your production roll out process. Have your group size in mind and collect as much feedback as possible from your pilot and test group, as well as the support staff. By now, most kinks and snags should be ironed out of the process.


Production Roll-Out Phase

Final Checks Before Roll out

At this point we are ready to start with the masses. By now you should have about 10-15% (at least) of all user accounts in the group that applies the Conditional Access policy to block Exchange ActiveSync. This should ideally represent a smaller scale version of everyone in the organization. If not, look to identify anyone else not represented, and look to get them into the group before you roll out to everyone else. The goal is to identify as many potential issues as possible before they happen on a large scale. Once you feel confident in this, you can begin the production roll out to everyone else.

Ensure you have your groups defined

Like we mentioned before, you should break out the remaining user accounts into groups. This should be based on the number of users the support staff can handle at a time. Make sure you have these defined and ready to go. You can always scale up or down as you go, but you don’t want to apply it without having some plan in place.

Ensure you have end user documentation available

Having a clearly defined process along with documentation is key. Ideally you tested your documentation with the pilot and test groups. Refine that documentation, and make it as easy as possible for end users. If it is too long, too wordy, or too confusing, it will fail. Your support staff will be overwhelmed. If you have the time and resources available, you should explore creating videos with a voice over to help ease the transition.

If you are using the Outlook Mobile app for your users, you can try using pre-made videos like this one. Just make sure the process matches what you want users to do, as any changes will confuse users, and result in a greater number of support tickets.

Ensure you have a timeline defined

Having a timeline is key. It is much easier to work through conflicts or grievances if you have a clearly defined timeline. It helps ensure that things happen consistently, and that any push back you get has the support of a well planned and clearly thought out project. It also helps you get an idea of whether or not you will hit your timeline. If your first group results in more support requests than you anticipate, then you may need to change your timeline. If it results in less, you may be able to load up a more aggressive schedule. Either way, it will make sure you have a plan and can manage things in a controlled manner.

Ensure you have Executive/Stakeholder support

This is true about any project really, but it is really important to have someone with some authority to back you up. Any time you are changing things, and want to modify how people do things, you will face resistance. Having support from your boss or your executive will help ensure you have fewer road blocks, and that speed bumps are passed quickly and with minimal pain.

Time to Start

At this point, you are ready to begin. Planning is essential to everything being successful and smooth. Acknowledge that you will probably have issues and unexpected things come up. It’s part of the process. Testing is about finding as many as possible and being prepared ahead of time. Roll out is where you find out how well your testing phase went. It is important to stick to your process, your schedule, and your documentation. If you have a clearly defined process and supporting documentation, it will make any arguments or push-backs easier to handle. Everyone is going through the same process, so no one is special.


Clean Up Phase

First steps after the roll out begins

Once the roll out begins, it is time to start figuring out what you missed. Look for service accounts or proprietary applications using Exchange ActiveSync. Look for anything else you may have missed because it isn’t a standard user account. Check the Azure sign-in logs mentioned above for more information about what you might be missing. You need to continue to monitor these logs until you no longer see any successful logins.

Once all users are moved to the group for Conditional Access, you can begin to make the big changes that will affect the organization as a whole.

Failed Sign-Ins from Azure Sign in logs

At some point, you will likely see failed logins for Exchange ActiveSync. Some of these may also come from users who have already moved to the Conditional Access policy. Most likely these are either old devices that were connected previously, or are from users who have been moved, but never followed instructions to actually make a change. Old devices can be blocked from the Exchange Admin Console in the mobile devices area.

Users who haven’t moved yet will need to be notified that access will be blocked without the move, and you should block the device from access. Just be sure you have the support of your stakeholders before these types of ultimatums to avoid any office politics…
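To keep watching the sign-in log until the successful Exchange ActiveSync sign-ins reach zero, and to separate the remaining successes from the failures described above, here is an added example (not the post's own code) that pulls the log through Microsoft Graph PowerShell instead of exporting it from the portal each time. It assumes the `Microsoft.Graph` module, the `AuditLog.Read.All` and `Directory.Read.All` scopes, and an Azure AD Premium licence (reading sign-in logs through Graph requires one); the seven-day lookback is an arbitrary choice.

```powershell
# Added example (not the post's own code): summarise Exchange ActiveSync sign-ins per user from
# the Azure AD sign-in log via Microsoft Graph, splitting successes (users still on EAS) from
# failures (blocked old devices, or users who were moved but never switched clients).
# Assumptions: Microsoft.Graph module installed; AuditLog.Read.All + Directory.Read.All consented.

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$lookbackDays = 7
$since = (Get-Date).ToUniversalTime().AddDays(-$lookbackDays).ToString("yyyy-MM-ddTHH:mm:ssZ")

# clientAppUsed and createdDateTime are filterable server-side; success/failure is decided
# client-side from Status.ErrorCode (0 = success; a Conditional Access block is non-zero).
$signIns = Get-MgAuditLogSignIn -All -Filter "clientAppUsed eq 'Exchange ActiveSync' and createdDateTime ge $since"

$report = @($signIns | Group-Object UserPrincipalName | ForEach-Object {
    $ok   = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 })
    $fail = @($_.Group | Where-Object { $_.Status.ErrorCode -ne 0 })
    [pscustomobject]@{
        userPrincipalName = $_.Name
        Successes         = $ok.Count
        Failures          = $fail.Count
        LastSuccess       = ($ok | Sort-Object CreatedDateTime -Descending | Select-Object -First 1).CreatedDateTime
        Platforms         = ($_.Group.DeviceDetail.OperatingSystem | Where-Object { $_ } | Sort-Object -Unique) -join ';'
        CAResult          = ($_.Group.ConditionalAccessStatus | Sort-Object -Unique) -join ';'
    }
})

# Still succeeding: these accounts (users, service accounts or apps) have not been moved yet.
Write-Host "Accounts still signing in successfully over Exchange ActiveSync:"
$report | Where-Object Successes -gt 0 | Sort-Object Successes -Descending | Format-Table -AutoSize

# Failing only: the "moved but never switched" or "old device still trying" cases from the post.
Write-Host "Accounts with only failed Exchange ActiveSync sign-ins:"
$report | Where-Object { $_.Successes -eq 0 -and $_.Failures -gt 0 } | Format-Table -AutoSize

# Exit criterion for the Clean Up phase: no successful EAS sign-in in the lookback window.
$remaining = @($report | Where-Object Successes -gt 0).Count
if ($remaining -eq 0) {
    Write-Host "No successful Exchange ActiveSync sign-ins in the last $lookbackDays days"
}
else {
    Write-Host "$remaining account(s) still using Exchange ActiveSync; keep the policy scoped to the group"
}
```

The `CAResult` column is the useful one for the failure list: a value of `failure` next to a user who is already in the blocking group confirms the policy is doing its job, while a failing user who is not in the group and has no Conditional Access result is more likely an old device with stale credentials, which the post says to block from the Exchange admin center's mobile devices area.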

Conditional Access Policy

The first thing we can do once there are no more sign-ins in the Azure logs is to change the Conditional Access policy to apply to ‘All Users’ instead of the group defined before. This ensures no one is missed, and that all account types (Guest, Admin and service accounts) are covered under this policy.

Microsoft 365 Admin Center

Like we mentioned before, you can now go to the Microsoft 365 Admin Center and turn off this setting globally. This is the recommendation from Microsoft and CISA, and marks the “completion” of turning off Exchange ActiveSync. To make this change, you need to navigate to https://admin.microsoft.com. From there, expand the list to see all options. Click on Settings –> Org Settings. Click on the Modern Authentication link. Uncheck the box for Exchange ActiveSync and hit save. Just in case, be prepared for fall out. There should be none if you have followed these steps thus far, however, just be sure to be prepared.

Things you DON’T need/want to do

Here are some “gotchas” that you definitely don’t want to do. (Don’t ask me how I know).

  1. DON’T uncheck the Exchange ActiveSync (Mobile) box on user accounts – In the Microsoft 365 Admin Center, you can click on a user account and see the apps the user is allowed to use to connect to email. Unfortunately, this box doesn’t do what you may think. Unchecking it essentially blocks ALL access from mobile devices. It doesn’t turn off Exchange ActiveSync for a user; it turns off all mobile access. Leave this box checked and follow the other steps to make sure Exchange ActiveSync is off. Leaving this on with Exchange ActiveSync off will force Modern Authentication for mobile devices.
  2. DON’T block access to Exchange ActiveSync in the Exchange ActiveSync Access Settings – This is essentially the same thing as unchecking the box above. If you change the setting from Allow/Quarantine to Block, this will again block all access to email from mobile devices. Unless that is the desired result, you don’t want to change this setting. If you want to lock it down more, make sure it is on Quarantine; just know that you will have to approve both new and existing devices. Don’t make this change without having a plan.

Conclusion

So there it is. Like I said before, this isn’t all-inclusive, and it isn’t intended to be. Every environment is different, so you should take this as a guide and make it fit your environment. This is no small undertaking, so don’t approach it lightly. Take your time and plan it out. The more you plan upfront, the better prepared you will be for what happens. Take this guide and use it to plan your own changeover. Also, everything here can be applied to the other forms of legacy authentication. Follow the same process, or wrap those processes into this one. Just be sure that you plan those as well.

As always, hit me up on Twitter @SeeSmittyIT to let me know what you thought of this post. Thanks for reading!

Smitty

Curtis Smith works in IT with a primary focus on Mobile Device Management, M365 Apps, and Azure AD. He has certifications from CompTIA and Microsoft, and writes as a hobby.
