Microsoft has deprecated basic authentication access to Exchange Online APIs. Microsoft has switched to Modern Authentication, which is based on OAuth 2.0 to increase security. Users with existing Microsoft Online tenants can continue using basic authentication until Microsoft ends support in the second half of 2021; However, new tenants must use token-based authentication.
Token-based authentication also changes the attributes controlled in Practice Protect and Microsoft 365. Below are the main changes to take into account, as certain attributes will no longer be controlled or synced from Practice Protect:
Controlled in Practice Protect: (Will Overwrite)
- Display Name
- Location
- Immutable ID
- Primary Email/Username/UPN (it will be the primary)
Controlled in Microsoft 365: (Will Not Overwrite)
- Email Alias’s (Proxy Addresses)
- Microsoft 365 Licensing.
- HideFromAddressList
- Manager
- Addresses
- Other Contact Fields
Steps: Disable Entra ID DirSync
As Token-Based Authentication uses the Microsoft Graph API instead of the Entra ID DirSync module, you are required to disable DirSync (If enabled)
1. Using the Powershell tool, connect to Azure Msol Service with this command
“Connect-MsolService” then,
2. Run Set-MsolDirSyncEnabled -EnableDirSync $false
3. This will start the disable process. This can take up to 72 hours. Logins will be fine during this time, you just cannot create or modify users during this period.
4. Run the following command to check the status. (Get-MSOLCompanyInformation).DirectorySynchronizationStatus
You must wait until “PendingDisable” changes to “Disabled” This can take 24-72 hours.
5. Once Disabled you can run a FullSync – This will not enable DirSync and will use Microsoft Graph API to update users in Microsoft 365.
Steps: Register an Entra ID application
1. Log in to Microsoft Entra ID using an Admin Account.
2. On the left navigation menu, go to Applications > App registrations, then click New registration.
3. Enter a name for your app. “Practice Protect Entra ID”
4. Select Accounts in this organizational directory only (your_domain only – Single Tenant).
5. Click Register.
The overview page for your registered app appears.
6. The client secret value will be unavailable once you log out, so it’s critical to capture the value now.
7. Go to API permissions, then click Add a permission.
8. Click Microsoft Graph.
9. Click Application permissions.
Scroll down the permissions list and select the following permissions, then click Add permissions.
| Delegated | Application |
|---|---|
| Directory.AccessAsUser.All | Application.ReadWrite.All |
| Directory.ReadWrite.All | Application.ReadWrite.OwnedBy |
| Group.ReadWrite.All | Directory.ReadWrite.All |
| Organization.ReadWrite.All | Domain.ReadWrite.All |
| User.ManageIdentities.All | Group.Create |
| User.Read | Group.ReadWrite.All |
| User.Read.All | Organization.ReadWrite.All |
| User.ReadWrite | User.ManageIdentities.All |
| User.ReadWrite.All | User.ReadWrite.All |
Azure updates the permissions for your app; However, you still need to provide and grant admin consent manually.
10. Click Grant admin consent for <your company>.
11. Click Yes on the confirmation prompt.
Since you are already logged in as an administrator, a notification Successfully granted admin consent for the requested permissions. appears at the top of the page.
12. Returning to the left navigation menu, proceed to Roles & Admins > Roles & admins Now go to Roles and Administrators.
13. Search for the role of Global Administrator and Click on it.
14. Click on Add assignments.
15. Search for the App name from Step 3. Highlight it and Add. This will assign the App to the Global Admin role.
Note: This type is a ServicePrincipal, not a user. 
16. Go back to the Overview setting of the app. Copy the Application (client) ID, Directory ID (tenant), and the Object ID. Keep those details as they will be used for the Federation or the next steps.
17. Open PowerShell again and run the following commands to connect to AzureAD and create a secret key with a custom set of date variables.
Connect-AzureAD
$StartDate = Get-Date
$EndDate = $startDate.AddYears(100)
Then run the following command below to generate a secret key. Change the ObjectID based on what you copied in Step 16.
New-AzureADApplicationPasswordCredential -ObjectId 359489f0-ee65-448d-8fd2-4f02a969583b -StartDate $startDate -EndDate $endDate
Make sure to Copy the Value Output to your clipboard/notepad.
18. You should now have the details for the Secret Key, Application (client) ID, and Directory (tenant) ID.
Update Authentication Method (Token-Based Auth)
Practice Protect Microsoft 365 Email Integration/Federation uses token-based authentication nowadays. However, if your firm was set up with the old Basic Authentication, continue and follow the steps below:
1. Login to Practice Protect Admin, Web Apps > Office365 Federation app. On the Authentication Method, Select Token-Based Authentication.
2. Copy and paste the value/output that was created from the steps above to these fields (Directory ID, Client ID, Client Secret)
3. Go to Provisioning
20. Scroll down to Provisioning Script:
Update the Script to include the following:
if (isPerson()) {
//UsageLocation
destination.UsageLocation = “AU”;
destination.Mail = source.CanonicalizeName;
}
Save the Script.
21. Go to Settings – Users – Outbound Provisioning and Start Sync.