If your business is using Microsoft legacy authentication, your systems may be at risk of being compromised.
Why?
Legacy authentication protocols such as POP, MAPI, SMTP, and IMAP can't enforce multifactor authentication, which makes them favored entry points for adversaries.
But, there's more.
In this article, we explain what legacy authentication is, why it's important to block legacy authentication, and how to protect your business from cyber threats.
Microsoft legacy authentication refers to the basic authentication protocol that allows users to sign in to email and other Microsoft applications and cloud services.
It’s an authentication request made by either:
Legacy authentication isn't a single protocol; the term covers any protocol that doesn't support or allow multi-factor authentication (MFA), or two-factor authentication (2FA).
This leaves apps and clients vulnerable to attacks and unauthorized access attempts.
Many compromising sign-in attempts originate from legacy authentication clients because of their weak security.
Protocols that support and allow MFA are modern authentication methods, such as ADAL and OAuth, used in Azure AD and Microsoft 365.
Modern authentication is a user identity management method that offers safer and more secure user authorization and authentication than legacy authentication.
It allows users to interactively authenticate their login with a web dialog of the ID provider (Azure AD) instead of the app (Outlook, Thunderbird) or OS (Windows).
This means the ID provider doesn't trust the apps and services to handle user credentials.
Only the ID provider, Azure AD, is trusted to deal with the credentials and is allowed to issue tokens.
With legacy authentication, you’re not protected, even if you use endpoint detection and response.
Let's compare legacy authentication with modern authentication:

| Legacy (basic) Authentication | Modern Authentication |
| --- | --- |
| A network or client protocol that can't support modern authentication, either because it is incapable of it or because it has no configuration for it. | A service or client that allows MFA/2FA and can use SAML, OpenID Connect, and/or OAuth 2.0 authentication. |
| The client interacts with the application rather than the user: it sends both the username (login) and password to the email service or application on the user's behalf. | A service or client that accepts redirects to an identity provider for authentication interactions and supports the authentication tokens of the above protocols. |
| The application, and not the user, uses the login and password information to get a login token. | |
Legacy authentication methods are vulnerable to account breaches and expose security weaknesses that allow hackers backdoor access to organization data.
Unlike modern authentication, legacy authentication neither understands nor supports MFA.
MFA is the most basic modern protection against account breaches, and any security program that lacks it is weak and vulnerable.
This makes legacy authentication susceptible to automated breaches and attacks such as keylogging, brute force, and password spray.
Furthermore, even if you've enabled an MFA policy on your directory, a legacy protocol can still allow bad actors to authenticate and bypass MFA.
The only sure way to protect your account from attackers and malicious authentication is to block legacy protocols.
Microsoft will disable legacy authentication for all Microsoft 365 clients on October 1, 2022.
You can use several methods to block legacy authentication in Microsoft 365 and other apps.
If security defaults are enabled in your Office 365 tenant (either because you turned them on manually or because the tenant was created after October 2019), legacy authentication is already blocked at the tenant level.
You can also block legacy authentication directly in the admin center of Azure Active Directory, Microsoft 365, or Exchange Online.
Use the following steps to block legacy (basic) authentication with the conditional access policy.
You can only block legacy authentication through conditional access (CA) if you have Microsoft licensing that gives you Azure AD Premium P1 or P2.
To check the license:
Once you confirm this, you can proceed and initiate a new policy.
Through the Azure AD premium license P1 or P2, you can create a conditional access policy.
This will block legacy authentication for all users in your directory.
You can also select only a group of users to block.
But, it's recommended to disable legacy authentication for all the users and apps in your directory.
To do this:
Creating a new policy requires you to give it a name.
Under "New conditional access policy," name the policy and give it assignments.
You can select users and groups, including guests and external users, directory roles, or specific users and groups.
Choose according to what you want the policy to cover.
On the Cloud apps or actions section, you'll specify the clients that will use the conditional access policy.
You can also select apps if you want to specify only the apps that use conditional access.
Once you select the apps, you'll need to set conditions of use.
Once you've specified the policy's clients:
Voila!
You've blocked legacy authentication with the conditional access policy.
This policy will show up in your conditional access policies list—it can take up to 24 hours to take effect.
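The same policy, built with the Microsoft Graph PowerShell SDK instead of the portal clicks above, as an added example that is not part of the original article. It first lists the legacy-client sign-ins from the sign-in logs (the attempts described earlier), then creates the policy in report-only mode; `$breakGlassId` is an assumed placeholder for an emergency-access account.

```powershell
# Added example (not part of the original article): the Conditional Access policy
# described above, created with the Microsoft Graph PowerShell SDK
# (Install-Module Microsoft.Graph). Requires Azure AD Premium P1 or P2.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "Application.Read.All", "AuditLog.Read.All", "Directory.Read.All"

# Step 1: see who still signs in with legacy clients before blocking them.
# Azure AD labels such sign-ins with the client app names below.
$legacyClients = "Authenticated SMTP", "IMAP4", "POP3", "MAPI Over HTTP",
                 "Exchange ActiveSync", "Outlook Anywhere (RPC over HTTP)", "Other clients"
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.ClientAppUsed -in $legacyClients } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Step 2: create the policy. Assumption: $breakGlassId is the object ID of an
# emergency-access account, excluded so the policy can never lock out every admin.
$breakGlassId = "<OBJECT-ID-OF-BREAK-GLASS-ACCOUNT>"   # placeholder, not a real ID

$policy = @{
    displayName = "Block legacy authentication"
    # Report-only first: the sign-in logs then show what would be blocked without
    # blocking anyone. Switch to "enabled" once the report is clean.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @("All") }
        # "exchangeActiveSync" and "other" are the client app types Azure AD
        # assigns to legacy (basic) authentication clients such as POP, IMAP, SMTP and MAPI.
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Step 3, after reviewing the report-only results: enforce the policy.
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
    -BodyParameter @{ state = "enabled" }
```

Run Step 3 only after the report-only period shows no legitimate clients left on legacy protocols.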
Remember: If your directory has enabled security defaults, legacy authentication is already disabled in your Exchange Online. You'll need to block legacy authentication through PowerShell manually.
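For the PowerShell route mentioned in the note above, this added example (not from the original article) uses the Exchange Online Management module to block Basic authentication for the whole tenant and to verify nothing overrides it; the policy name is an assumed value.

```powershell
# Added example (not part of the original article): blocking Basic authentication
# in Exchange Online with the Exchange Online Management module
# (Install-Module ExchangeOnlineManagement).
Connect-ExchangeOnline

# A newly created authentication policy has every AllowBasicAuth* setting off, i.e.
# it blocks Basic authentication for POP, IMAP, SMTP AUTH, MAPI, ActiveSync and the rest.
$policyName = "Block Basic Auth"   # assumed name
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}

# Make it the tenant default so it covers every mailbox without a per-user policy.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# Verify: every Allow* value should read False.
Get-AuthenticationPolicy -Identity $policyName | Format-List Allow*

# Mailboxes with an explicit (possibly more permissive) policy override the default;
# list them so none is left allowing Basic authentication.
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy } |
    Select-Object UserPrincipalName, AuthenticationPolicy
```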
We hope you've learned why you should disable legacy authentication and how to do it with conditional access.
This will help you secure your organization and data from attacks.
Always take steps to secure your organization from attacks and malicious authentication requests.
Finally, if you're not sure of your organization's current security position, download this free data security checklist to see your strengths and where you may need help.
Then, reach out to Integrity Technology Solutions to see how we can help you.