Why You Need To Block Microsoft Legacy Authentication


If your business is using Microsoft legacy authentication, your systems may be at risk of being compromised. 


Legacy authentication, meaning a client that hands a username and password to the service over protocols such as POP3, IMAP, SMTP AUTH, and older MAPI/RPC clients, can't enforce multifactor authentication, which makes these endpoints the preferred entry point for attackers. 

But, there's more.

In this article, we explain what legacy authentication is, why it's important to block legacy authentication, and how to protect your business from cyber threats.


What Is Microsoft Legacy Authentication?

Microsoft legacy authentication refers to basic authentication: the client sends the username and password directly to the service on every connection to sign in to email or other Microsoft applications and cloud services. 

It’s an authentication request made by either:

  • Older Office clients that don't support modern authentication (such as Office 2010, or Office 2013 without the registry keys that enable it)
  • Mail clients, devices and scripts that authenticate with a username and password over legacy mail protocols such as SMTP AUTH, IMAP and POP3

Legacy authentication isn't a single protocol; the term covers any sign-in method that passes a username and password straight to the service and therefore can't prompt for, or enforce, multi-factor authentication (MFA) or two-factor authentication (2FA). 

This leaves apps and clients vulnerable to attacks and unauthorized access attempts. 

A large share of compromised sign-ins originate from legacy authentication clients for exactly this reason.


Modern Authentication vs. Legacy Authentication

Protocols that support and allow MFA are modern authentication methods: OAuth 2.0 and OpenID Connect, as used by Azure AD and Microsoft 365 (the ADAL and MSAL client libraries implement them in Microsoft's own apps).

Modern authentication is a token-based identity model that offers safer and more secure user authentication and authorization than legacy (basic) authentication.

It lets users authenticate interactively in a web dialog served by the identity provider (Azure AD) instead of typing a password into the app (Outlook, Thunderbird) or the OS (Windows). 

This means the identity provider doesn't trust the apps and services to handle user credentials. 

Only the identity provider, Azure AD, is trusted to handle the credentials and issue tokens, and the app receives a token rather than the password.

With legacy authentication, you're not protected, even if you use endpoint detection and response: a password spray against a basic-auth endpoint never touches your endpoints at all, and a sign-in with a stolen password looks like any other sign-in to the service.

Let's compare modern authentication with legacy authentication:

Legacy (basic) Authentication

  • A network or client protocol that can't use modern authentication, either because it is incapable of it or because it hasn't been configured for it.
  • The client talks to the application on the user's behalf: it sends the username and password straight to the mail service or application, so the user never sees an identity-provider prompt.
  • The application, not the user, presents that username and password to obtain a login token, and does so on every connection.

Modern Authentication

  • A service or client that supports MFA/2FA and can use SAML, OpenID Connect, and/or OAuth 2.0.
  • A service or client that accepts a redirect to the identity provider for the authentication interaction and consumes the tokens those protocols issue, so the application only ever handles tokens, never the password.


Why Do I Need To Block Legacy Authentication?

Legacy authentication methods are vulnerable to account breaches and expose weaknesses that give attackers a back door into organization data.

Unlike modern authentication, legacy authentication neither understands nor supports MFA. 

MFA is the simplest modern protection against account breaches, and any security program that lacks it is weak and vulnerable.

Because a username and password are all a legacy endpoint needs, any attack that yields a valid password is enough: keylogging, phishing, brute force, password spray, and credential stuffing can all be run, automated, straight against the basic-auth endpoint.

  • According to Microsoft, the legacy authentication statistics show worrying trends. For example, over 99% of password spray attacks and over 97% of credential stuffing attacks use legacy authentication protocols.
  • Azure AD accounts in organizations that have disabled legacy authentication experience 67% fewer compromises than those where it is still enabled.

Furthermore, even if you've enabled an MFA policy on your directory, a legacy protocol can still let an attacker who holds the password authenticate without ever being challenged for the second factor. 

The reliable way to protect your accounts from this is to block the legacy protocols outright. 

Microsoft announced that it would begin turning off Basic authentication in Exchange Online for all tenants on October 1, 2022. SMTP AUTH is excluded from that change, so it still needs to be disabled by you.


How Do I Block Microsoft Legacy Authentication?

You can use several methods to block legacy authentication in Microsoft 365 and other apps. 

If security defaults are enabled on your Azure AD tenant (either because you turned them on or because the tenant was created after October 22, 2019, when they became the default), legacy authentication is already blocked tenant-wide. 

Otherwise, you can block legacy authentication with a Conditional Access policy in Azure Active Directory, or directly in Exchange Online, where Basic authentication can be turned off per protocol with an authentication policy.
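As an added example (not code from the original article), here is the Exchange Online PowerShell route in full: it inventories which mailboxes still have the legacy mail protocols switched on, creates an authentication policy that turns Basic authentication off for every protocol, makes that policy the tenant default, and disables SMTP AUTH, which is governed separately. The admin account, the policy name and the sample users are placeholder assumptions.

```powershell
# Added example: block Basic authentication in Exchange Online with PowerShell.
# Placeholders (assumptions, not values from the article): the admin UPN, the
# policy name, and the sample users below.

# Requires the ExchangeOnlineManagement module:
#   Install-Module ExchangeOnlineManagement -Scope CurrentUser
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

# 1. Inventory: which mailboxes still have the legacy mail protocols enabled?
#    A blank SmtpClientAuthenticationDisabled means the mailbox inherits the
#    organization-wide setting changed in step 4.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled -or -not $_.SmtpClientAuthenticationDisabled } |
    Select-Object DisplayName, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled |
    Format-Table -AutoSize

# 2. Create an authentication policy. Created with no Allow* switches, every
#    AllowBasicAuth* setting (ActiveSync, IMAP, POP, SMTP, MAPI, OWA, EWS,
#    PowerShell, ...) is $false, i.e. Basic auth is blocked for all protocols.
$policyName = "Block Basic Auth"
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}
Get-AuthenticationPolicy -Identity $policyName | Format-List Name, AllowBasicAuth*

# 3. Make it the tenant default so every user without an explicit policy is covered.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# 4. SMTP AUTH is controlled separately from the authentication policy. Turn it off
#    tenant-wide; re-enable it per mailbox only for devices that genuinely need it.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
# Set-CASMailbox -Identity scanner@contoso.com -SmtpClientAuthenticationDisabled $false

# 5. The default policy can take up to 24 hours to apply. To enforce it immediately
#    for a user, invalidate that user's existing tokens.
Set-User -Identity alice@contoso.com -STSRefreshTokensValidFrom ([DateTime]::UtcNow)

# 6. Verify. A blank AuthenticationPolicy on the user means the tenant default
#    (second line) applies.
Get-User -Identity alice@contoso.com | Select-Object DisplayName, AuthenticationPolicy
Get-OrganizationConfig | Select-Object DefaultAuthenticationPolicy
```

Run the inventory in step 1 before step 3 and keep the output: any printer, scanner or line-of-business app that shows up there will stop working once Basic auth is off, and it is far easier to move those to OAuth or a relay connector in advance than after the helpdesk calls start.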


How Do I Block Legacy Authentication With Conditional Access Policy?

Use the following steps to block legacy (basic) authentication with the conditional access policy.


Step 1: Check that you have an Azure AD Premium P1 license 

You can only block legacy authentication through conditional access (CA) if you have Microsoft licensing that gives you Azure AD Premium P1 or P2.

To check the license:

  1. Sign in to your Microsoft Azure portal.
  2. Navigate to Azure Active Directory.
  3. Go to Overview. 
  4. Check whether you have Azure AD Premium P1 or P2 license. 

Once you confirm this, you can proceed and initiate a new policy.


Step 2: New Conditional Access Policy

Through the Azure AD premium license P1 or P2, you can create a conditional access policy. 

This policy blocks legacy authentication for every user in your directory. 

You can also select only a group of users to block.

But, it's recommended to disable legacy authentication for all the users and apps in your directory. 

To do this:

  1. Navigate to Azure AD portal > then Azure Active Directory Home
  2. Browse to Security 
  3. Go to Conditional Access > Policies 
  4. Click New policy.

Clicking on the new policy will require you to give your policy a name.


Step 3: Name and Assignments 

Under "New conditional access policy," you'll need to name it and give it assignments. 

  1. Under Name, give it a name that shows the policy's goal, such as [BLOCK] Legacy authentication.
  2. Under Assignments, click Users and groups > Include > All users.
  3. Click Exclude and add your emergency-access (break-glass) accounts, so a mistake in the policy can never lock every administrator out of the tenant.

You can also scope the policy to guests and external users, directory roles, or specific users and groups. 

Make a choice depending on what you want the policy to cover.


Step 4. Specify Cloud apps or actions

In the Cloud apps or actions section, you specify which applications the conditional access policy applies to. 

  1. Click the Cloud apps option
  2. Choose Include under cloud apps.
  3. Select All cloud apps.

You can also select apps if you want to specify only the apps that use conditional access.


Step 5. Set Conditions

Once you select the apps, you'll need to set conditions of use.

  1. Click Conditions > then select Client apps. 
  2. Under Configure, click Yes (or toggle to Yes). 
  3. Under Legacy authentication clients, select Exchange ActiveSync clients and Other clients. Leave Browser and Mobile apps and desktop clients (the modern authentication clients) cleared; selecting those would block modern authentication as well.
  4. Then click Done. 


Step 6. Grant and Enable Policy

Once you've specified the policy's clients:

  1. Click on Grant. 
  2. Under control user access enforcement to block or grant access, select Block access. 
  3. Below it, to the bottom, click on Select.
  4. Under Enable policy, choose Report-only first so the policy is evaluated and logged but not enforced; switch it to On once the sign-in logs show no legitimate legacy authentication traffic. 
  5. Finally, choose "I understand that my account will be impacted by this policy. Proceed anyway."
  6. Then click Create.


You've blocked legacy authentication with the conditional access policy. 

This policy will show up in your conditional access policies list—it can take up to 24 hours to take effect.
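The same policy as Steps 1 to 6, built with Microsoft Graph PowerShell, as an added example rather than code from the original article. It checks for the Azure AD Premium P1 service plan, creates the policy in report-only mode with an emergency-access account excluded, and then lists the sign-ins the policy would have blocked so you can review them before switching it on. The tenant name and the break-glass account are placeholder assumptions.

```powershell
# Added example: the "[BLOCK] Legacy authentication" policy from Steps 1-6,
# built with Microsoft Graph PowerShell. Placeholder (an assumption, not a
# value from the article): the break-glass account below.

# Requires: Install-Module Microsoft.Graph -Scope CurrentUser
$scopes = @(
    "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
    "User.Read.All", "Directory.Read.All", "AuditLog.Read.All"
)
Connect-MgGraph -Scopes $scopes

# Step 1: Conditional Access needs Azure AD Premium P1 (service plan AAD_PREMIUM,
# also contained in P2 and in Microsoft 365 bundles that include it).
$hasP1 = Get-MgSubscribedSku |
    Where-Object { $_.ServicePlans.ServicePlanName -contains "AAD_PREMIUM" }
if (-not $hasP1) { throw "No subscription with Azure AD Premium P1 found." }

# Step 3: exclude an emergency-access (break-glass) account so a bad policy can
# never lock every administrator out. Assumption: this account exists.
$breakGlass = Get-MgUser -UserId "breakglass@contoso.onmicrosoft.com"

$policy = @{
    displayName = "[BLOCK] Legacy authentication"
    # Step 6: start in report-only; the policy is evaluated and logged, not enforced.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # Step 4: all cloud apps
        applications   = @{ includeApplications = @("All") }
        # Step 3: all users except the break-glass account
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass.Id)
        }
        # Step 5: only the legacy client types. "browser" and
        # "mobileAppsAndDesktopClients" (modern auth) are deliberately absent.
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    # Step 6: Block access
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created '{0}' ({1}), state: {2}" -f $created.DisplayName, $created.Id, $created.State

# Review, after the policy has been in report-only mode for a while: sign-ins in
# the last 7 days that it would have blocked (result reportOnlyFailure), grouped
# by user and client. On a large tenant narrow the window before using -All.
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
$wouldBlock = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object {
        $_.AppliedConditionalAccessPolicies |
            Where-Object { $_.Id -eq $created.Id -and $_.Result -eq "reportOnlyFailure" }
    }
$wouldBlock |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Once that list contains nothing you need to keep, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State "enabled"
```

The grouped output is the list you work through before enforcement: each row is one user and one legacy client type (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, and so on) that would have been blocked, and a row that belongs to a shared mailbox, a scanner or a script tells you exactly what must be migrated or excluded first.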

Remember: security defaults and Conditional Access can't both be active. If security defaults are enabled, legacy authentication is already blocked and Azure AD will ask you to turn security defaults off before it lets you create a Conditional Access policy. If you have neither security defaults nor an Azure AD Premium license, you can still turn Basic authentication off in Exchange Online manually through PowerShell with an authentication policy.



We hope you've learned why you should disable legacy authentication and how to do it with conditional access. 

This will help you secure your organization and data from attacks. 

Always take steps to secure your organization from attacks and malicious authentication requests.

Finally, if you're not sure of your organization's current security position, download this free data security checklist to see your strengths and where you may need help. 


Then, reach out to Integrity Technology Solutions to see how we can help you.
