Block legacy authentication - Azure Active Directory - Microsoft Entra (2022)


To give your users easy access to your cloud apps, Azure Active Directory (Azure AD) supports a broad variety of authentication protocols, including legacy authentication. However, legacy authentication doesn't support multifactor authentication (MFA), and MFA is a common requirement in many environments for addressing identity theft.

Note

Effective October 1, 2022, Microsoft will begin to permanently disable Basic Authentication for Exchange Online in all Microsoft 365 tenants regardless of usage, except for SMTP AUTH.

Alex Weinert, Director of Identity Security at Microsoft, in his March 12, 2020 blog post New tools to block legacy authentication in your organization emphasizes why organizations should block legacy authentication and what other tools Microsoft provides to accomplish this task:

For MFA to be effective, you also need to block legacy authentication. This is because legacy authentication protocols like POP, SMTP, IMAP, and MAPI can't enforce MFA, making them preferred entry points for adversaries attacking your organization...

...The numbers on legacy authentication from an analysis of Azure Active Directory (Azure AD) traffic are stark:


  • More than 99 percent of password spray attacks use legacy authentication protocols
  • More than 97 percent of credential stuffing attacks use legacy authentication
  • Azure AD accounts in organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled

If your environment is ready to block legacy authentication to improve your tenant's protection, you can accomplish this goal with Conditional Access. This article explains how you can configure Conditional Access policies that block legacy authentication for all workloads within your tenant.

While rolling out legacy authentication blocking protection, we recommend a phased approach, rather than disabling it for all users all at once. Customers may choose to first begin disabling basic authentication on a per-protocol basis, by applying Exchange Online authentication policies, then (optionally) also blocking legacy authentication via Conditional Access policies when ready.
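The per-protocol, per-user phase described above is driven by Exchange Online authentication policies. The script below is an added example (not code from the original article) showing a two-stage rollout: a first policy that blocks Basic authentication for POP3 and IMAP4 only and becomes the tenant default, and a second policy that blocks it on every protocol and is assigned to a pilot group first. It assumes the ExchangeOnlineManagement module and an Exchange administrator account; the policy names, the pilot user principal names and the `$finalCutover` switch are placeholders for this example.

```powershell
# Added example (not code from the original article): phased Basic Auth
# blocking with Exchange Online authentication policies. Assumes the
# ExchangeOnlineManagement module and an Exchange admin account; policy names
# and the pilot UPNs are placeholders.
Connect-ExchangeOnline

$phase1 = "Block Basic Auth - POP3 and IMAP4 only"
$phase2 = "Block Basic Auth - All protocols"

# A new authentication policy blocks Basic Auth on every protocol unless that
# protocol's Allow* switch is set, so the phase 1 policy explicitly re-allows
# everything except POP3 and IMAP4.
if (-not (Get-AuthenticationPolicy -Identity $phase1 -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $phase1 `
        -AllowBasicAuthActiveSync -AllowBasicAuthAutodiscover `
        -AllowBasicAuthMapi -AllowBasicAuthOfflineAddressBook `
        -AllowBasicAuthOutlookService -AllowBasicAuthPowershell `
        -AllowBasicAuthReportingWebServices -AllowBasicAuthRpc `
        -AllowBasicAuthSmtp -AllowBasicAuthWebServices | Out-Null
}

# The end-state policy sets no Allow* switch, so it blocks Basic Auth everywhere.
if (-not (Get-AuthenticationPolicy -Identity $phase2 -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $phase2 | Out-Null
}

# Step 1: POP3/IMAP4 Basic Auth off for everyone without an explicit policy.
Set-OrganizationConfig -DefaultAuthenticationPolicy $phase1

# Step 2: pilot users get the full block. An explicit per-user policy wins
# over the tenant default.
$pilotUsers = @("alice@contoso.com", "bob@contoso.com")   # placeholder UPNs
foreach ($upn in $pilotUsers) {
    Set-User -Identity $upn -AuthenticationPolicy $phase2
    # Policy assignment can take up to 24 hours to apply; invalidating the
    # user's refresh tokens makes existing clients re-authenticate now.
    Set-User -Identity $upn -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)
}

# Step 3 (flip to $true once the pilot is clean): full block for the tenant.
$finalCutover = $false
if ($finalCutover) {
    Set-OrganizationConfig -DefaultAuthenticationPolicy $phase2
}

# Verify which policy each user has and what each policy still allows.
Get-User -ResultSize Unlimited |
    Select-Object UserPrincipalName, AuthenticationPolicy |
    Sort-Object AuthenticationPolicy, UserPrincipalName |
    Format-Table -AutoSize
Get-AuthenticationPolicy | Format-List Name, AllowBasicAuth*
```

Two caveats a practitioner should keep in mind: an authentication policy blocks only Basic authentication, so a client that speaks IMAP4 or POP3 with modern (OAuth) authentication keeps working, and a blocked Basic attempt still shows up as a failed sign-in in the Azure AD logs, which is exactly what you want to see when checking that a password-spray source is now being refused.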

Customers without licenses that include Conditional Access can make use of security defaults to block legacy authentication.

Prerequisites

This article assumes that you're familiar with the basic concepts of Azure AD Conditional Access.

Note

Conditional Access policies are enforced after first-factor authentication is completed. Conditional Access isn't intended to be an organization's first line of defense for scenarios like denial-of-service (DoS) attacks, but it can use signals from these events to determine access.

Scenario description

Azure AD supports the most widely used authentication and authorization protocols, including legacy authentication. Legacy authentication can't prompt users for a second factor, or for any other requirement needed to satisfy a Conditional Access policy. This authentication pattern includes basic authentication, a widely used industry-standard method for collecting user name and password information. Examples of applications that commonly or only use legacy authentication are:


  • Microsoft Office 2013 or older.
  • Apps using mail protocols like POP, IMAP, and SMTP AUTH.

For more information about modern authentication support in Office, see How modern authentication works for Office client apps.

Single-factor authentication (for example, username and password) isn't enough these days. Passwords are easy to guess, and we (humans) are bad at choosing good ones. Passwords are also vulnerable to attacks like phishing and password spray. One of the easiest things you can do to protect against password threats is to implement multifactor authentication (MFA). With MFA, even if an attacker gets possession of a user's password, the password alone isn't sufficient to authenticate and access the data.

How can you prevent apps using legacy authentication from accessing your tenant's resources? The recommendation is to block them with a Conditional Access policy. If necessary, allow only specific users and specific network locations to use apps that are based on legacy authentication.

Implementation

This section explains how to configure a Conditional Access policy to block legacy authentication.

Messaging protocols that support legacy authentication

The following messaging protocols support legacy authentication:

  • Authenticated SMTP - Used to send authenticated email messages.
  • Autodiscover - Used by Outlook and EAS clients to find and connect to mailboxes in Exchange Online.
  • Exchange ActiveSync (EAS) - Used to connect to mailboxes in Exchange Online.
  • Exchange Online PowerShell - Used to connect to Exchange Online with remote PowerShell. If you block Basic authentication for Exchange Online PowerShell, you need to use the Exchange Online PowerShell Module to connect. For instructions, see Connect to Exchange Online PowerShell using multifactor authentication.
  • Exchange Web Services (EWS) - A programming interface that's used by Outlook, Outlook for Mac, and third-party apps.
  • IMAP4 - Used by IMAP email clients.
  • MAPI over HTTP (MAPI/HTTP) - Primary mailbox access protocol used by Outlook 2010 SP2 and later.
  • Offline Address Book (OAB) - A copy of address list collections that are downloaded and used by Outlook.
  • Outlook Anywhere (RPC over HTTP) - Legacy mailbox access protocol supported by all current Outlook versions.
  • POP3 - Used by POP email clients.
  • Reporting Web Services - Used to retrieve report data in Exchange Online.
  • Universal Outlook - Used by the Mail and Calendar app for Windows 10.
  • Other clients - Other protocols identified as utilizing legacy authentication.

For more information about these authentication protocols and services, see Sign-in activity reports in the Azure Active Directory portal.

Identify legacy authentication use

Before you can block legacy authentication in your directory, you need to first understand if your users have clients that use legacy authentication. Below, you'll find useful information to identify and triage where clients are using legacy authentication.

Indicators from Azure AD

  1. Navigate to the Azure portal > Azure Active Directory > Sign-in logs.
  2. Add the Client App column if it isn't shown by clicking on Columns > Client App.
  3. Add filters > Client App > select all of the legacy authentication protocols. Select outside the filtering dialog box to apply your selections and close the dialog box.
  4. If you've activated the new sign-in activity reports preview, repeat the above steps also on the User sign-ins (non-interactive) tab.

Filtering will only show you sign-in attempts that were made by legacy authentication protocols. Clicking on each individual sign-in attempt will show you more details. The Client App field under the Basic Info tab will indicate which legacy authentication protocol was used.
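The portal steps above can be reproduced at scale with the Microsoft Graph PowerShell SDK, which returns the same Client App value as the `clientAppUsed` property of each sign-in. The script below is an added example (not code from the original article): it pulls 30 days of sign-ins, treats every client app other than the two modern-authentication values (Browser, Mobile Apps and Desktop clients) as legacy, and summarises usage by protocol and by user, separating attempts that succeeded from attempts that failed. It assumes the Microsoft.Graph.Reports module and a caller holding AuditLog.Read.All and Directory.Read.All, the documented permissions for the sign-ins API; the 30-day window is an arbitrary choice for this example.

```powershell
# Added example (not code from the original article): triage legacy-auth
# usage from Azure AD sign-in logs via the Microsoft Graph PowerShell SDK.
# Assumes Microsoft.Graph.Reports and AuditLog.Read.All / Directory.Read.All.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")

# clientAppUsed carries the same "Client app" value the portal column shows.
# Anything other than these two modern values is a legacy protocol (Exchange
# ActiveSync, IMAP4, POP3, Authenticated SMTP, Other clients, and so on).
$modernClientApps = @("Browser", "Mobile Apps and Desktop clients")

$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All
$legacy  = $signIns | Where-Object {
    $_.ClientAppUsed -and ($modernClientApps -notcontains $_.ClientAppUsed)
}

"Legacy-auth sign-ins by protocol since $since"
$legacy | Group-Object ClientAppUsed | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Per-user view: who needs a client upgrade or a policy exclusion. ErrorCode 0
# means the legacy sign-in actually succeeded; a high failure count against a
# user who never succeeds is the password-spray pattern, not a real client.
"Users with legacy-auth sign-ins"
$legacy | Group-Object UserPrincipalName | ForEach-Object {
    [pscustomobject]@{
        User      = $_.Name
        Attempts  = $_.Count
        Successes = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
        Protocols = ($_.Group.ClientAppUsed | Sort-Object -Unique) -join ", "
        Apps      = ($_.Group.AppDisplayName | Sort-Object -Unique) -join ", "
        SourceIPs = ($_.Group.IpAddress | Sort-Object -Unique) -join ", "
    }
} | Sort-Object Attempts -Descending | Format-Table -AutoSize
```

The v1.0 sign-ins endpoint returns interactive user sign-ins, so, as the step for the non-interactive tab says, check that tab (or the legacy authentication workbook) separately before concluding a user is clean.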


These logs indicate where users are using clients that still depend on legacy authentication. For users that don't appear in these logs and are confirmed not to be using legacy authentication, implement a Conditional Access policy for these users only.

Additionally, to help triage legacy authentication within your tenant use the Sign-ins using legacy authentication workbook.

Indicators from client

To determine if a client is using legacy or modern authentication based on the dialog box presented at sign-in, see the article Deprecation of Basic authentication in Exchange Online.

Important considerations

Many clients that previously only supported legacy authentication now support modern authentication. Clients that support both legacy and modern authentication may require configuration update to move from legacy to modern authentication. If you see modern mobile, desktop client or browser for a client in the Azure AD logs, it's using modern authentication. If it has a specific client or protocol name, such as Exchange ActiveSync, it's using legacy authentication. The client types in Conditional Access, Azure AD Sign-in logs, and the legacy authentication workbook distinguish between modern and legacy authentication clients for you.

  • Clients that support modern authentication but aren't configured to use modern authentication should be updated or reconfigured to use modern authentication.
  • All clients that don't support modern authentication should be replaced.

Important

Exchange ActiveSync with certificate-based authentication (CBA)

When implementing Exchange ActiveSync (EAS) with CBA, configure clients to use modern authentication. Clients not using modern authentication for EAS with CBA aren't blocked by the deprecation of Basic authentication in Exchange Online. However, these clients are blocked by Conditional Access policies configured to block legacy authentication.


For more information on implementing support for CBA with Azure AD and modern authentication, see How to configure Azure AD certificate-based authentication (Preview). As another option, CBA performed at a federation server can be used with modern authentication.

If you're using Microsoft Intune, you might be able to change the authentication type using the email profile you push or deploy to your devices. If you're using iOS devices (iPhones and iPads), you should take a look at Add e-mail settings for iOS and iPadOS devices in Microsoft Intune.

Block legacy authentication

There are two ways to use Conditional Access policies to block legacy authentication.

  • Directly blocking legacy authentication
  • Indirectly blocking legacy authentication

Directly blocking legacy authentication

The easiest way to block legacy authentication across your entire organization is by configuring a Conditional Access policy that applies specifically to legacy authentication clients and blocks access. When assigning users and applications to the policy, make sure to exclude users and service accounts that still need to sign in using legacy authentication. When choosing the cloud apps in which to apply this policy, select All cloud apps, targeted apps such as Office 365 (recommended) or at a minimum, Office 365 Exchange Online. Configure the client apps condition by selecting Exchange ActiveSync clients and Other clients. To block access for these client apps, configure the access controls to Block access.


Indirectly blocking legacy authentication

Even if your organization isn't ready to block legacy authentication across the entire organization, you should ensure that sign-ins using legacy authentication aren't bypassing policies that require grant controls such as requiring multifactor authentication or compliant/hybrid Azure AD joined devices. During authentication, legacy authentication clients don't support sending MFA, device compliance, or join state information to Azure AD. Therefore, apply policies with grant controls to all client applications so that legacy authentication based sign-ins that can’t satisfy the grant controls are blocked. With the general availability of the client apps condition in August 2020, newly created Conditional Access policies apply to all client apps by default.
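Both approaches, the direct block above and the indirect block through grant controls, are ordinary Conditional Access policies and can be created with the Microsoft Graph PowerShell SDK. The script below is an added example (not code from the original article) that creates both in report-only mode, so their would-be outcome can be read from the sign-in logs before anything is enforced. It assumes the Microsoft.Graph.Identity.SignIns module, the Policy.ReadWrite.ConditionalAccess permission, and an existing exclusion group for service and break-glass accounts whose object ID goes in `$excludeGroupId`; the policy names and that ID are placeholders.

```powershell
# Added example (not code from the original article): create the direct and
# indirect legacy-auth blocking policies via Microsoft Graph PowerShell, both
# in report-only mode. $excludeGroupId and the policy names are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$excludeGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder group

# 1. Direct block: target only the legacy client app types and block them.
$directBlock = @{
    displayName   = "CA-Block-LegacyAuth"
    state         = "enabledForReportingButNotEnforced"   # report-only
    conditions    = @{
        clientAppTypes = @("exchangeActiveSync", "other")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($excludeGroupId)
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 2. Indirect block: require MFA for every client app type. Legacy clients
# cannot present MFA, so they fail the grant and are blocked as a side effect.
$requireMfa = @{
    displayName   = "CA-Require-MFA-AllClients"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($excludeGroupId)
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

$existing = Get-MgIdentityConditionalAccessPolicy -All
foreach ($policy in @($directBlock, $requireMfa)) {
    if ($existing | Where-Object { $_.DisplayName -eq $policy.displayName }) {
        "Policy '$($policy.displayName)' already exists; skipping."
    } else {
        New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Out-Null
        "Created '$($policy.displayName)' in report-only mode."
    }
}

# Verify state, targeted client app types and grant controls of the two policies.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.DisplayName -in @($directBlock.displayName, $requireMfa.displayName) } |
    ForEach-Object {
        [pscustomobject]@{
            Name       = $_.DisplayName
            State      = $_.State
            ClientApps = ($_.Conditions.ClientAppTypes -join ",")
            Grant      = ($_.GrantControls.BuiltInControls -join ",")
        }
    } | Format-Table -AutoSize
```

While the policies are in report-only mode, each sign-in's Conditional Access details list them with a result of "Report-only: Failure" for the legacy-auth attempts they would have blocked; once that set matches what the identification step found, switch the state to `enabled` with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -State enabled`.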


What you should know

It can take up to 24 hours for the Conditional Access policy to go into effect.


Blocking access using Other clients also blocks Exchange Online PowerShell and Dynamics 365 using basic auth.

Configuring a policy for Other clients blocks the entire organization from certain clients like SPConnect. This block happens because older clients authenticate in unexpected ways. The issue doesn't apply to major Office applications like the older Office clients.

You can select all available grant controls for the Other clients condition; however, the end-user experience is always the same - blocked access.

Next steps

  • Determine impact using Conditional Access report-only mode
  • If you aren't familiar with configuring Conditional Access policies yet, see require MFA for specific apps with Azure Active Directory Conditional Access for an example.
  • For more information about modern authentication support, see How modern authentication works for Office client apps
  • How to set up a multifunction device or application to send email using Microsoft 365

FAQs


What is legacy authentication Azure AD? ›

Legacy authentication refers to basic authentication, which was once a widely used industry-standard method for passing user name and password information through a client to an identity provider. Examples of applications that commonly or only use legacy authentication are: Microsoft Office 2013 or older.

How do I disable Azure AD multi-factor authentication? ›

The steps below turn off security defaults, which is what enforces MFA (and blocks legacy authentication) in tenants that don't use Conditional Access. Turning them off removes that protection, so only do it when you're replacing them with Conditional Access policies.
  1. Open the Microsoft 365 Admin Center.
  2. In the left side navigation, click Azure Active Directory admin center.
  3. In the left side navigation, click Azure Active Directory.
  4. Click Properties.
  5. Click Manage Security Defaults.
  6. Select No to disable Security defaults.

What is the difference between legacy authentication and modern authentication? ›

“Legacy authentication” is a term Microsoft sometimes uses to describe basic authentication when used with its cloud-based services. This is in contrast with the term “modern authentication” which provides more security and capabilities.

Does MFA work on legacy authentication? ›

Legacy authentication does not support multi-factor authentication (MFA). Even if you have an MFA policy enabled on your directory, a bad actor can authenticate using a legacy protocol and bypass MFA.

How do I stop Azure legacy authentication? ›

First identify who is using it: navigate to the Azure portal > Azure Active Directory > Sign-in logs, add the Client App column if it isn't shown (Columns > Client App), then Add filters > Client App and select all of the legacy authentication protocols. Select outside the filtering dialog box to apply your selections and close the dialog box. Then block it with a Conditional Access policy that targets the Exchange ActiveSync clients and Other clients client apps with the Block access control, excluding only the accounts that still need legacy authentication.

How do I stop basic authentication? ›

You block Basic authentication in Exchange Online by creating and assigning authentication policies to individual users. The policies define the client protocols where Basic authentication is blocked, and assigning the policy to one or more users blocks their Basic authentication requests for the specified protocols.

How do I disable modern authentication for a single user? ›

You can't: the setting in the Microsoft 365 admin center (Settings > Org Settings > Modern Authentication, then Turn on modern authentication for Outlook 2013 for Windows and later (recommended)) is tenant-wide. Turning it off for the whole tenant isn't recommended, because MFA requires modern authentication.

Can I use MFA without modern authentication? ›

In Office 365, modern authentication is required for MFA.

Which are the authentication mechanism options available in Azure AD? ›

Some authentication methods can be used as the primary factor when you sign in to an application or device, such as using a FIDO2 security key or a password. How each authentication method can be used:

  Method                        Primary authentication   Secondary authentication
  Microsoft Authenticator app   Yes                      MFA and SSPR
  FIDO2 security key            Yes                      MFA

The full table in the source lists six more methods.


Does Azure AD provides synced authentication? ›

With cloud authentication, you can choose from two options: Azure AD password hash synchronization. The simplest way to enable authentication for on-premises directory objects in Azure AD. Users can use the same username and password that they use on-premises without having to deploy any additional infrastructure.

Is IMAP a legacy protocol? ›

Within Microsoft, the considered basic/legacy protocols include: Authenticated SMTP – Used by POP and IMAP clients to send email messages.

What is legacy MFA? ›

Legacy (or basic) authentication is an older way for clients to sign in to Microsoft applications and email with only a user name and password. It has been superseded by modern authentication, which can enforce multifactor authentication (MFA). Microsoft began permanently disabling Basic authentication in Exchange Online on October 1, 2022.


What is federated authentication Azure? ›

Federation with Azure AD or O365 enables users to authenticate using on-premises credentials and access all resources in cloud. As a result, it becomes important to have a highly available AD FS infrastructure to ensure access to resources both on-premises and in the cloud.

How do I check my authentication policy? ›

This cmdlet is available in on-premises Exchange and in the cloud-based service. Some parameters and settings may be exclusive to one environment or the other. Use the Get-AuthenticationPolicy cmdlet to view authentication policies in your organization.

Is ActiveSync going away? ›

We're removing the ability to use Basic authentication in Exchange Online for Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, Exchange Web Services (EWS), Offline Address Book (OAB), Outlook for Windows, and Mac.

What is 365 Shell WCSS client? ›

Office 365 Shell WCSS-Client is the browser code that runs whenever a user navigates to (most) Office 365 applications in the browser. The shell, also known as the suite header, is shared code that loads as part of almost all Office 365 workloads, including SharePoint, OneDrive, Outlook, Yammer, and many more.

What is are the way ways to disable legacy protocols like POP IMAP etc? ›

Method #1: Disable services per mailbox

From the Microsoft 365 admin center, select a user account. Go to the “Mail” tab and select the option to Manage email apps. From here it is very easy to turn off any legacy protocols that you know are not (or should not be) in use, such as POP, IMAP, etc.
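The same per-mailbox switches are exposed through Exchange Online PowerShell, which is the practical route for more than a handful of mailboxes. The script below is an added example (not code from the original article): it disables POP3 and IMAP4 on every user and shared mailbox, disables SMTP AUTH tenant-wide while keeping it on for an explicit exception list (SMTP AUTH is the one protocol the Basic authentication deprecation note above exempts, so it must be handled deliberately), and then lists any mailbox where a legacy protocol is still on. It assumes the ExchangeOnlineManagement module; the exception address is a placeholder.

```powershell
# Added example (not code from the original article): disable POP3, IMAP4 and
# SMTP AUTH per mailbox with the ExchangeOnlineManagement module and report
# what is still enabled. The exception list is a placeholder.
Connect-ExchangeOnline

# Tenant-wide default: SMTP AUTH off. A per-mailbox $false below overrides
# this for the few devices that genuinely cannot do OAuth.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# Mailboxes that must keep SMTP AUTH (for example a multifunction device).
# Keep this list short and reviewed; each entry is a password-only sign-in path.
$smtpAuthExceptions = @("scanner@contoso.com")   # placeholder

Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox |
    ForEach-Object {
        $keepSmtp = $smtpAuthExceptions -contains $_.PrimarySmtpAddress.ToString()
        Set-CASMailbox -Identity $_.Identity `
            -PopEnabled $false `
            -ImapEnabled $false `
            -SmtpClientAuthenticationDisabled (-not $keepSmtp)
    }

# Verify: any mailbox with POP3, IMAP4 or SMTP AUTH still enabled.
Get-EXOCASMailbox -ResultSize Unlimited `
    -Properties PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled |
    Where-Object {
        $_.PopEnabled -or $_.ImapEnabled -or ($_.SmtpClientAuthenticationDisabled -eq $false)
    } |
    Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled |
    Format-Table -AutoSize
```

Note the difference from an authentication policy: turning a protocol off on the mailbox disables it for every client, including ones that would have used it with modern authentication, which is usually what you want for POP3 and IMAP4 but should be a conscious choice.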

Does enabling modern authentication disable basic authentication? ›

No. All of these endpoints support Microsoft's modern authentication except the older of the two PowerShell modules (Exchange Online PowerShell v1), but enabling modern authentication doesn't by itself turn Basic authentication off; Basic authentication is blocked by Exchange Online authentication policies or by Conditional Access. In 2021, Microsoft announced plans to disable Basic Authentication as of October 1, 2022.




What is basic authentication in Azure? ›

Basic authentication is a mechanism for a browser or other HTTP user agent to provide credentials when making a request to the server. This mechanism is supported by all major browsers and all major web servers.


Is EWS a legacy? ›

Both steps are part of the sunset process to ease EWS out of Microsoft 365, with Microsoft noting that “EWS is a legacy API surface that has served us well, but no longer meets the security and manageability needs of modern app development.”



Article information

Author: Aron Pacocha

Last Updated: 08/21/2022
