ID-02: Blocking Legacy Authentication Protocols

Overview

Legacy authentication means a client that sends a username and password with every request (Basic authentication) instead of obtaining a token through a modern (OAuth 2.0) sign-in. It shows up on protocols such as IMAP, POP3, SMTP AUTH, Exchange Web Services, Outlook Anywhere and Exchange ActiveSync. Because there is no interactive token flow, Entra ID cannot prompt for a second factor, so a stolen, phished or sprayed password is enough on its own. Blocking legacy authentication is one of the highest-impact changes you can make to a tenant.

Why This Matters: Microsoft's own telemetry, cited in the Entra ID Conditional Access documentation, attributes the overwhelming majority of password spray and credential stuffing attacks to legacy authentication endpoints. The protocols themselves are not the problem: Exchange Online supports OAuth 2.0 (XOAUTH2) for IMAP, POP3 and SMTP AUTH, and current Outlook, Apple Mail and Thunderbird builds use it. The problem is any client, device or script still configured for Basic authentication. As long as a Basic-authentication endpoint accepts your users' passwords, attackers have a path around every MFA policy you have. Exchange Online itself stopped accepting Basic authentication for EWS, EAS, POP, IMAP, Outlook Anywhere, Offline Address Book and Remote PowerShell during 2022, and Microsoft has announced the same for SMTP AUTH client submission; the Conditional Access policy in this guide is still the tenant-wide control that covers every remaining endpoint, every other application, and any tenant-level exception Microsoft granted.

Impact Statistics (Microsoft's figures, from the Entra ID guidance on blocking legacy authentication):

  • More than 99% of password spray attacks, and more than 97% of credential stuffing attacks, use legacy authentication protocols
  • Organizations that disable legacy authentication see 67% fewer account compromises
  • In most tenants legitimate legacy auth traffic is a small fraction of sign-ins, concentrated in a handful of devices, scripts and service accounts (a rule of thumb, and the reason the analysis in Step 1 is usually short)

Prerequisites

Required Roles

  • Global Administrator or Conditional Access Administrator - to create and enable the blocking policy and the exclusion groups
  • Security Reader or Reports Reader - to read sign-in logs and the report-only results
  • Exchange Administrator - to create the SMTP relay connector and change SMTP AUTH settings for scan-to-email devices

License Requirements

Feature                                      License
-------------------------------------------  ------------------------------
Block legacy auth via Security Defaults      Free
Block legacy auth via Conditional Access     Microsoft Entra ID P1 (or P2)
Sign-in log retention, 7 days                Free
Sign-in log retention, 30 days               Microsoft Entra ID P1/P2
Longer retention (Log Analytics / storage)   Azure consumption charges

Pre-Checks

  1. Determine whether Security Defaults is enabled or whether you use Conditional Access (they are mutually exclusive: Security Defaults must be off before you can create Conditional Access policies)
  2. Identify current legacy authentication usage in your tenant (Step 1)
  3. Inventory applications and devices that may require legacy auth: printers and scanners, scripts, CRM and ticketing integrations, shared mailboxes
  4. Confirm your emergency access (break-glass) accounts exist, have been tested, and will be excluded from the new policy
  5. Have a rollback plan ready (setting the policy back to report-only; see Step 6)

Time Estimate

Task                                     Duration
---------------------------------------  ------------------
Analyze current legacy auth usage        1-2 hours
Identify and remediate legacy clients    1-5 days (varies)
Create blocking policy (report-only)     15 minutes
Monitor and adjust                       2-4 weeks
Enable enforcement                       15 minutes

Total: 2-4 weeks for a safe rollout (most of it is monitoring)


Step-by-Step Instructions

Step 1: Analyze Current Legacy Authentication Usage

Before blocking anything, understand what is currently using legacy authentication.

Navigation: Entra admin center > Identity > Monitoring & health > Sign-in logs

  1. Sign in to the Microsoft Entra admin center

  2. Navigate to Identity > Monitoring & health > Sign-in logs

  3. Add a filter: Client app

  4. Select every value except Browser and Mobile Apps and Desktop clients; those two are the modern-authentication clients. The legacy (Basic authentication) values are:

    • Authenticated SMTP
    • AutoDiscover
    • Exchange ActiveSync
    • Exchange Online PowerShell
    • Exchange Web Services
    • IMAP4
    • MAPI Over HTTP
    • Offline Address Book
    • Other clients
    • Outlook Anywhere (RPC over HTTP)
    • POP3
    • Reporting Web Services
    • Unknown

    If your sign-in logs are streamed to a Log Analytics workspace, the "Sign-ins using legacy authentication" workbook under Monitoring & health > Workbooks shows the same data pre-aggregated.
  5. Set the date range to Last 30 days (the free tier keeps only 7 days of sign-in data; 30 days needs P1/P2, and anything longer needs the logs exported in advance)

  6. Review the results and note:

    • Which users are using legacy auth
    • Which applications/protocols are being used
    • Which devices or locations

Export for Analysis:

  1. Click Download > Download JSON or Download CSV
  2. Open in Excel and create a pivot table by:
    • User Principal Name
    • Client App
    • Application
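The same pivot can be scripted instead of built in Excel. The following is an added example, not part of the original guide: it classifies sign-ins the way the sign-in log does (any client app other than Browser and Mobile Apps and Desktop clients is legacy authentication), summarizes them per user, client app and application, and carries the source IPs and client OS along so the "Cannot Identify Legacy Auth Source" step under Troubleshooting has what it needs. It accepts either the portal's JSON download or a live query through the Microsoft Graph PowerShell SDK (Get-MgAuditLogSignIn, module Microsoft.Graph.Reports); the records at the bottom are constructed sample data so the function can be exercised offline.

```powershell
# Added example (not part of the original guide): summarize legacy-authentication sign-ins.
# The live-query path needs the Microsoft Graph PowerShell SDK:
#   Install-Module Microsoft.Graph.Reports -Scope CurrentUser

# Values the sign-in log reports for modern-auth clients. Anything else (IMAP4, POP3,
# Authenticated SMTP, Exchange ActiveSync, Other clients, ...) is legacy (Basic) authentication.
$ModernClientApps = @('Browser', 'Mobile Apps and Desktop clients')

function Get-LegacyAuthSummary {
    param(
        # Sign-in records: objects from the portal JSON export or from Get-MgAuditLogSignIn
        [Parameter(Mandatory)] [object[]] $SignIns,
        # Only successful sign-ins (errorCode 0) count by default; failures are mostly spray noise
        [switch] $IncludeFailures
    )
    $SignIns |
        Where-Object { $_.ClientAppUsed -and ($_.ClientAppUsed -notin $ModernClientApps) } |
        Where-Object { $IncludeFailures -or $_.Status.ErrorCode -eq 0 } |
        Group-Object UserPrincipalName, ClientAppUsed, AppDisplayName |
        ForEach-Object {
            $first = $_.Group[0]
            $last  = $_.Group | Sort-Object CreatedDateTime -Descending | Select-Object -First 1
            [pscustomobject]@{
                UserPrincipalName = $first.UserPrincipalName
                ClientApp         = $first.ClientAppUsed
                Application       = $first.AppDisplayName
                SignIns           = $_.Count
                LastSeen          = $last.CreatedDateTime
                # Source IPs and client OS are what you need to trace a device when the UPN alone is not enough
                SourceIPs         = ($_.Group.IpAddress | Sort-Object -Unique) -join ';'
                ClientOS          = ($_.Group.DeviceDetail.OperatingSystem | Sort-Object -Unique) -join ';'
            }
        } |
        Sort-Object SignIns -Descending
}

# ---- Input: pick one -------------------------------------------------------------
# (a) Live query. 30 days requires P1/P2 retention; the free tier keeps 7 days.
#   Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
#   $since   = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
#   $signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All
# (b) The portal's JSON download (same properties in camelCase; PowerShell member access is case-insensitive):
#   $signIns = Get-Content .\SignIns.json -Raw | ConvertFrom-Json
# (c) Constructed sample records so the function can be run offline:
$signIns = @(
    [pscustomobject]@{ UserPrincipalName = 'john@contoso.com'; ClientAppUsed = 'IMAP4'
        AppDisplayName = 'Office 365 Exchange Online'; IpAddress = '203.0.113.10'
        CreatedDateTime = [datetime]'2025-01-05T08:00:00Z'; Status = @{ ErrorCode = 0 }
        DeviceDetail = @{ OperatingSystem = 'Windows 10' } }
    [pscustomobject]@{ UserPrincipalName = 'john@contoso.com'; ClientAppUsed = 'IMAP4'
        AppDisplayName = 'Office 365 Exchange Online'; IpAddress = '203.0.113.11'
        CreatedDateTime = [datetime]'2025-01-06T08:05:00Z'; Status = @{ ErrorCode = 0 }
        DeviceDetail = @{ OperatingSystem = 'Windows 10' } }
    [pscustomobject]@{ UserPrincipalName = 'printer-floor2@contoso.com'; ClientAppUsed = 'Authenticated SMTP'
        AppDisplayName = 'Office 365 Exchange Online'; IpAddress = '198.51.100.7'
        CreatedDateTime = [datetime]'2025-01-06T09:00:00Z'; Status = @{ ErrorCode = 0 }
        DeviceDetail = @{ OperatingSystem = '' } }
    [pscustomobject]@{ UserPrincipalName = 'john@contoso.com'; ClientAppUsed = 'Browser'
        AppDisplayName = 'Office 365 Exchange Online'; IpAddress = '203.0.113.10'
        CreatedDateTime = [datetime]'2025-01-06T09:30:00Z'; Status = @{ ErrorCode = 0 }
        DeviceDetail = @{ OperatingSystem = 'Windows 10' } }
    # A failed POP3 attempt from an unrelated network: spray noise, excluded unless -IncludeFailures
    [pscustomobject]@{ UserPrincipalName = 'jane@contoso.com'; ClientAppUsed = 'POP3'
        AppDisplayName = 'Office 365 Exchange Online'; IpAddress = '192.0.2.44'
        CreatedDateTime = [datetime]'2025-01-06T03:12:00Z'; Status = @{ ErrorCode = 50126 }
        DeviceDetail = @{ OperatingSystem = '' } }
)

Get-LegacyAuthSummary -SignIns $signIns | Format-Table -AutoSize
Get-LegacyAuthSummary -SignIns $signIns | Export-Csv .\legacy-auth-usage.csv -NoTypeInformation
```

Run it once without and once with -IncludeFailures: the first tells you what will break when you enforce, the second shows which accounts are being sprayed today and is a good argument to take to management for the enforcement date.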

Step 2: Identify Common Legacy Auth Scenarios

Review your sign-in logs for these common patterns:

Scenario 1: Older Outlook Versions

  • Look for: MAPI Over HTTP, Outlook Anywhere
  • Users with: Outlook 2010 or older
  • Solution: Upgrade to Outlook 2016+ or Outlook for Microsoft 365

Scenario 2: Mobile Email Apps

  • Look for: Exchange ActiveSync
  • Users with: Built-in mail apps on iOS/Android
  • Solution: Switch to the Outlook mobile app, or remove and re-add the account in the built-in mail app: iOS Mail (iOS 11 and later) and recent Android mail clients use modern authentication for accounts added fresh, but an account set up years ago with Basic authentication keeps using it until it is re-added

Scenario 3: Multifunction Printers/Scanners

  • Look for: SMTP
  • Devices: Printers sending scan-to-email
  • Solution: Direct Send (internal recipients only) or an SMTP relay connector (see Troubleshooting), or SMTP AUTH with OAuth 2.0 if the device firmware supports it; Microsoft Graph sendMail is the option for devices or middleware that can hold an app registration

Scenario 4: Legacy Applications

  • Look for: IMAP, POP3, SMTP AUTH
  • Applications: CRM systems, ticketing systems, automation scripts
  • Solution: Update to use OAuth 2.0 or Microsoft Graph API

Scenario 5: Shared Mailboxes

  • Look for: Various legacy protocols
  • Mailboxes: Support@, info@, shared mailboxes
  • Solution: Nobody should sign in as the shared mailbox at all. Grant users Full Access and Send As (or Send on Behalf) permissions so they reach it through their own modern-authentication session, block sign-in on the shared mailbox's own account, and remove any stored password for it from devices and scripts

Step 3: Remediate Legacy Authentication Usage

Work with users and application owners to migrate away from legacy auth:

For Individual Users:

  1. Contact users identified in the sign-in logs
  2. Explain why they need to update their configuration
  3. Provide specific guidance based on their client:

Outlook Upgrade Path:

Current Version          Action Required
------------------       ------------------------------------------
Outlook 2010 or older    Upgrade to Microsoft 365 Apps or Outlook 2019 or later (no modern auth support)
Outlook 2013             Enable Modern Auth (EnableADAL registry value plus current updates) or upgrade
Outlook 2016+            Ensure Modern Auth is enabled (default)

Mobile Email Migration:

  1. Install Microsoft Outlook from app store
  2. Sign in with work account
  3. Remove account from built-in Mail app

For Applications and Services:

  1. Contact the application vendor for OAuth 2.0 support
  2. Update connection strings to use modern authentication
  3. For scan-to-email, configure SMTP relay:

SMTP Relay Configuration (for printers/devices):

SMTP Server: your domain's MX endpoint, e.g. contoso-com.mail.protection.outlook.com (the dots in the domain become dashes)
Port: 25
TLS: Required (STARTTLS)
Authentication: None (the inbound connector trusts the device's static public IP)

Configure an inbound connector in the Exchange admin center (from your organization's email server, identified by IP address) that allows relay from the device IPs, and add those IPs to your SPF record so relayed mail to external recipients passes SPF. If a device only ever sends to internal recipients, Direct Send to the same MX endpoint needs no connector at all; both options are detailed under Troubleshooting.

Step 4: Create Conditional Access Policy to Block Legacy Auth

Navigation: Entra admin center > Protection > Conditional Access > Policies

Option A: If Using Conditional Access (Recommended)

  1. Click + Create new policy

  2. Name: Block Legacy Authentication

  3. Assignments - Users:

    • Include: All users
    • Exclude:
      • Emergency access accounts
      • Service accounts that require legacy auth (temporary)
  4. Assignments - Target resources:

    • Select All resources (labelled All cloud apps in older versions of the portal)
  5. Conditions - Client apps:

    • Set Configure to Yes
    • Check the following under "Legacy authentication clients":
      • Exchange ActiveSync clients
      • Other clients (this is the one that covers IMAP, POP3, SMTP AUTH, EWS, Outlook Anywhere and the rest)
    • Ensure the "Modern authentication clients" options (Browser, Mobile apps and desktop clients) are unchecked
    • Never save this policy with Configure left at No: with the client-app condition unset, a Block access grant applies to every sign-in in the tenant, including the browser session you are using
  6. Grant:

    • Select Block access
  7. Enable policy:

    • Select Report-only (DO NOT enable enforcement yet)
  8. Click Create
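Option A can also be done with the Microsoft Graph PowerShell SDK, which is useful when the same policy has to be reproduced across tenants or kept in source control. This is an added example, not code from the original guide: it assumes a security group named Emergency Access Accounts already exists and contains the break-glass accounts, creates the temporary exception group from Step 7 if it is missing, and creates the policy in report-only state. The clientAppTypes values exchangeActiveSync and other are the API names of the two "Legacy authentication clients" checkboxes.

```powershell
# Added example (not part of the original guide): create "Block Legacy Authentication" in
# report-only mode through Microsoft Graph PowerShell.
#   Install-Module Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups -Scope CurrentUser
# The group names below are assumptions for this example.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All', 'Group.ReadWrite.All'

$breakGlassName = 'Emergency Access Accounts'          # must already exist and hold the break-glass accounts
$exceptionName  = 'Legacy Auth Exception - Temporary'  # Step 7 group; created here if missing

$breakGlass = Get-MgGroup -Filter "displayName eq '$breakGlassName'"
if (-not $breakGlass) {
    throw "Group '$breakGlassName' not found. Do not deploy a block policy without an excluded break-glass group."
}

$exceptions = Get-MgGroup -Filter "displayName eq '$exceptionName'"
if (-not $exceptions) {
    $exceptions = New-MgGroup -DisplayName $exceptionName -MailEnabled:$false `
                              -MailNickname 'legacyauthexception' -SecurityEnabled
}

$policy = @{
    DisplayName = 'Block Legacy Authentication'
    # Report-only first (Step 5). Step 6 changes this to 'enabled'.
    State       = 'enabledForReportingButNotEnforced'
    Conditions  = @{
        # The two "Legacy authentication clients" checkboxes. An empty array here would make the
        # block apply to browsers and modern clients as well.
        ClientAppTypes = @('exchangeActiveSync', 'other')
        Applications   = @{ IncludeApplications = @('All') }   # "All resources" in the portal
        Users          = @{
            IncludeUsers  = @('All')
            ExcludeGroups = @($breakGlass.Id, $exceptions.Id)
        }
    }
    GrantControls = @{ Operator = 'OR'; BuiltInControls = @('block') }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Read it back and confirm the client-app condition really is restricted to legacy clients
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$types = @($check.Conditions.ClientAppTypes)
if ($types.Count -eq 0 -or $types -contains 'all' -or $types -contains 'browser') {
    throw 'Client app condition is not restricted to legacy clients; this policy would block everything.'
}
```

The read-back check at the end is deliberate: the single most damaging mistake with this policy is a Block grant whose client-app condition was never set, and it is cheap to assert against it before anyone flips the state to enabled.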

Option B: If Using Security Defaults

If you have Security Defaults enabled, legacy authentication is already blocked. Verify:

  1. Navigate to Identity > Overview > Properties
  2. Click Manage security defaults
  3. Verify Security defaults is set to Enabled

Note: Security Defaults blocks legacy auth automatically but offers no exclusions, no report-only mode and no way to phase the change in, and it must be turned off before you can use Conditional Access at all. Tenants that outgrow it should move to the Conditional Access policy above before disabling Security Defaults, otherwise legacy auth is briefly unblocked in between.

Step 5: Monitor in Report-Only Mode

Run the policy in report-only mode for 2-4 weeks to identify any remaining legacy auth usage.

Navigation: Entra admin center > Protection > Conditional Access > Insights and reporting

  1. Navigate to Protection > Conditional Access > Insights and reporting
  2. Select your "Block Legacy Authentication" policy
  3. Review:
    • Users who would be blocked
    • Applications affected
    • Sign-in locations

Check Sign-in Logs Daily:

  1. Go to Identity > Monitoring & health > Sign-in logs
  2. Filter by Conditional Access > Report-only: Failure
  3. Investigate each case and remediate

Create a Remediation Tracker:

User/App           Protocol    Status        Remediation          Target Date
-----------------  ----------  ------------  -------------------  -----------
john@contoso.com   IMAP        Open          Migrate to Outlook   Jan 15
Printer-Floor2     SMTP        In Progress   Configure relay      Jan 10
CRM System         SMTP AUTH   Complete      Updated to OAuth     Done
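The daily sign-in log check and the tracker can be produced from the same data. This is an added example, not part of the original guide: it keeps the sign-ins whose appliedConditionalAccessPolicies entry for the policy has result reportOnlyFailure (the value behind the portal's "Report-only: Failure" filter), collapses them into one tracker row per user, client app and application, and writes the tracker CSV while preserving the Status, Remediation and Target Date columns you filled in on the previous run. The records at the bottom are constructed; for real data use the Get-MgAuditLogSignIn query from Step 1 or the JSON export.

```powershell
# Added example (not part of the original guide): turn report-only results into the remediation tracker.
$PolicyName = 'Block Legacy Authentication'

function Get-ReportOnlyBlocks {
    # Sign-ins that the report-only policy would have blocked had it been enforced
    param([Parameter(Mandatory)] [object[]] $SignIns, [string] $Policy = $PolicyName)
    foreach ($s in $SignIns) {
        $hit = @($s.AppliedConditionalAccessPolicies) |
            Where-Object { $_.DisplayName -eq $Policy -and $_.Result -eq 'reportOnlyFailure' }
        if ($hit) { $s }
    }
}

function New-RemediationTracker {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [string] $Policy = $PolicyName,
        [string] $ExistingTracker      # previous CSV, so Status/Remediation/TargetDate survive a refresh
    )
    $known = @{}
    if ($ExistingTracker -and (Test-Path $ExistingTracker)) {
        Import-Csv $ExistingTracker | ForEach-Object {
            $known["$($_.UserOrApp)|$($_.Protocol)|$($_.Application)"] = $_
        }
    }
    Get-ReportOnlyBlocks -SignIns $SignIns -Policy $Policy |
        Group-Object UserPrincipalName, ClientAppUsed, AppDisplayName |
        ForEach-Object {
            $f    = $_.Group[0]
            $old  = $known["$($f.UserPrincipalName)|$($f.ClientAppUsed)|$($f.AppDisplayName)"]
            $last = $_.Group | Sort-Object CreatedDateTime -Descending | Select-Object -First 1
            [pscustomobject]@{
                UserOrApp   = $f.UserPrincipalName
                Protocol    = $f.ClientAppUsed
                Application = $f.AppDisplayName
                Attempts    = $_.Count
                LastSeen    = $last.CreatedDateTime
                SourceIPs   = ($_.Group.IpAddress | Sort-Object -Unique) -join ';'
                Status      = $(if ($old) { $old.Status }      else { 'Open' })
                Remediation = $(if ($old) { $old.Remediation } else { '' })
                TargetDate  = $(if ($old) { $old.TargetDate }  else { '' })
            }
        }
}

# Constructed sample: two IMAP4 sign-ins and one printer SMTP sign-in the policy would have blocked,
# plus a modern browser sign-in where the policy did not apply (reportOnlyNotApplied)
$signIns = @(
    [pscustomobject]@{ UserPrincipalName = 'john@contoso.com'; ClientAppUsed = 'IMAP4'
        AppDisplayName = 'Office 365 Exchange Online'; IpAddress = '203.0.113.10'
        CreatedDateTime = [datetime]'2025-01-06T07:10:00Z'
        AppliedConditionalAccessPolicies = @([pscustomobject]@{ DisplayName = 'Block Legacy Authentication'; Result = 'reportOnlyFailure' }) }
    [pscustomobject]@{ UserPrincipalName = 'john@contoso.com'; ClientAppUsed = 'IMAP4'
        AppDisplayName = 'Office 365 Exchange Online'; IpAddress = '203.0.113.10'
        CreatedDateTime = [datetime]'2025-01-07T07:12:00Z'
        AppliedConditionalAccessPolicies = @([pscustomobject]@{ DisplayName = 'Block Legacy Authentication'; Result = 'reportOnlyFailure' }) }
    [pscustomobject]@{ UserPrincipalName = 'printer-floor2@contoso.com'; ClientAppUsed = 'Authenticated SMTP'
        AppDisplayName = 'Office 365 Exchange Online'; IpAddress = '198.51.100.7'
        CreatedDateTime = [datetime]'2025-01-07T09:00:00Z'
        AppliedConditionalAccessPolicies = @([pscustomobject]@{ DisplayName = 'Block Legacy Authentication'; Result = 'reportOnlyFailure' }) }
    [pscustomobject]@{ UserPrincipalName = 'john@contoso.com'; ClientAppUsed = 'Browser'
        AppDisplayName = 'Office 365 Exchange Online'; IpAddress = '203.0.113.10'
        CreatedDateTime = [datetime]'2025-01-07T09:30:00Z'
        AppliedConditionalAccessPolicies = @([pscustomobject]@{ DisplayName = 'Block Legacy Authentication'; Result = 'reportOnlyNotApplied' }) }
)

$tracker = New-RemediationTracker -SignIns $signIns -ExistingTracker .\legacy-auth-tracker.csv
$tracker | Format-Table -AutoSize
$tracker | Export-Csv .\legacy-auth-tracker.csv -NoTypeInformation
```

Rows disappear from the tracker once a client stops producing report-only failures, which is the signal that the remediation is actually complete rather than merely marked complete; keep the old CSVs if you need the history.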

Step 6: Enable Enforcement

Once legacy auth usage is eliminated or minimized:

  1. Navigate to Protection > Conditional Access > Policies
  2. Click on your Block Legacy Authentication policy
  3. Change Enable policy from Report-only to On
  4. Click Save

Important Timing:

  • Enable during business hours when support is available
  • Notify users in advance of the enforcement date
  • Have the rollback procedure ready

Step 7: Handle Exceptions (If Required)

If you must allow legacy auth for specific accounts temporarily, remember that an exclusion is per account, not per protocol: an excluded account can be password-sprayed exactly as before. Give such accounts long random passwords, limit them to the one protocol they need, and consider a second policy that allows them only from trusted named locations (the printer subnet, the office egress address).

  1. Create a security group: Legacy Auth Exception - Temporary
  2. Add the users/accounts that require legacy auth
  3. Exclude this group from your blocking policy
  4. Set a calendar reminder to review monthly
  5. Document the business justification for each exception

Exception Documentation Template:

User/Service: ________________________
Protocol Required: ___________________
Business Justification: ______________
Remediation Plan: ____________________
Target Removal Date: _________________
Approved By: _________________________
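Steps 6 and 7 as one script, added here as an example and not taken from the original guide. It assumes the policy and the two groups named in Step 4 and Step 7 exist. Before enforcing it re-reads the policy and refuses to continue unless the break-glass group is excluded and the client-app condition is limited to legacy clients; the rollback sets the policy back to report-only rather than off, so the report-only data keeps flowing while you investigate; and the exception helper is the narrow alternative to a full rollback when one account breaks after enforcement, appending the justification and target removal date to a CSV so the template above gets filled in at the same moment the exception is granted.

```powershell
# Added example (not part of the original guide): enforce, roll back, and grant exceptions.
#   Install-Module Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups, Microsoft.Graph.Users -Scope CurrentUser
# Policy and group names are assumptions matching the earlier steps.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All', 'Group.ReadWrite.All', 'User.Read.All'

$PolicyName     = 'Block Legacy Authentication'
$BreakGlassName = 'Emergency Access Accounts'
$ExceptionName  = 'Legacy Auth Exception - Temporary'

function Get-LegacyAuthBlockPolicy {
    $p = @(Get-MgIdentityConditionalAccessPolicy -All | Where-Object DisplayName -eq $PolicyName)
    if ($p.Count -eq 0) { throw "Policy '$PolicyName' not found" }
    if ($p.Count -gt 1) { throw "More than one policy named '$PolicyName'; rename the duplicates first" }
    $p[0]
}

function Test-SafeToEnforce {
    # Pre-flight: break-glass group excluded, and the block scoped to legacy clients only
    param([Parameter(Mandatory)] $Policy)
    $bg = Get-MgGroup -Filter "displayName eq '$BreakGlassName'"
    if (-not $bg -or ($Policy.Conditions.Users.ExcludeGroups -notcontains $bg.Id)) {
        throw "'$BreakGlassName' is not excluded from '$($Policy.DisplayName)'. Fix that before enforcing."
    }
    $types = @($Policy.Conditions.ClientAppTypes)
    if ($types.Count -eq 0 -or $types -contains 'all' -or $types -contains 'browser') {
        throw 'Client app condition is not limited to legacy clients; enforcing would block everyone.'
    }
    $true
}

function Enable-LegacyAuthBlock {
    $p = Get-LegacyAuthBlockPolicy
    Test-SafeToEnforce -Policy $p | Out-Null
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $p.Id -State 'enabled'
    "Enforced $($p.DisplayName) at $(Get-Date -Format o). Rollback: Undo-LegacyAuthBlock"
}

function Undo-LegacyAuthBlock {
    # Back to report-only, not 'disabled': you keep seeing what the policy would block while you fix the issue
    $p = Get-LegacyAuthBlockPolicy
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $p.Id -State 'enabledForReportingButNotEnforced'
    "$($p.DisplayName) is back in report-only mode"
}

function Add-LegacyAuthException {
    # Narrow alternative to a rollback: exempt one account and record the justification (Step 7 template)
    param(
        [Parameter(Mandatory)] [string]   $UserPrincipalName,
        [Parameter(Mandatory)] [string]   $ProtocolRequired,
        [Parameter(Mandatory)] [string]   $Justification,
        [Parameter(Mandatory)] [datetime] $TargetRemovalDate,
        [string] $Log = '.\legacy-auth-exceptions.csv'
    )
    $grp = Get-MgGroup -Filter "displayName eq '$ExceptionName'"
    if (-not $grp) { throw "Group '$ExceptionName' not found" }
    $usr = Get-MgUser -UserId $UserPrincipalName
    New-MgGroupMember -GroupId $grp.Id -DirectoryObjectId $usr.Id
    [pscustomobject]@{
        UserOrService     = $UserPrincipalName
        ProtocolRequired  = $ProtocolRequired
        Justification     = $Justification
        TargetRemovalDate = $TargetRemovalDate.ToString('yyyy-MM-dd')
        ApprovedBy        = (Get-MgContext).Account
        Added             = (Get-Date -Format o)
    } | Export-Csv $Log -Append -NoTypeInformation
}

# Typical use:
#   Enable-LegacyAuthBlock
#   Add-LegacyAuthException -UserPrincipalName 'printer-floor2@contoso.com' -ProtocolRequired 'SMTP AUTH' `
#       -Justification 'Relay connector change scheduled' -TargetRemovalDate '2025-02-01'
#   Undo-LegacyAuthBlock
```

Group membership changes take a few minutes to reach Conditional Access evaluation, so after Add-LegacyAuthException tell the user to retry rather than to keep hammering the client, which only adds failures to the sign-in log.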

Verification Checklist

After enabling enforcement, verify:

  • Conditional Access policy is set to "On" (not report-only)
  • Policy's Client apps condition is configured with both Exchange ActiveSync clients and Other clients selected, and nothing else
  • Emergency access accounts are excluded
  • Sign-in logs show legacy auth attempts are being blocked
  • No production impact reported by users or applications
  • Exception list is documented and has remediation dates
  • Monthly review calendar reminder is set for exceptions
  • Help desk is prepared for legacy auth-related tickets

Troubleshooting

Users Report "Authentication Failed" or "Cannot Connect"

Problem: User cannot connect after policy enforcement

Diagnosis:

  1. Check the sign-in logs for the user
  2. Look for the failure reason "Access has been blocked by Conditional Access policies. The access policy does not allow token issuance." (error code 53003); the Conditional Access tab of the entry names the policy
  3. Identify the client application being used (Client app column, plus user agent and IP under Basic info)

Solutions by Client Type:

Client                  Solution
----------------------  ----------------------------------------------------------------
Outlook 2010            Upgrade to Outlook 2016 or later, or Microsoft 365 Apps
Outlook 2013            Enable modern auth (EnableADAL) or upgrade
iPhone Mail app         Remove and re-add the account (iOS 11+) or use Outlook for iOS
Android Mail app        Install and use Outlook for Android
macOS Mail              Remove and re-add the account (macOS 10.14+)
Thunderbird             Set the authentication method to OAuth2 (Thunderbird 78+)

Scan-to-Email Stopped Working

Problem: Multifunction printers can no longer send emails

Solution - Option 1: Direct Send (recommended when every recipient is inside your organization)

  1. Point the printer at your tenant's MX endpoint (the MX record of your domain, e.g. contoso-com.mail.protection.outlook.com), port 25, TLS if the device supports it
  2. Use a sender address in one of your accepted domains; it does not have to be a real mailbox
  3. No authentication required; the device needs outbound port 25 to reach Exchange Online
  4. Direct Send only delivers to recipients in your own tenant and is subject to Exchange Online's anti-spam checks, so add the device's public IP to your SPF record

Solution - Option 2: SMTP Relay (when scans also go to external recipients)

  1. Create an inbound connector in the Exchange admin center: from your organization's email server, identified by the device's static public IP address
  2. Point the printer at the same MX endpoint, port 25, TLS
  3. Add the device's public IP to the domain's SPF record; without it, relayed mail to external recipients fails SPF
  4. No authentication required; the connector's IP allow list is the only control, so keep it to the device's fixed egress address

Solution - Option 3: SMTP AUTH Client Submission (only if the device supports OAuth 2.0)

  1. Check whether the printer firmware supports OAuth 2.0 (XOAUTH2) for SMTP; most do not
  2. Configure it with modern authentication against smtp.office365.com, port 587, STARTTLS
  3. Keep SMTP AUTH disabled tenant-wide in Exchange Online and enable it only for the device's mailbox; a Basic-authentication SMTP AUTH client is exactly what the Conditional Access policy blocks
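The three options, and the relay configuration listed in Step 3, from Exchange Online PowerShell. This is an added example, not part of the original guide: contoso.com, the IP 203.0.113.10 and the mailbox names are placeholders, it assumes the ExchangeOnlineManagement module and a Windows host (Resolve-DnsName comes from the DnsClient module), and the tenant-wide SMTP AUTH switch near the end is intentional hardening that will break any remaining Basic-authentication SMTP clients, so run it only after the Step 3 remediation is done.

```powershell
# Added example (not part of the original guide): scan-to-email after the legacy-auth block.
#   Install-Module ExchangeOnlineManagement -Scope CurrentUser
# contoso.com, 203.0.113.10 and the mailbox names are placeholders (assumptions).
Connect-ExchangeOnline

$domain     = 'contoso.com'
$printerIPs = @('203.0.113.10')      # static public egress IP(s) of the devices

# The tenant's MX endpoint is the target for both Direct Send and relay, e.g. contoso-com.mail.protection.outlook.com
$mxHost = (Resolve-DnsName -Name $domain -Type MX | Sort-Object Preference | Select-Object -First 1).NameExchange

# Option 2: inbound connector that lets these IPs relay unauthenticated, also to external recipients.
# Add the same IPs to the domain's SPF record or relayed mail to the outside fails SPF.
if (-not (Get-InboundConnector -Identity 'Scan-to-email relay' -ErrorAction SilentlyContinue)) {
    New-InboundConnector -Name 'Scan-to-email relay' -ConnectorType OnPremises `
        -SenderDomains '*' -SenderIPAddresses $printerIPs `
        -RestrictDomainsToIPAddresses $true -RequireTls $true
}

# Option 3 prerequisite: SMTP AUTH off for the tenant, on only for the device mailbox that submits with OAuth.
# Do this after Step 3 remediation; it disables SMTP AUTH for every mailbox without a per-mailbox override.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
Set-CASMailbox -Identity "scanner@$domain" -SmtpClientAuthenticationDisabled $false

function Test-ScanToEmail {
    # Smoke test for Direct Send (To must be internal) or relay (any recipient, sent from an allowed IP)
    param(
        [Parameter(Mandatory)] [string] $From,
        [Parameter(Mandatory)] [string] $To,
        [string] $SmtpServer = $mxHost
    )
    # Send-MailMessage is marked obsolete but still ships with PowerShell; fine for a one-off test.
    # -UseSsl on port 25 means STARTTLS, which is what the connector's RequireTls expects.
    Send-MailMessage -SmtpServer $SmtpServer -Port 25 -UseSsl -From $From -To $To `
        -Subject "Scan-to-email test $(Get-Date -Format o)" -Body 'Unauthenticated submission test' -ErrorAction Stop
    "Accepted by $SmtpServer for $To"
}

# Run this from the device's network so the source IP matches the connector allow list and SPF
Test-ScanToEmail -From "scanner@$domain" -To "helpdesk@$domain"
```

If the test is accepted from the printer's network but rejected from your workstation, the connector is doing its job; if an external recipient's copy lands in junk, check that the device IP made it into SPF.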

Application Integration Broken

Problem: Line-of-business application cannot send emails or access mailboxes

Solutions:

  1. Update the application: Contact vendor for OAuth 2.0 support
  2. Use Microsoft Graph: Replace SMTP/IMAP with Graph API calls
  3. Use a service account with exception: Temporary, document and plan migration

Cannot Identify Legacy Auth Source

Problem: Sign-in logs show legacy auth but unclear what device/app

Diagnosis Steps:

  1. Check the Device info column in sign-in logs
  2. Look at Location (IP address) to identify device
  3. Check User agent string for application details
  4. Filter by specific user and review all sign-in patterns

Emergency Access Account Blocked

Problem: Break-glass account cannot sign in

Immediate Fix:

  1. A correctly scoped legacy-auth policy only matches Exchange ActiveSync and Other clients, so on its own it cannot block a browser sign-in. If a break-glass account is blocked, the usual cause is a policy saved with the Client apps condition left unconfigured (which makes Block access apply to every client) or the account missing from the exclusion group
  2. Sign in with the other break-glass account (keep at least two, each excluded from every Conditional Access policy), set the policy to Report-only, then fix the exclusion or the client-app condition
  3. If no excluded account can sign in, open a Microsoft support case; there is no portal back door around Conditional Access

Prevention:

  • Always test exclusions before enabling enforcement
  • Keep break-glass accounts in a dedicated group
  • Regularly test break-glass access

Cost Considerations

Direct Costs

Item                                   Cost
-------------------------------------  -------------------------------
Conditional Access (P1 required)       ~$6/user/month (list price)
Security Defaults (if no CA needed)    Free

Indirect Costs

Item                        Consideration
--------------------------  --------------------------------------------------------
Outlook upgrades            May require Microsoft 365 Apps licenses
Mobile app migration        User training time (~15 min/user)
Printer reconfiguration     IT time to configure Direct Send or the relay connector
Application updates         Vendor costs for OAuth-enabled versions
Help desk tickets           Expect a temporary increase during the enforcement weeks

Cost Savings

Benefit                         Value
------------------------------  ---------------------------------------------------
Reduced account compromise      Significant (removes the path most password attacks use)
Lower incident response costs   Fewer breaches to investigate
Reduced credential resets       Fewer forced password changes

Related Controls


Additional Resources