ID-02: Blocking Legacy Authentication Protocols
Overview
Legacy authentication protocols (IMAP, POP3, SMTP AUTH, Exchange ActiveSync with Basic Auth) do not support Multi-Factor Authentication. Attackers exploit these protocols to bypass MFA and gain access to accounts using stolen credentials. Blocking legacy authentication is one of the most impactful security improvements you can make.
Why This Matters: Legacy authentication accounts for the majority of password spray and credential stuffing attacks. These protocols were designed decades ago before MFA existed, and they cannot be retrofitted to support modern authentication. As long as legacy auth is enabled, attackers have a backdoor around your MFA policies.
Impact Statistics:
- 99% of password spray attacks use legacy authentication
- Blocking legacy auth reduces compromised accounts by up to 67%
- Most organizations have less than 1% legitimate legacy auth usage
Prerequisites
Required Roles
- Global Administrator or Conditional Access Administrator - to create blocking policies
- Security Reader - to review sign-in logs
- Reports Reader - to analyze legacy auth usage
License Requirements
| Feature | License |
|---|---|
| Block legacy auth via Security Defaults | Free |
| Block legacy auth via Conditional Access | Microsoft Entra ID P1 |
| Sign-in log analysis (30 days) | Free |
| Sign-in log analysis (extended) | Microsoft Entra ID P1/P2 |
Pre-Checks
- Determine if Security Defaults is currently enabled or if you use Conditional Access
- Identify current legacy authentication usage in your tenant
- Inventory applications and devices that may require legacy auth
- Have a rollback plan ready
Time Estimate
| Task | Duration |
|---|---|
| Analyze current legacy auth usage | 1-2 hours |
| Identify and remediate legacy clients | 1-5 days (varies) |
| Create blocking policy (report-only) | 15 minutes |
| Monitor and adjust | 2-4 weeks |
| Enable enforcement | 15 minutes |
Total: 2-4 weeks for safe rollout (most time is monitoring)
Step-by-Step Instructions
Step 1: Analyze Current Legacy Authentication Usage
Before blocking anything, understand what is currently using legacy authentication.
Navigation: Entra admin center > Identity > Monitoring & health > Sign-in logs
1. Sign in to the Microsoft Entra admin center
2. Navigate to Identity > Monitoring & health > Sign-in logs
3. Add a filter: Client app
4. Select all legacy authentication options:
   - Exchange ActiveSync (EAS)
   - IMAP4
   - MAPI Over HTTP
   - Offline Address Book
   - Other clients
   - Outlook Anywhere (RPC over HTTP)
   - POP3
   - Reporting Web Services
   - SMTP
5. Set the date range to Last 30 days
6. Review the results and note:
   - Which users are using legacy auth
   - Which applications/protocols are being used
   - Which devices or locations
Export for Analysis:
- Click Download > Download JSON or Download CSV
- Open in Excel and create a pivot table by:
  - User Principal Name
  - Client App
  - Application
Step 2: Identify Common Legacy Auth Scenarios
Review your sign-in logs for these common patterns:
Scenario 1: Older Outlook Versions
- Look for: MAPI Over HTTP, Outlook Anywhere
- Users with: Outlook 2010 or older
- Solution: Upgrade to Outlook 2016+ or Outlook for Microsoft 365
Scenario 2: Mobile Email Apps
- Look for: Exchange ActiveSync
- Users with: Built-in mail apps on iOS/Android
- Solution: Switch to Outlook Mobile app or enable modern auth for native apps
Scenario 3: Multifunction Printers/Scanners
- Look for: SMTP
- Devices: Printers sending scan-to-email
- Solution: Configure SMTP relay or use Microsoft Graph for sending
Scenario 4: Legacy Applications
- Look for: IMAP, POP3, SMTP AUTH
- Applications: CRM systems, ticketing systems, automation scripts
- Solution: Update to use OAuth 2.0 or Microsoft Graph API
Scenario 5: Shared Mailboxes
- Look for: Various legacy protocols
- Mailboxes: Support@, info@, shared mailboxes
- Solution: Use modern authentication or configure as shared mailbox properly
Step 3: Remediate Legacy Authentication Usage
Work with users and application owners to migrate away from legacy auth:
For Individual Users:
- Contact users identified in the sign-in logs
- Explain why they need to update their configuration
- Provide specific guidance based on their client:
Outlook Upgrade Path:
| Current Version | Action Required |
|---|---|
| Outlook 2010 or older | Upgrade to Microsoft 365 Apps or Outlook 2019 |
| Outlook 2013 | Enable Modern Auth or upgrade |
| Outlook 2016+ | Ensure Modern Auth is enabled (default) |
Mobile Email Migration:
- Install Microsoft Outlook from app store
- Sign in with work account
- Remove account from built-in Mail app
For Applications and Services:
- Contact the application vendor for OAuth 2.0 support
- Update connection strings to use modern authentication
- For scan-to-email, configure SMTP relay:
SMTP Relay Configuration (for printers/devices):
SMTP Server: [your-tenant].mail.protection.outlook.com
Port: 25
TLS: Required
Authentication: None (IP-based allow list)
Configure connector in Exchange admin center to allow relay from device IPs.
Step 4: Create Conditional Access Policy to Block Legacy Auth
Navigation: Entra admin center > Protection > Conditional Access > Policies
Option A: If Using Conditional Access (Recommended)
1. Click + Create new policy
2. Name: Block Legacy Authentication
3. Assignments - Users:
   - Include: All users
   - Exclude:
     - Emergency access accounts
     - Service accounts that require legacy auth (temporary)
4. Assignments - Target resources:
   - Select All cloud apps
5. Conditions - Client apps:
   - Set Configure to Yes
   - Check the following under "Legacy authentication clients":
     - Exchange ActiveSync clients
     - Other clients
   - Ensure "Modern authentication clients" options are unchecked
6. Grant:
   - Select Block access
7. Enable policy:
   - Select Report-only (DO NOT enable enforcement yet)
8. Click Create
Option B: If Using Security Defaults
If you have Security Defaults enabled, legacy authentication is already blocked. Verify:
- Navigate to Identity > Overview > Properties
- Click Manage security defaults
- Verify Security defaults is set to Enabled
Note: Security Defaults blocks legacy auth automatically but provides less granular control than Conditional Access.
Step 5: Monitor in Report-Only Mode
Run the policy in report-only mode for 2-4 weeks to identify any remaining legacy auth usage.
Navigation: Entra admin center > Protection > Conditional Access > Insights and reporting
- Navigate to Protection > Conditional Access > Insights and reporting
- Select your "Block Legacy Authentication" policy
- Review:
  - Users who would be blocked
  - Applications affected
  - Sign-in locations
Check Sign-in Logs Daily:
- Go to Identity > Monitoring & health > Sign-in logs
- Filter by Conditional Access > Report-only: Failure
- Investigate each case and remediate
Create a Remediation Tracker:
| User/App | Protocol | Status | Remediation | Target Date |
|---|---|---|---|---|
| john@contoso.com | IMAP | Open | Migrate to Outlook | Jan 15 |
| Printer-Floor2 | SMTP | In Progress | Configure relay | Jan 10 |
| CRM System | SMTP AUTH | Complete | Updated to OAuth | Done |
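As an added example (not part of this guide), the following Python script performs the Step 1 pivot and the Step 5 report-only review against a downloaded sign-in log JSON export instead of an Excel pivot table. It assumes the export uses the Microsoft Graph signIn field names (userPrincipalName, clientAppUsed, appDisplayName, ipAddress, appliedConditionalAccessPolicies); the records below are constructed sample data, not real tenant output.

```python
import json
from collections import Counter, defaultdict

# Client app values the sign-in log uses for legacy authentication (the Step 1 filter list).
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "MAPI Over HTTP", "Offline Address Book", "Other clients",
    "Outlook Anywhere (RPC over HTTP)", "POP3", "Reporting Web Services", "SMTP",
}
POLICY_NAME = "Block Legacy Authentication"

# Constructed sample of a sign-in log JSON download; field names follow the Graph signIn
# schema, all values (users, IPs, apps) are made up for this example.
SAMPLE_EXPORT = json.dumps([
    {"userPrincipalName": "john@contoso.com", "clientAppUsed": "IMAP4",
     "appDisplayName": "Office 365 Exchange Online", "ipAddress": "203.0.113.10",
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "reportOnlyFailure"}]},
    {"userPrincipalName": "john@contoso.com", "clientAppUsed": "Browser",
     "appDisplayName": "Office 365 SharePoint Online", "ipAddress": "203.0.113.10",
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "reportOnlyNotApplied"}]},
    {"userPrincipalName": "printer-floor2@contoso.com", "clientAppUsed": "SMTP",
     "appDisplayName": "Office 365 Exchange Online", "ipAddress": "198.51.100.7",
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "reportOnlyFailure"}]},
])

def legacy_auth_pivot(export_json):
    """Step 1: number of legacy-auth sign-ins per (UPN, client app, application)."""
    pivot = Counter()
    for s in json.loads(export_json):
        if s.get("clientAppUsed") in LEGACY_CLIENT_APPS:
            pivot[(s["userPrincipalName"], s["clientAppUsed"], s["appDisplayName"])] += 1
    return pivot

def report_only_failures(export_json, policy_name=POLICY_NAME):
    """Step 5: sign-ins the named policy would have blocked (result reportOnlyFailure),
    grouped per (UPN, client app) with the source IPs seen, ready for the tracker."""
    rows = defaultdict(set)
    for s in json.loads(export_json):
        for p in s.get("appliedConditionalAccessPolicies", []):
            if p["displayName"] == policy_name and p["result"] == "reportOnlyFailure":
                rows[(s["userPrincipalName"], s["clientAppUsed"])].add(s["ipAddress"])
    return {key: sorted(ips) for key, ips in rows.items()}

if __name__ == "__main__":
    for (upn, client, app), n in sorted(legacy_auth_pivot(SAMPLE_EXPORT).items()):
        print(f"{upn:30} {client:8} {app:28} {n}")
    for (upn, client), ips in sorted(report_only_failures(SAMPLE_EXPORT).items()):
        print(f"tracker row: {upn} | {client} | Open | seen from {', '.join(ips)}")
```

Pointing the script at a real export shows, per user and protocol, who still needs remediation before Step 6; modern-auth sign-ins (Browser, Mobile Apps and Desktop clients) are not counted.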
Step 6: Enable Enforcement
Once legacy auth usage is eliminated or minimized:
- Navigate to Protection > Conditional Access > Policies
- Click on your Block Legacy Authentication policy
- Change Enable policy from Report-only to On
- Click Save
Important Timing:
- Enable during business hours when support is available
- Notify users in advance of the enforcement date
- Have the rollback procedure ready
Step 7: Handle Exceptions (If Required)
If you must allow legacy auth for specific scenarios temporarily:
- Create a security group: Legacy Auth Exception - Temporary
- Add the users/accounts that require legacy auth
- Exclude this group from your blocking policy
- Set a calendar reminder to review monthly
- Document the business justification for each exception
Exception Documentation Template:
User/Service: ________________________
Protocol Required: ___________________
Business Justification: ______________
Remediation Plan: ____________________
Target Removal Date: _________________
Approved By: _________________________
Verification Checklist
After enabling enforcement, verify:
- Conditional Access policy is set to "On" (not report-only)
- Policy includes all legacy authentication client types
- Emergency access accounts are excluded
- Sign-in logs show legacy auth attempts are being blocked
- No production impact reported by users or applications
- Exception list is documented and has remediation dates
- Monthly review calendar reminder is set for exceptions
- Help desk is prepared for legacy auth-related tickets
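The first three checklist items can be verified against the policy object itself rather than by eye. The following is an added example (not part of this guide) that inspects a Conditional Access policy in the shape Microsoft Graph returns from GET /identity/conditionalAccess/policies; the emergency-access group ID is a placeholder and the policy below is constructed to match Step 4, Option A after enforcement.

```python
# Graph enum values for conditions.clientAppTypes: the two legacy types vs. the modern ones.
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}
MODERN_CLIENT_APP_TYPES = {"browser", "mobileAppsAndDesktopClients", "all"}
# Placeholder object ID of the emergency-access exclusion group (not a real tenant value).
EMERGENCY_ACCESS_GROUP = "<emergency-access-group-object-id>"

# Constructed policy in Graph shape, matching Step 4 Option A after Step 6 turned it On.
GOOD_POLICY = {
    "displayName": "Block Legacy Authentication",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeGroups": [EMERGENCY_ACCESS_GROUP]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["exchangeActiveSync", "other"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


def check_legacy_block_policy(policy, emergency_group_id=EMERGENCY_ACCESS_GROUP):
    """Return checklist findings for a policy object; an empty list means it passes."""
    findings = []
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    client_apps = set(cond.get("clientAppTypes", []))
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}, not On")
    if not LEGACY_CLIENT_APP_TYPES <= client_apps:
        missing = sorted(LEGACY_CLIENT_APP_TYPES - client_apps)
        findings.append("missing legacy client type(s): " + ", ".join(missing))
    if client_apps & MODERN_CLIENT_APP_TYPES:
        findings.append("modern auth clients would also be blocked: " + ", ".join(sorted(client_apps & MODERN_CLIENT_APP_TYPES)))
    if users.get("includeUsers") != ["All"]:
        findings.append("users is not All users")
    if emergency_group_id not in users.get("excludeGroups", []):
        findings.append("emergency access group is not excluded")
    if cond.get("applications", {}).get("includeApplications") != ["All"]:
        findings.append("target resources is not All cloud apps")
    if "block" not in policy.get("grantControls", {}).get("builtInControls", []):
        findings.append("grant control is not Block access")
    return findings


if __name__ == "__main__":
    print(check_legacy_block_policy(GOOD_POLICY))  # [] : passes every check
    # Same policy still in report-only mode from Step 4: one finding about the state.
    draft = dict(GOOD_POLICY, state="enabledForReportingButNotEnforced")
    print(check_legacy_block_policy(draft))
```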
Troubleshooting
Users Report "Authentication Failed" or "Cannot Connect"
Problem: User cannot connect after policy enforcement
Diagnosis:
- Check sign-in logs for the user
- Look for failure reason: "Blocked by Conditional Access"
- Identify the client application being used
Solutions by Client Type:
| Client | Solution |
|---|---|
| Outlook 2010/2013 | Upgrade to Outlook 2016+ or Microsoft 365 |
| iPhone Mail app | Install and use Outlook for iOS |
| Android Mail app | Install and use Outlook for Android |
| macOS Mail | Configure with modern auth (macOS 10.14+) |
| Thunderbird | Configure OAuth 2.0 (Thunderbird 78+) |
Scan-to-Email Stopped Working
Problem: Multifunction printers can no longer send emails
Solution - Option 1: Direct Send (Recommended)
- Configure printer to send directly to Exchange Online
- Use recipient's email address as envelope sender
- Configure MX record lookup on printer
- No authentication required
Solution - Option 2: SMTP Relay
- Create a connector in Exchange admin center
- Allow relay from printer's IP address
- Configure printer with your MX endpoint
- Use port 25 with TLS
Solution - Option 3: SMTP Client Submission (if supported)
- Check if printer supports OAuth 2.0
- Configure with modern authentication
- Use smtp.office365.com:587
Application Integration Broken
Problem: Line-of-business application cannot send emails or access mailboxes
Solutions:
- Update the application: Contact vendor for OAuth 2.0 support
- Use Microsoft Graph: Replace SMTP/IMAP with Graph API calls
- Use a service account with an exception: temporary only; document it and plan the migration
Cannot Identify Legacy Auth Source
Problem: Sign-in logs show legacy auth but unclear what device/app
Diagnosis Steps:
- Check the Device info column in sign-in logs
- Look at Location (IP address) to identify device
- Check User agent string for application details
- Filter by specific user and review all sign-in patterns
Emergency Access Account Blocked
Problem: Break-glass account cannot sign in
Immediate Fix:
- Verify the emergency account is in the exclusion group
- If not, add it immediately
- If Conditional Access is misconfigured, use Azure Portal fallback
Prevention:
- Always test exclusions before enabling enforcement
- Keep break-glass accounts in a dedicated group
- Regularly test break-glass access
Cost Considerations
Direct Costs
| Item | Cost |
|---|---|
| Conditional Access (P1 required) | ~$6/user/month |
| Security Defaults (if no CA needed) | Free |
Indirect Costs
| Item | Consideration |
|---|---|
| Outlook upgrades | May require Microsoft 365 Apps licenses |
| Mobile app migration | User training time (~15 min/user) |
| Printer reconfiguration | IT time to configure SMTP relay |
| Application updates | Vendor costs for OAuth-enabled versions |
| Help desk tickets | Expect 10-20% increase during rollout |
Cost Savings
| Benefit | Value |
|---|---|
| Reduced account compromise | Significant (prevents majority of password attacks) |
| Lower incident response costs | Fewer breaches to investigate |
| Reduced credential resets | Fewer forced password changes |
Related Controls
- ID-01: MFA Registration - Ensure MFA is registered for modern auth
- CA-01: Baseline MFA Policy - Require MFA after blocking legacy auth
- PA-03: Emergency Access - Ensure break-glass accounts work