Legacy Authentication

security

Older authentication protocols (IMAP, POP3, SMTP AUTH, older Office clients) that cannot enforce multi-factor authentication.

What is Legacy Authentication?

Legacy authentication protocols were designed before MFA existed and have no mechanism to request or verify a second factor. Attackers specifically target these protocols to bypass MFA policies. Even with MFA required via Conditional Access, an attacker with a stolen password can authenticate through legacy protocols unless they are explicitly blocked.

In Microsoft 365

Azure AD Conditional Access can block legacy authentication using the "Client apps" condition. Microsoft recommends blocking legacy auth for all users (except documented service accounts). Sign-in logs show which users and apps still use legacy protocols.

Examples

1IMAP/POP3 email clients
2Old Office versions (Office 2010 and earlier)
3SMTP AUTH for sending mail
4ActiveSync without modern auth

Related TrueConfig Controls

These controls help implement and verify legacy authentication in your Microsoft 365 environment.

ID-02Block Legacy Authentication

Frequently Asked Questions

What is Legacy Authentication?▼

Older authentication protocols (IMAP, POP3, SMTP AUTH, older Office clients) that cannot enforce multi-factor authentication.

How does Legacy Authentication work in Microsoft 365?▼

What are examples of Legacy Authentication?▼

Examples of Legacy Authentication include: IMAP/POP3 email clients, Old Office versions (Office 2010 and earlier), SMTP AUTH for sending mail, ActiveSync without modern auth.

Which TrueConfig controls relate to Legacy Authentication?▼

TrueConfig controls related to Legacy Authentication include: ID-02. These controls help implement and verify legacy authentication in your environment.

Related Terms

Conditional Access

Policy-based access control that evaluates signals and enforces security requirements before granting access.

← Back to Glossary Browse Controls →