Disable Legacy Authentication: Older Sign-In Methods Bypassing Modern Protection

Why this risk matters

Legacy authentication refers to older sign-in protocols — Basic Authentication, SMTP AUTH, POP3, IMAP4, and similar — designed before modern authentication and MFA existed. These protocols transmit credentials as simple username and password pairs with no mechanism to support MFA, Conditional Access policies, or any of the modern sign-in protections that Microsoft 365 is built around.

When legacy authentication is enabled, an attacker who obtains credentials through phishing, credential stuffing, or a data breach can sign in directly using one of these older protocols and completely bypass MFA. It doesn't matter that the user has MFA registered — the legacy protocol simply doesn't ask for it.

Microsoft's own research consistently finds that legacy authentication is involved in the vast majority of password spray attacks. Blocking it is one of the highest-impact, lowest-risk security changes available for most tenants — and one of the first things Conditional Access security baselines recommend.

What happens if this is abused

  • Password spray and credential stuffing attacks succeed via SMTP AUTH, POP3, or IMAP even when MFA is enforced via Conditional Access for modern auth clients
  • Basic Auth connections from compromised credentials authenticate silently — no MFA prompt, no Conditional Access evaluation
  • Older email clients (Outlook 2013, Apple Mail on older iOS, generic IMAP clients) authenticate without any MFA challenge
  • Attackers use leaked credentials from third-party data breaches to access M365 mailboxes directly via IMAP or POP3
  • Defender for Identity and Entra ID risk signals based on modern auth patterns don't trigger for legacy protocol sign-ins

When this is expected or acceptable

Some environments have legitimate legacy authentication dependencies that must be handled before blocking:

  • Legacy printers, scanners, or multifunction devices that send email using SMTP AUTH and cannot be reconfigured to use modern auth or Microsoft Graph
  • Older line-of-business applications authenticating to Exchange Online via Basic Auth that are pending migration or decommission
  • Specific shared service accounts used by monitoring systems or ticketing tools not yet updated to OAuth
  • On-premises Exchange hybrid environments with specific connectors that may require legacy protocol support

Exceptions should be scoped as narrowly as possible — to specific service accounts and source IP ranges rather than broad user groups. A report-only policy will surface all legacy auth usage before you enforce.

Checks to perform before taking action

  • In Entra ID sign-in logs, filter by Client App for legacy auth clients: POP3, IMAP, Authenticated SMTP, Exchange ActiveSync (Basic Auth), Other Clients
  • Use the Entra ID workbook "Sign-ins using legacy authentication" for a tenant-wide view of all legacy auth activity
  • Identify all accounts currently using legacy protocols and confirm whether each has a legitimate, documented business need
  • Check for shared device accounts (printers, scanners) using SMTP AUTH for email relay and plan migration to a dedicated relay connector
  • Review third-party integrations (ticketing, monitoring, helpdesk software) for Basic Auth dependencies and get a migration timeline from vendors

Safe remediation steps

  1. Create a Conditional Access policy targeting all users with a Block grant control scoped to legacy authentication client apps
  2. Deploy in Report-only mode and review the sign-in impact workbook after 7–14 days
  3. Work with application owners to migrate any legitimate legacy auth users to modern authentication or Graph API
  4. For devices that cannot be migrated (printers, legacy scanners), configure SMTP relay through a dedicated connector or relay service instead of keeping authenticated SMTP as a permanent fix
  5. Create named service account exclusions for any remaining legacy auth dependencies with a documented migration deadline
  6. Enforce the policy and monitor for blocked sign-in attempts
  7. Confirm no critical workflows were broken and address any residual legacy auth requirements
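The inventory check above and steps 1, 2 and 5 of the procedure, as an added example in Microsoft Graph PowerShell (not code from the original article): it lists who still signs in over legacy protocols, then creates the block policy in report-only mode with named exclusions. The module names and cmdlets are real; the group and account object IDs are placeholders you must replace, and the 30-day window is an assumption.

```powershell
# Added example, not part of the original article.
# Requires the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Reports modules.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All", "Policy.ReadWrite.ConditionalAccess"

# --- Check: who is still using legacy authentication? (assumed 30-day window) ---
$since  = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
# clientAppUsed values that correspond to legacy protocols in the sign-in logs
$legacyClients = @("Exchange ActiveSync", "Other clients", "IMAP4", "POP3", "Authenticated SMTP")

Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $legacyClients -contains $_.ClientAppUsed } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name          # one row per (user, protocol) pair, busiest first

# --- Remediation: block legacy auth, starting in report-only mode ---
# Placeholders: break-glass group and any service accounts with a documented
# legacy-auth dependency (each should carry a migration deadline).
$breakGlassGroupId = "<object-id-of-break-glass-group>"
$serviceAccountIds = @("<object-id-of-legacy-service-account>")

$policy = @{
    displayName = "Block legacy authentication (report-only)"
    # Review the sign-in impact for 7-14 days, then change state to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # exchangeActiveSync and other are the client app types that represent
        # legacy protocols (Basic Auth, SMTP AUTH, POP3, IMAP4, ...).
        clientAppTypes = @("exchangeActiveSync", "other")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers  = @("All")
            excludeUsers  = $serviceAccountIds      # step 5: narrowly scoped exclusions
            excludeGroups = @($breakGlassGroupId)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Once the inventory query returns no rows other than your documented exceptions, update the policy's state to "enabled" and keep watching the sign-in logs for blocked attempts.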

Related risks and follow-on checks

After enforcing this control, review these related areas:

  • Legacy Authentication Exposure — the GSO finding that surfaces accounts actively using legacy auth in your tenant; resolve these findings as part of the same workstream
  • CA MFA Bypass Paths — legacy auth is often the gap that makes an otherwise well-configured MFA policy ineffective
  • Users with Risky MFA Settings — MFA on a user account provides no protection if legacy auth is available as a bypass
  • Excessive Authentication Failures — legacy auth attacks don't always appear as failures; hunt for successful sign-ins via these protocols from suspicious IPs