O365: Disable legacy authentication

Using legacy authentication may, in some circumstances, increase the risk of account compromise due to how the password is transmitted and stored.


Description

Using legacy authentication may, in some circumstances, increase the risk of account compromise due to how the password is transmitted and stored. Although most communication happens over TLS, when authentication occurs with a legacy protocol (e.g., IMAP4 or SMTP), the authentication is Basic (the username and password are sent with every request), and it is theoretically possible for it to occur over a non-TLS channel.

Legacy authentication does not support multi-factor authentication, allowing a potential attacker to leverage this type of authentication to attempt to compromise an account using only a username and password.

In addition, some programs that use legacy authentication may store their passwords in clear text or by other insecure methods. For this reason, it is also recommended that these protocols be disabled and that clients move to protocols that support token-based authentication, where the token is scoped to the activity being performed.

Remediation

Disable legacy authentication using either Azure AD Conditional Access or Exchange Online Authentication Policies (for Exchange Online only).

Additionally, disable legacy protocols in Office 365.

For more information see the sections on disabling IMAP, POP3, and SMTP authenticated submission.
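The Exchange Online side of the remediation above, as an added example that is not part of the original page or of Microsoft's documentation. It assumes the ExchangeOnlineManagement module is installed, that admin@contoso.example is a placeholder admin account, and that the policy name "Block Basic Auth" is your own choice.

```powershell
# Added example: block Basic authentication in Exchange Online and disable
# the legacy protocols (IMAP, POP3, SMTP AUTH) that depend on it.
# Assumes the ExchangeOnlineManagement module and a placeholder admin UPN.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

$PolicyName = 'Block Basic Auth'   # assumed name; any name works

# 1. Authentication policy. With no -AllowBasicAuth* switches supplied,
#    the policy blocks Basic auth for every protocol.
if (-not (Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $PolicyName | Out-Null
}

# 2. Make it the tenant default so every user without an explicit policy
#    is covered, and assign it explicitly to current users. Resetting the
#    token issue time forces the policy to apply now instead of after the
#    default 24-hour refresh.
Set-OrganizationConfig -DefaultAuthenticationPolicy $PolicyName
Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    ForEach-Object {
        Set-User -Identity $_.Identity -AuthenticationPolicy $PolicyName `
                 -STSRefreshTokensValidFrom (Get-Date)
    }

# 3. Disable the legacy protocols themselves on existing mailboxes, on the
#    plans used for new mailboxes, and SMTP AUTH at the organisation level.
Get-CASMailbox -ResultSize Unlimited |
    Set-CASMailbox -ImapEnabled $false -PopEnabled $false `
                   -SmtpClientAuthenticationDisabled $true
Get-CASMailboxPlan | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# 4. Verify: the policy should show every AllowBasicAuth* flag as False,
#    and no mailbox should still have IMAP or POP enabled.
Get-AuthenticationPolicy -Identity $PolicyName | Format-List AllowBasicAuth*
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled } |
    Select-Object PrimarySmtpAddress, ImapEnabled, PopEnabled
```

Run the verification step again after the Remediation Impact period below: any mailbox listed by the last command is one that a user or service has re-enabled and that still accepts a username-and-password-only login.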

Remediation Impact

Users that are currently relying on this authentication method, potentially as a means of circumventing a multi-factor authentication requirement, will need to use a client that supports a modern authentication experience.

Additional Information

How to: Block legacy authentication to Azure AD with conditional access

https://docs.microsoft.com/en-gb/azure/active-directory/conditional-access/block-legacy-authentication

Disable Basic authentication in Exchange Online

https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online

New tools to block legacy authentication

https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302

Azure AD Security Defaults can be used to block legacy authentication. Security Defaults are for use when not using Conditional Access.

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults

Thank you to Microsoft for the content