O365: Disable legacy authentication
Optimise your O365 environment:
Description
Using legacy authentication may, in some circumstances, increase the risk of account compromise because of how the password is transmitted and stored. Although most communication happens over TLS, when authentication occurs with a legacy protocol (e.g., IMAP4 or SMTP) it uses Basic authentication, and it is theoretically possible for that exchange to take place over a non-TLS channel.
Legacy authentication does not support multi-factor authentication, so an attacker who holds only a username and password can use this type of authentication to attempt to compromise the account.
In addition, some programs that use legacy authentication store their passwords in clear text or by another insecure method. For this reason, it is also recommended that these protocols be disabled and that clients move to protocols that support token-based authentication, where the token is scoped to the activity being performed.
Remediation
Disable legacy authentication using either Azure AD Conditional Access or Exchange Online Authentication Policies (for Exchange Online only).
Additionally, disable legacy protocols in Office 365.
For more information see the sections on disabling IMAP, POP3, and SMTP authenticated submission.
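The following PowerShell is an added example of the Exchange Online side of this remediation; it is not code from the original page or from Microsoft. It assumes the ExchangeOnlineManagement module, an Exchange administrator role, and uses placeholder names for the policy and the pilot mailbox. It creates an authentication policy that blocks Basic authentication, pilots it on one user, makes it the tenant default, and then disables IMAP, POP3 and SMTP authenticated submission so the protocols themselves are off.

```powershell
# Added example (not from the original page): block Basic authentication in
# Exchange Online with an authentication policy, then turn off the legacy
# protocols. Requires the ExchangeOnlineManagement module and an Exchange
# administrator role. Policy and user names below are placeholders.

Connect-ExchangeOnline

$policyName = 'Block Basic Auth'            # placeholder policy name
$pilotUser  = 'pilot.user@contoso.example'  # placeholder pilot mailbox

# 1. Create the policy. A newly created authentication policy blocks Basic
#    auth for every protocol by default (all AllowBasicAuth* values are $false).
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}

# Check exactly what the policy blocks before assigning it to anyone.
Get-AuthenticationPolicy -Identity $policyName |
    Format-List Name, AllowBasicAuthImap, AllowBasicAuthPop, AllowBasicAuthSmtp,
                AllowBasicAuthActiveSync, AllowBasicAuthAutodiscover,
                AllowBasicAuthMapi, AllowBasicAuthOfflineAddressBook,
                AllowBasicAuthOutlookService, AllowBasicAuthPowershell,
                AllowBasicAuthReportingWebServices, AllowBasicAuthRpc,
                AllowBasicAuthWebServices

# 2. Pilot on a single user first. Resetting the refresh-token timestamp makes
#    the policy apply immediately rather than after the cached interval.
Set-User -Identity $pilotUser -AuthenticationPolicy $policyName
Set-User -Identity $pilotUser -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)

# 3. Once the pilot is clean, make the policy the tenant default. Users with an
#    explicitly assigned policy keep it; everyone else inherits this one.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# 4. Disable the legacy protocols themselves, so a later policy change cannot
#    quietly re-enable Basic auth over IMAP/POP/SMTP. First list mailboxes that
#    still have any of them on:
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled -or $_.SmtpClientAuthenticationDisabled -ne $true } |
    Select-Object Identity, ImapEnabled, PopEnabled, SmtpClientAuthenticationDisabled

# Then turn them off per mailbox (review the list above before running this)...
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled -or $_.SmtpClientAuthenticationDisabled -ne $true } |
    ForEach-Object {
        Set-CASMailbox -Identity $_.Identity -ImapEnabled $false -PopEnabled $false `
                       -SmtpClientAuthenticationDisabled $true
    }

# ...and disable SMTP AUTH tenant-wide so newly created mailboxes inherit it.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
```

The per-mailbox SmtpClientAuthenticationDisabled value overrides the tenant-wide TransportConfig setting, so a mailbox that must keep SMTP AUTH (a scanner or line-of-business relay) can be set to $false individually while the organization default stays disabled.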
Remediation Impact
Users that are currently relying on this authentication method, potentially as a means of circumventing a multi-factor authentication requirement, will need to use a client that supports modern authentication.
Additional Information
How to: Block legacy authentication to Azure AD with conditional access
Disable Basic authentication in Exchange Online
New tools to block legacy authentication
Azure AD Security Defaults can be used to block legacy authentication. Security Defaults are for use when not using Conditional Access.
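As an added example (not from the original page or from Microsoft), the following Microsoft Graph PowerShell creates the Conditional Access policy that blocks legacy authentication in report-only mode, then reviews recent sign-ins to show which accounts still use legacy clients and would be affected once the policy is enforced. It assumes the Microsoft.Graph SDK, a placeholder emergency-access account ID, and a 30-day look-back; the list of clientAppUsed strings is taken from commonly observed sign-in log values and should be adjusted to what your tenant reports.

```powershell
# Added example (not from the original page): Conditional Access policy that
# blocks legacy authentication, created in report-only mode, plus a sign-in
# log review of who still uses legacy clients. Requires the Microsoft.Graph
# PowerShell SDK. The break-glass account ID and the look-back are placeholders.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'AuditLog.Read.All', 'Directory.Read.All'

$breakGlassObjectId = '00000000-0000-0000-0000-000000000000'  # placeholder: emergency access account

# 1. Policy definition. clientAppTypes "exchangeActiveSync" and "other" are the
#    two categories Azure AD uses for legacy authentication clients.
$policy = @{
    displayName = 'Block legacy authentication'
    state       = 'enabledForReportingButNotEnforced'   # report-only until impact is reviewed
    conditions  = @{
        clientAppTypes = @('exchangeActiveSync', 'other')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassObjectId)     # never lock out the emergency account
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# 2. Who would be affected? Pull sign-ins from the last 30 days and keep those
#    whose client is a legacy protocol. Values below are commonly seen in the
#    clientAppUsed field; adjust to match what your tenant actually reports.
$legacyClients = @('IMAP4', 'POP3', 'SMTP', 'Authenticated SMTP', 'Exchange ActiveSync',
                   'Other clients', 'Exchange Web Services', 'MAPI Over HTTP',
                   'Outlook Anywhere (RPC over HTTP)', 'Autodiscover', 'Offline Address Book')
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.ClientAppUsed -in $legacyClients } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object @{ n = 'User';   e = { $_.Group[0].UserPrincipalName } },
                  @{ n = 'Client'; e = { $_.Group[0].ClientAppUsed } },
                  Count |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# 3. After the report-only period, once the users above have moved to modern
#    authentication clients, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State 'enabled'
```

Report-only mode records in the sign-in log what the policy would have done without blocking anyone, which is the safest way to measure the remediation impact described above before switching the state to enabled. If the tenant uses Security Defaults instead, this policy is unnecessary: Security Defaults already block legacy authentication and cannot be combined with Conditional Access.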
Thank you to Microsoft for the content