This policy blocks all legacy authentication protocols because of the high risk they carry if left enabled. Since legacy authentication cannot enforce MFA, it is the preferred entry point for attackers: a stolen or guessed password alone is enough to sign in.
There are several reasons why an IT admin would want to block legacy authentication:
- Security: Legacy authentication protocols, such as Basic authentication over POP3, IMAP4 or SMTP, are less secure than modern authentication protocols, such as OAuth 2.0 and SAML, because they present only a username and password and cannot be challenged for MFA. That makes them the natural target for password spraying and credential stuffing, where an attacker tries common or leaked passwords across many accounts.
- Compliance: Many industries have regulations that require modern authentication, or at least multifactor authentication, for access to certain types of data. For example, financial services regulations commonly require it for access to customer data.
- Reduced risk of data breaches: Data breaches are a major concern for businesses of all sizes. By blocking legacy authentication, IT admins can help to reduce the risk of a data breach occurring, even if an attacker is able to obtain a user’s credentials.
- Improved user experience: Modern authentication protocols are generally easier to use than legacy authentication protocols. For example, modern authentication protocols often support single sign-on (SSO), which allows users to log in to multiple applications with a single set of credentials.
Goal: Create a policy that blocks legacy authentication for the organization to reduce the attack surface.
What does blocking legacy authentication impact?
The following messaging protocols support legacy authentication:
- Authenticated SMTP – Used to send authenticated email messages.
- Autodiscover – Used by Outlook and EAS clients to find and connect to mailboxes in Exchange Online.
- Exchange ActiveSync (EAS) – Used to connect to mailboxes in Exchange Online.
- Exchange Online PowerShell – Used to connect to Exchange Online with remote PowerShell. If you block Basic authentication for Exchange Online PowerShell, you need to use the Exchange Online PowerShell Module to connect. For instructions, see Connect to Exchange Online PowerShell using multifactor authentication.
- Exchange Web Services (EWS) – A programming interface that’s used by Outlook, Outlook for Mac, and third-party apps.
- IMAP4 – Used by IMAP email clients.
- MAPI over HTTP (MAPI/HTTP) – Primary mailbox access protocol used by Outlook 2010 SP2 and later.
- Offline Address Book (OAB) – A copy of address list collections that are downloaded and used by Outlook.
- Outlook Anywhere (RPC over HTTP) – Legacy mailbox access protocol supported by all current Outlook versions.
- POP3 – Used by POP email clients.
- Reporting Web Services – Used to retrieve report data in Exchange Online.
- Universal Outlook – Used by the Mail and Calendar app for Windows 10.
- Other clients – clients not covered by the categories above, such as Microsoft Office 2013 or older, which do not use modern authentication by default.
How do I find out whether my organization is currently using legacy authentication?
- Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
- Browse to Identity > Monitoring & health > Sign-in logs.
- Add the Client App column if it isn’t shown by clicking on Columns > Client App.
- Select Add filters > Client App > choose all of the legacy authentication protocols and select Apply.
If you have enabled the new sign-in activity reports preview, repeat the steps above on the User sign-ins (non-interactive) tab as well, since background sign-ins such as mail client polling are reported there rather than under interactive sign-ins.
Filtering shows you the sign-in attempts made over legacy authentication protocols. Clicking an individual sign-in attempt shows more details; the Client App field under the Basic Info tab indicates which legacy authentication protocol was used. Review both successful and failed attempts: a user with successful legacy sign-ins needs a migration plan before you block, while a burst of failures against many accounts is the password-spraying pattern the policy is meant to stop.
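The same inventory can be pulled from the sign-in log with the Microsoft Graph PowerShell SDK, which is easier to run on a schedule than the portal filter. This is an added example, not code from the original page; it assumes the Microsoft.Graph.Reports module is installed, that the signed-in account holds the AuditLog.Read.All and Directory.Read.All permissions, and that the client app strings below match what the portal's Client app filter displays (treat that list as an assumption and adjust if your tenant reports different labels).

```powershell
# Added example: enumerate legacy-authentication sign-ins via Microsoft Graph.
# Assumes Microsoft.Graph.Reports is installed and the caller has
# AuditLog.Read.All and Directory.Read.All.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# clientAppUsed values for legacy protocols, as shown in the portal's
# Client app filter (assumed list; adjust to match your tenant's labels).
$legacyClientApps = @(
    'Authenticated SMTP', 'Autodiscover', 'Exchange ActiveSync',
    'Exchange Online PowerShell', 'Exchange Web Services', 'IMAP4',
    'MAPI Over HTTP', 'Offline Address Book', 'Other clients',
    'Outlook Anywhere (RPC over HTTP)', 'POP3', 'Reporting Web Services',
    'Universal Outlook'
)

# Last 30 days of interactive sign-ins. The v1.0 signIns endpoint returns
# interactive events only; non-interactive sign-ins require the beta endpoint.
$since   = (Get-Date).AddDays(-30).ToUniversalTime().ToString('o')
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

$legacy = $signIns | Where-Object { $legacyClientApps -contains $_.ClientAppUsed }

# One row per user/protocol with success vs failure counts, so real usage
# (successes) is separated from password-spray noise (mostly failures).
$legacy |
    Group-Object UserPrincipalName, ClientAppUsed |
    ForEach-Object {
        [pscustomobject]@{
            User      = $_.Group[0].UserPrincipalName
            ClientApp = $_.Group[0].ClientAppUsed
            Succeeded = ($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
            Failed    = ($_.Group | Where-Object { $_.Status.ErrorCode -ne 0 }).Count
            LastSeen  = ($_.Group | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime
            SourceIPs = ($_.Group.IpAddress | Sort-Object -Unique) -join ', '
        }
    } |
    Sort-Object Succeeded -Descending |
    Format-Table -AutoSize
```

Rows with a high Succeeded count are the users and service accounts you must migrate before enforcing the block; rows with many failures and no successes across many users from a few source IPs are typically spraying attempts and are exactly what the policy will shut out.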

Block Legacy Authentication
To create the policy, navigate to the Intune portal > Devices > Conditional access > Policies > New policy.
Name: 012. [All Devices] [All Users] Block Legacy Authentication
Assignments:
- Users: Include: All Users; Exclude: Break glass group
- Target resources: Include: All Cloud apps
- Conditions: Client apps: Legacy authentication clients: Exchange ActiveSync clients, Other clients
Access controls:
- Grant: Block access
Create the policy in report-only mode first and review the resulting sign-in log entries before switching it to On. The break-glass exclusion is what keeps an emergency access account usable if the policy misfires, so never create a block policy without it.
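The same policy can be created through the Microsoft Graph PowerShell SDK, which makes it repeatable across tenants and keeps the break-glass exclusion from being forgotten. This is an added example, not code from the original page; it assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Groups modules are installed, that the caller holds the Policy.ReadWrite.ConditionalAccess, Policy.Read.All and Group.Read.All permissions, and that the break-glass group name `CA-Exclude-BreakGlass` is a placeholder you replace with your own.

```powershell
# Added example: create the block-legacy-authentication policy via Graph.
# Assumes Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Groups are
# installed; the group name below is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Resolve the break-glass exclusion group to its object ID and refuse to
# continue if it cannot be resolved unambiguously: a block policy with no
# emergency exclusion can lock every admin out of the tenant.
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'"
if (-not $breakGlass -or $breakGlass.Count -ne 1) {
    throw "Expected exactly one break-glass group; refusing to create a block policy without an exclusion."
}

$policy = @{
    displayName = "012. [All Devices] [All Users] Block Legacy Authentication"
    # Report-only first; change to 'enabled' after reviewing sign-in log results.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlass.Id)
        }
        applications = @{
            includeApplications = @("All")
        }
        # The two legacy client app types: Exchange ActiveSync and Other clients.
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Read the policy back and check what the service stored, not what was sent.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = 'ClientAppTypes'; e = { $_.Conditions.ClientAppTypes -join ',' } },
        @{ n = 'ExcludeGroups';  e = { $_.Conditions.Users.ExcludeGroups -join ',' } }
```

The read-back at the end should show `exchangeActiveSync,other` under ClientAppTypes and the break-glass group ID under ExcludeGroups; if either is empty, do not enable the policy.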