Microsoft Legacy Authentication Deprecation

One Month and Counting!

Legacy authentication allows applications to connect to servers, services, and APIs (for example, a Microsoft 365 mailbox) using only a username and a password, which leaves such accounts susceptible to brute-force or to password spray attacks. Additionally, in applications where legacy authentication remains enabled, the enforcement of multifactor authentication (MFA) can be challenging.

Beginning in early 2021, Microsoft began to disable legacy authentication for existing tenants with no reported usage. Approximately a year ago they announced that as of October 1, 2022, they will begin turning off Legacy authentication for Outlook, EWS, RPS, POP, IMAP, and EAS protocols in Exchange Online. SMTP Auth will also be disabled if it is not being used.

This decision requires customers to move from applications that use Legacy authentication to those that use Modern authentication (OAuth 2.0 token-based authorization), which has a limited usable lifetime, is specific to the applications and resources for which they are issued and makes enabling and enforcing multifactor authentication (MFA) much simpler.

As of this writing, it strongly appears Microsoft is holding steady on the October 1, 2022 deadline, meaning if you have applications or users which will be impacted, you have very little time to react.

How Do You Know Which Application/Users Will be Impacted?

There are several ways to identify applications using legacy authentication, including viewing the authentication dialogue, and checking Message Center, Admin Center, and Azure Active Directory (AAD) sign-in reports. Fortunately, there are easier ways to check for applications and users using legacy authentications.

All Azure users can view a workbook to check the status of applications and users. Go to:
https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Workbooks

Search for “legacy” in the search box and find “Sign-Ins using Legacy Authentication.” This will display applications, legacy protocols, and users using legacy protocols. Note that you can tab between interactive and non-interactive sign-ins.

If you are licensed for AAD P2, you can get visibility if you have an existing policy, or you can create one to help migrate users at:
https://portal.azure.com/#view/Microsoft_AAD_IAM/ConditionalAccessBlade/~/Policies

If you have a policy, go to “Insights and reporting” on the left menu, followed by “Workbooks” on the left. If you do not, choose “+ New policy from templates (Preview)” from the top navigation and “Block Legacy Authentication” to create a policy. From the main menu, you can now access results as described above. Note that by default, your new policy will be in “Report Only” mode, and we recommend performing your discovery and remediation work in this mode prior to enabling the policy.

While this deprecation has been widely communicated for quite some time, SecureSky is still finding organizations and even some application developers lagging in their response. Time is of the essence to avoid user and potential business impact.

If you have any questions, please do not hesitate to reach out to us at info@securesky.com for assistance. We would be happy to assist you.