
How To Block Legacy Authentication Office 365

Microsoft recently announced that on October 1, 2022 they are going to disable legacy authentication (basic auth) for all M365 tenants. With everything now moving to Modern Authentication and the Microsoft Authentication Library (MSAL), which replaces the Active Directory Authentication Library (ADAL), we should know how to disable those old authentication methods. Today, we’re going to cover the step-by-step methods to block legacy authentication in Office 365.

What is Legacy Authentication And Why We Should Block It

I suppose before we go into detail on how to block it, we should probably address what it is. Legacy authentication is more or less self-explanatory. By that I mean, it includes authentication methods that have been superseded by today’s modern authentication. In short, legacy authentication refers to the authentication methods typically used by mail protocols such as IMAP, SMTP and POP3. Microsoft Office 2010 is an example of a client that uses legacy authentication.

The biggest takeaway here is that legacy authentication was highly active during a time when multi-factor authentication wasn’t really a thing. We’ve come a long way as far as security and auth methods go, but we should still close those gaps, because leaving them open creates vulnerabilities in your environment.

To summarize, legacy authentication does not enforce multi-factor authentication (MFA), so it gives attackers a preferred attack vector to exploit. This is the biggest reason why we want to block legacy authentication. With that said, we can now get into the modern (and preferred) method of blocking legacy authentication using conditional access policies.


How To See If Legacy Authentication Is Blocked in your Tenant

Now before you go through your testing it might be a good idea to check whether basic authentication is blocked in your tenant to begin with. Microsoft has already stated that if they don’t see any authentication requests using these older protocols, they’re going to disable it by default. In my tenant I wasn’t using it, so it was actually already turned off. To save you the headache, here are the steps to check if basic authentication is enabled in your tenant.

Office 365 Org Settings


Use Conditional Access To Block Legacy Authentication In Office 365

Now that we understand the why, let’s get into the how portion of this article. We’re going to assume you have permissions to create conditional access policies.

CA Policy Legacy Auth

  • We’ll name this policy, Common Policy – Block Legacy Authentication
  • Under Users and groups:
    • Under Include: We’ll select all users
    • Under Exclude: We’ll want to exclude our exclusions group – e.g. break glass/service accounts

Legacy Auth User Assignment

  • Cloud apps or actions:
    • Under Include: We’ll select all cloud apps
    • Under Exclude: We’ll want to leave this blank

Cloud App Assignment

  • Conditions -> Client apps:
    • Select “Yes” to configure policy
    • Unselect Browser and Mobile apps and desktop clients
    • Leave Exchange ActiveSync clients checked
    • Leave Other clients checked

Conditions in CA Policy

  • Grant:
    • Select Block Access

Block Access Azure AD Conditional Access blade

For the final step, set the policy to Report-only so you can get some insights before enforcing it. This will give you a heads up as to who is still using legacy authentication and at least give them some kind of notice to stop. Otherwise, if you’re brave, set the policy to On straight away and apply the scream test, which is just as effective at finding out who is still using it.
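The same policy can be built with Microsoft Graph PowerShell instead of clicking through the portal, which makes it reviewable and repeatable, and the report-only state can be read back from the sign-in logs. This is an added example, not code from the original post; it assumes the Microsoft.Graph module is installed and uses a placeholder object ID for the exclusion group.

```powershell
# Added example, not from the original post: builds the same report-only policy with
# Microsoft Graph PowerShell, then lists who is still signing in with legacy clients.
# Assumptions: Microsoft.Graph module installed; $ExclusionGroupId is a placeholder for
# the object ID of your break-glass/service-account exclusion group.
$ExclusionGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace it

$scopes = @("Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
            "AuditLog.Read.All", "Directory.Read.All")
Connect-MgGraph -Scopes $scopes

$policy = @{
    DisplayName = "Common Policy - Block Legacy Authentication"
    State       = "enabledForReportingButNotEnforced"   # Report-only; set to "enabled" later
    Conditions  = @{
        Users = @{
            IncludeUsers  = @("All")
            ExcludeGroups = @($ExclusionGroupId)
        }
        Applications = @{ IncludeApplications = @("All") }
        # Only the two legacy client types stay selected: Exchange ActiveSync and Other clients.
        ClientAppTypes = @("exchangeActiveSync", "other")
    }
    GrantControls = @{
        Operator        = "OR"
        BuiltInControls = @("block")
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output ("Created policy {0} in state {1}" -f $created.Id, $created.State)

# Report-only insight: sign-ins from the last 7 days whose client app is neither
# "Browser" nor "Mobile Apps and Desktop clients", i.e. exactly what the policy will block.
$since  = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
$modern = @("Browser", "Mobile Apps and Desktop clients")
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -and ($_.ClientAppUsed -notin $modern) } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The grouped output gives you the user/protocol pairs to chase before flipping the policy to On.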

Block Legacy Authentication Exchange Online

In addition to conditional access, we should also consider disabling the legacy auth methods in Exchange Online itself. There are several ways we can go about it, and we’ll cover those methods as well. However, here is a quick overview.

  • Using an Authentication Policy
    • Apply it as the default organization policy
    • Apply it as a per user policy
  • Disable IMAP/POP/MAPI/SMTPAuth protocols per mailbox

Create an Authentication Policy to Disable Basic Authentication

Creating an authentication policy helps you not only identify who is still using basic authentication, but also set a standard for your tenant. The command to create an auth policy is New-AuthenticationPolicy. Let’s cover two scenarios: one that blocks every basic auth protocol and one that allows them all.

#Create a Block Legacy Authentication Policy (no -AllowBasicAuth* switches, so every protocol is blocked)
New-AuthenticationPolicy -Name "Block Legacy Authentication"

#Create an Allow All Legacy Authentication Policy
New-AuthenticationPolicy -Name "Allow All Legacy Authentication" -AllowBasicAuthRpc -AllowBasicAuthPop -AllowBasicAuthSmtp -AllowBasicAuthMapi -AllowBasicAuthImap -AllowBasicAuthAutodiscover -AllowBasicAuthPowershell -AllowBasicAuthActiveSync -AllowBasicAuthOfflineAddressBook -AllowBasicAuthReportingWebServices -AllowBasicAuthOutlookService -AllowBasicAuthWebServices

#Set the authentication policy as the default authentication policy for your organization
Set-OrganizationConfig -DefaultAuthenticationPolicy 'Block Legacy Authentication'

#Set the authentication policy on a per user basis
Set-User jsnow -AuthenticationPolicy 'Block Legacy Authentication'

#Have the policy take effect within the next 30 minutes. By default it can take up to 24 hours.
Set-User -Identity jsnow -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)

Disable IMAP/POP/MAPI/SMTPAuth protocols per mailbox

Another alternative to the authentication policy is to disable the protocols for each individual mailbox. This can be done using the Set-CASMailbox command for each mailbox whose protocols you want to disable.

PS C:\> Get-CASMailbox blightyear

Name       ActiveSyncEnabled OWAEnabled PopEnabled ImapEnabled MapiEnabled SmtpClientAuthenticationDisabled
----       ----------------- ---------- ---------- ----------- ----------- --------------------------------
blightyear True              True       True       True        True


PS C:\> Set-CASMailbox blightyear -ActiveSyncEnabled: $false -PopEnabled: $false -ImapEnabled: $false -MAPIEnabled: $false
PS C:\>
PS C:\> Get-CASMailbox blightyear

Name       ActiveSyncEnabled OWAEnabled PopEnabled ImapEnabled MapiEnabled SmtpClientAuthenticationDisabled
----       ----------------- ---------- ---------- ----------- ----------- --------------------------------
blightyear False             True       False      False       False

Set CASMailbox Block Legacy Auth
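Putting the Exchange Online pieces together, here is an added example (not code from the original post) that assigns the authentication policy, forces the token refresh and disables the per-mailbox protocols for a list of users, including SMTP AUTH, which the Set-CASMailbox call above leaves enabled. It assumes the ExchangeOnlineManagement module is installed; the user identities are constructed samples.

```powershell
# Added example, not from the original post: for a list of users, assigns the
# "Block Legacy Authentication" policy created above, forces the refresh so it takes
# effect quickly, and disables the legacy protocols on the mailbox, including SMTP AUTH.
# Assumptions: ExchangeOnlineManagement module installed; $Users is a constructed sample.
Connect-ExchangeOnline

$PolicyName = "Block Legacy Authentication"
$Users      = @("jsnow", "blightyear")       # constructed sample identities
$Props      = @("Name", "ActiveSyncEnabled", "PopEnabled", "ImapEnabled", "MAPIEnabled",
                "SmtpClientAuthenticationDisabled")

# The policy must exist before it can be assigned.
if (-not (Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    throw "Authentication policy '$PolicyName' not found; create it with New-AuthenticationPolicy."
}

foreach ($u in $Users) {
    Write-Output "Before:"
    Get-CASMailbox -Identity $u | Select-Object $Props

    # 1. Per-user authentication policy, then the token refresh so it applies in ~30 minutes
    #    instead of up to 24 hours.
    Set-User -Identity $u -AuthenticationPolicy $PolicyName
    Set-User -Identity $u -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)

    # 2. Per-mailbox protocol switches. SmtpClientAuthenticationDisabled has the opposite
    #    sense of the *Enabled parameters: $true turns SMTP AUTH off for this mailbox.
    Set-CASMailbox -Identity $u -ActiveSyncEnabled $false -PopEnabled $false `
        -ImapEnabled $false -MAPIEnabled $false -SmtpClientAuthenticationDisabled $true

    Write-Output "After:"
    Get-CASMailbox -Identity $u | Select-Object $Props
    Get-User -Identity $u | Select-Object Name, AuthenticationPolicy
}
```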

Conclusion

That’s it. Now we know how to block legacy authentication using conditional access policies in Azure Active Directory. For more posts on conditional access or Azure AD in general, be sure to check out our gallery of Azure Active Directory.

Paul

Hi, my name is Paul and I am a Sysadmin who enjoys working on various technologies from Microsoft, VMWare, Cisco and many others. Join me as I document my trials and tribulations of the daily grind of System Administration.