Sign Up

Enable Conditional Access policies to block legacy authentication

Microsoft 365 description: "Today, most compromising sign-in attempts come from legacy authentication. Older office clients such as Office 2010 don’t support modern authentication and use legacy protocols such as IMAP, SMTP, and POP3. Legacy authentication does not support multifactor authentication (MFA). Even if an MFA policy is configured in your environment, bad actors can bypass these enforcements through legacy protocols."

Microsoft 365 User Impact: "Users accessing apps that don't support modern authentication will no longer be able to access them with this policy enabled."

Legacy authentication is, essentially, older methods of authenticating to systems that lack modern security features like multi-factor authentication and token-based protocols, making them more susceptible to hackers. Transitioning to modern authentication methods enhances security by supporting advanced features and reducing these risks.

For example, one form of legacy authentication is basic authentication which sends the username and password in clear text. That means anyone and everyone in between the client and Microsoft 365 can see your username and password.

So, let's jump in and disable legacy authentication.

How to disable legacy authentication in Microsoft 365

You have a couple of ways to disable legacy authentication. First, enable MFA. Since legacy authentication isn't compatible with MFA, if you require MFA for all of your users then legacy authentication will automatically be disabled. The other option is creating a conditional access policy.

How to block legacy authentication using a conditional access policy

  1. Block legacy authentication using a conditional access policyOpen the Microsoft Entra Admin Center > Protection > Conditional access policy or click here.
  2. Click Create new policy.
  3. Set the name to Block Legacy Authentication.
  4. Set the users to be all users.
  5. Set the target resource to All Cloud apps.
  6. Set the conditions > Client apps to configure and uncheck Browser & Mobile apps and desktop clients.
  7. Set the controls under grant to Block.
  8. Enable the policy.
  9. Click Create.
Did you like the site?