Microsoft first announced that they would disable legacy authentication in the Exchange Online Service 13th of October 2020. Due to the COVID-19 pandemic, they decided to postpone this to the second half of 2021
Let’s face it, it’s really about time to start blocking old authentication protocols that is almost used in every single Password Spray Attack and Credential Stuffing attack against the Office 365 plattform.
Allowing these basic authentication protocols will leave you organization wide-open for easy attacks that sooner or later will lead to compromised accounts.
That being said, many organizations are still relying on legacy authentication protocols mostly within the Exchange Online workload, using protocols like IMAP,MAPI Over HTTP,AutoDiscover,EWS.
Lets deep into it!
What is Legacy Authentication?
Legacy Authentication is basically older basic authentication protocols that does not support Multi-Factor authentication. Examples of protocols: MAP,POP,EWS,MAPI Over HTTP.
If you enforce basic MFA on all users, even if you implement Conditional Access without blocking and decommission legacy authentication it will be possible to bypass MFA and sign-in with basic username/password.
The complete list of all protocols that microsoft refers to as legacy authentication protocols:
- Authenticated SMTP – Used by POP and IMAP clients to send email messages.
- Autodiscover – Used by Outlook and EAS clients to find and connect to mailboxes in Exchange Online.
- Exchange ActiveSync (EAS) – Used to connect to mailboxes in Exchange Online.
- Exchange Online PowerShell – Used to connect to Exchange Online with remote PowerShell. If you block Basic authentication for Exchange Online PowerShell, you need to use the Exchange Online PowerShell Module to connect.
- Exchange Web Services (EWS) – A programming interface that’s used by Outlook, Outlook for Mac, and third-party apps.
- IMAP4 – Used by IMAP email clients.
- MAPI over HTTP (MAPI/HTTP) – Used by Outlook 2010 and later.
- Offline Address Book (OAB) – A copy of address list collections that are downloaded and used by Outlook.
- Outlook Anywhere (RPC over HTTP) – Used by Outlook 2016 and earlier.
- Outlook Service – Used by the Mail and Calendar app for Windows 10.
- POP3 – Used by POP email clients.
- Reporting Web Services – Used to retrieve report data in Exchange Online.
- Other clients – Other protocols identified as utilizing legacy authentication.
Make sure to enable Modern Authentication for Exchange Online
In all Office 365 tenants created before 2017-08-01, modern authentication is disabled by default. Therefore,it’s important that we make sure that its enabled in your Office 365 tenant before you start to decommission legacy authentication.
- Connect to Exchange Online through PowerShell
- Check the configuration through the following command
Get-OrganizationConfig | Format-Table Name,OAuth* -Auto
- If OAuth2ClientProfileEnabled returns as False, you need to enable Modern Authentication through the following command
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
Let’s review and analyze how much we are using Legacy authentication in our tenant!
To gain insights in how many end-users and systems that is still relying on legacy authentication, we will export some Azure-AD sign-in logs!
- Sign in to the Azure portal
- Open Azure Active Directory
- Go to Sign-ins
- Go to Date, and choose “last month”
- Add filters -> Client app
- Add all protocols under “Legacy Authentication Clients”
7. You should now see all sign-ins that have been using legacy authentication against all services within Office 365 the last month.
8. You can now download the .CSV report for further investigation.
Please be aware that a end-users session can last more than 30 days, and therefore is no guarantee that this data is showing all end-users who is relying on legacy authentication
Examples of Legacy Authentication Azure-AD Sign-in logs
Here is a couple of typical sign-in logs that I see often in our customers Office 365 environments and how to handle them
How to block Legacy Authentication through Conditional Access
To block legacy authentication in a controlled way, we will use Conditional Access to achieve this.
There are several other ways to disable legacy protocols, this is definitely the best way but it also requires you to have licenses for the Conditional Access functionality
- Create a security group, either in-cloud or on-prem synced through Azure AD Connect. In this case we will name the group to O365_Disable_Legacy_Authentication
- Sign-in to portal.azure.com and open the Azure Conditional Access blade
- Create a Conditional Access Policy with the following settings:
- Name: Block Access – Legacy Authentication/Unsupported Clients
- Users and groups
- Include: O365_Disable_Legacy_Authentication
- Exclude: Break the glass account
- Cloud Apps or Actions
- All Cloud Apps
- Client Apps
- Exchange ActiveSync clients
- Other clients
- Client Apps
- Access Control
- Block Access
- Block Access
This policy will make it easier to slow and steady start to block legacy authentication for batches of end-users. In some environments, you can block this for all users after investigating in the use of legacy authentication, but also in some cases you will need to do this step-by-step to make sure that the organization will not have too many users/systems and integrations with issues.