Block Legacy Authentication using Conditional access policy

  • Post category:Solutions
  • Reading time:5 mins read

As mentioned in the title, we will discuss legacy authentication, what it is, why we should block legacy authentication, and how to do it. Let’s begin!

What is legacy authentication?

Legacy authentication protocols are the basic protocols used by old office client applications. These are authentication methods commonly used by mail protocols such as IMAP, SMTP, POP3, Autodicover etc. These protocols are mainly used by old office365 client applications such as Outlook 2010.
These protocols do not support or enforce Multi-factor authentication attackers, therefore, prefer these entry points to attack your organization.

The below protocols are considered legacy authentication protocols.

  • Authenticated SMTP
  • Exchange Online PowerShell
  • Exchange Web Services
  • IMAP
  • MAPI over HTTP
  • OAB (Offline Address Book)
  • Outlook Anywhere
  • Outlook Service
  • POP3
  • Reporting Web Services
  • Other clients

Why do we need to block legacy authentication?

  • 99% of password spray attacks happen using this protocol
  • The legacy protocols do not support MFA (Multifactor Authentication)
  • Microsoft always recommends blocking these protocols in tenants and enable modern authentication.
  • Credential stuffing attacks used legacy authentication in 97 percent of cases

Azure provides the following methods for blocking legacy authentication:

  • Using Security default: it is a free feature of Azure that helps in protecting your organization from various attacks on identity. Microsoft manages your organization’s security settings by providing pre-configured policies in your tenant. You just have to enable it in your tenant, for new tenants, it is enabled by default.

Security default provides below features :

  1. Requires MFA for all administrators
  2. Requires MFA registration for all users and performs MFA whenever necessary.
  3. Block legacy authentication protocols.

Pre-requisites:

  1. An Azure subscription.
  2. A P1 license to create Conditional access policy
  3. Enable Modern authentication in exchange
  4. One User ID in Azure AD to assign the policy and test it.

Let’s create a conditional access policy to block Legacy authentication protocols

  • Login to azure portal https://portal.azure.com
  • From All services blade search and open Azure Active directory.
  • On Azure Active directory blade under Manage click on security and then conditional access policy.

Block Legacy Authentication

  • On Conditional access policy please click on +New Policy
  • On +New Policy, blade give a name to your policy
  • Go to Assignments to select users and Groups for the policy.
  • Once the user blade opens Under include select users and group another tab will open there in search box give the user name and click on select and done

Conditional access policy

Be careful in the above step do not select all users if the policy goes wrong due to human error the whole tenant will be locked out, so just select one user or always exclude the Global administrator.

  • Once User assignment is done, go to cloud apps or actions and after clicking on it application tab will open, under include select All cloud apps

 

Exchange Online PowerShell

 

  • Now go to conditions, under conditions select Client apps and in Client apps tab click on yes in configure tab and checkmark the legacy authentication clients i.e other clients and exchange active sync clients, click on done

Exchange Web Services

  • Now, go to Grant control, select Block, click on select and then turn policy ON and click on Create.

(Follow the numbering)

conditional access

  • After validation policy will get created and you can see that in the same blade.

Block Legacy Authentication

Now it’s time to test the policy we will first login to a browser using test user ID and password and we should be able to login because the browser uses Modern authentication protocol.

Let’s go-to the browser

  • Go to any browser and try accessing office365 with the same test user ID which you selected in CA policy as shown below:

Conditional access policy,

  • You can see we are able to log in as the browser uses a modern authentication protocol

 Exchange Online PowerShell

We will see Azure AD sign-in logs also to have an in-depth understanding.

Go to Azure Active Directory and under Monitoring click on sign-ins and search for your user sign in click on one log and a description of the sign-in will open in that go to conditional access TAB and you will see that policy NOT applied.

Exchange Web Services

Click on the policy name to check what conditions are not met and the policy detail tab will open you can see that the client app is Browser and as stated earlier the browser uses modern authentication protocols and therefore user didn’t get blocked.

conditional access

Congratulations!! You have successfully created and tested a policy for blocking legacy protocols.

Please delete the policy after testing.

Conclusion:

With the steps outlined in this blog post, you should be able to block legacy authentication and use conditional access policies. If you’re not sure what these terms mean or want more information about how they work together then check out our other blogs here on ThinkCloudly that highlight cloud computing services like Azure Active Directory. We also offer a wide range of online courses for those who feel like their skills could do with an update!

Leave a Reply