How to Disable Legacy Authentication in Microsoft 365


Understanding Legacy Authentication

Legacy authentication refers to older protocols that predate modern security standards.
These include POP3, IMAP4, SMTP AUTH, MAPI, Exchange ActiveSync, and Exchange Web Services (EWS).

Legacy protocols send usernames and passwords with every request, and they don’t support Multi-Factor Authentication (MFA). This makes them a major target for brute-force and password-spray attacks.

Why Disabling Legacy Authentication Is Important

  1. Security risks: Attackers can easily exploit accounts that allow basic authentication because these protocols don’t enforce MFA or Conditional Access policies.
  2. Compliance: Disabling legacy protocols helps meet regulatory requirements such as ISO 27001, NIST, and GDPR.
  3. Performance and visibility: Modern authentication offers better logging, monitoring, and session control through Entra ID (formerly Azure AD).
  4. Microsoft’s roadmap: Microsoft has deprecated legacy authentication for Exchange Online and other services—organizations that don’t disable it proactively risk future service disruptions.

How to Turn Off Legacy Authentication in Microsoft 365

There are three main methods to disable legacy authentication depending on your licensing and administrative access.


Method 1: Using the Microsoft 365 Admin Center

This method is the most direct and user-friendly way to disable legacy protocols across your tenant.

Steps:

  1. Sign in to the Microsoft 365 Admin Center:
    Go to admin.microsoft.com and sign in using a Global Administrator or Exchange Administrator account.
  2. Navigate to Modern Authentication settings:
    • Go to Settings → Org settings → Modern authentication.
  3. View available legacy protocols:
    You’ll see options for protocols such as:
    • Exchange ActiveSync
    • IMAP
    • POP
    • MAPI
    • EWS (Exchange Web Services)
    • SMTP AUTH
  4. Uncheck unnecessary protocols:
    • Deselect any protocols you no longer want users to use.
    • For most organizations, it’s safe to disable IMAP, POP, and SMTP AUTH.
    • Keep MAPI or EWS only if older Outlook clients still require them.
  5. Save your changes:
    • Click Save to apply the new settings.
    • The change may take up to 24 hours to propagate across Microsoft 365 services.

Best Practice Tip:

If your organization uses mobile devices that rely on Exchange ActiveSync, ensure those devices are updated to use the Outlook mobile app before disabling ActiveSync.


Method 2: Using Conditional Access Policies (Entra ID P1/P2 Required)

If your organization uses Microsoft Entra ID Premium P1 or P2, you can enforce blocking through Conditional Access (CA).
This method provides more flexibility, allowing you to block legacy authentication while exempting service accounts or specific groups during transition periods.

Steps:

  1. Sign in to the Entra Admin Center:
    Go to entra.microsoft.com and log in as a Global Administrator or Conditional Access Administrator.
  2. Create a new Conditional Access policy:
    • Go to Entra ID → Security → Conditional Access → Policies.
    • Click + New policy.
  3. Name your policy:
    For example: “Block Legacy Authentication – Tenantwide”
  4. Assign the policy to users:
    • Under Assignments → Users, select All users.
    • To avoid locking out critical services, exclude break-glass admin accounts or service accounts.
  5. Target cloud apps:
    • Under Assignments → Cloud apps or actions, select All cloud apps.
  6. Configure client app conditions:
    • Under Conditions → Client apps, click Configure → Yes.
    • Check Exchange ActiveSync clients and Other clients.
    • This targets all legacy protocols that rely on basic authentication.
  7. Set the access control:
    • Under Access controls → Grant, choose Block access.
  8. Test the policy:
    • Set the policy mode to Report-only and observe user sign-in logs for 2–3 days.
    • Once verified, toggle Enable policy: On.
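The same policy as code, added here as an example rather than taken from the article: it creates the tenant-wide block through Microsoft Graph PowerShell in Report-only mode and excludes a break-glass group. It assumes the Microsoft.Graph module is installed, that the signed-in admin holds the Policy.ReadWrite.ConditionalAccess scope, and the group object id is a placeholder you replace.

```powershell
# Added example (not from the original article): build the "Block Legacy Authentication"
# Conditional Access policy from Method 2 with Microsoft Graph PowerShell.
# Assumes Microsoft.Graph is installed; the group id below is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$breakGlassGroupId = "<break-glass-group-object-id>"   # placeholder: your break-glass / service-account group

$policy = @{
    displayName = "Block Legacy Authentication - Tenantwide"
    # Report-only first (step 8 above); change to "enabled" after reviewing sign-in logs
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)       # never lock out emergency access
        }
        applications = @{
            includeApplications = @("All")              # "All cloud apps" (step 5)
        }
        # "Exchange ActiveSync clients" + "Other clients" = every basic-auth client (step 6)
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")                    # "Block access" (step 7)
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```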

Verification:

  • Go to Entra ID → Monitoring → Sign-in logs.
  • Filter by Client App to identify sign-ins using legacy authentication.
  • This helps you confirm whether any remaining clients still rely on basic auth.

Advantages of Using Conditional Access:

  • Fine-grained control: apply the policy to specific users or groups.
  • Visibility: detailed reporting and simulation mode (Report-only).
  • Integration: works with sign-in risk policies, MFA, and device compliance.

Method 3: Using Exchange Online PowerShell

For advanced administrators or automation, PowerShell allows you to bulk disable legacy protocols for all mailboxes or specific users.

Steps:

  1. Connect to Exchange Online:
    Connect-ExchangeOnline -UserPrincipalName admin@fabrikam.com
  2. Disable legacy protocols for all users (add -ResultSize Unlimited, because Get-CASMailbox returns only the first 1,000 mailboxes by default):
    Get-CASMailbox -ResultSize Unlimited | Set-CASMailbox -ImapEnabled $false -PopEnabled $false -ActiveSyncEnabled $false -MAPIEnabled $false -SmtpClientAuthenticationDisabled $true
  3. Disable for a specific user (optional):
    Set-CASMailbox -Identity "user@fabrikam.com" -ImapEnabled $false -PopEnabled $false -ActiveSyncEnabled $false -MAPIEnabled $false -SmtpClientAuthenticationDisabled $true
  4. Confirm protocol status:
    Get-CASMailbox -ResultSize Unlimited | Select-Object Name, ImapEnabled, PopEnabled, ActiveSyncEnabled, MAPIEnabled, SmtpClientAuthenticationDisabled
  5. Log out of the session:
    Disconnect-ExchangeOnline -Confirm:$false
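Before running the bulk Set-CASMailbox command, a practitioner wants a backup of the current per-mailbox settings and a list of which mailboxes still allow a legacy protocol; the script below does both and is an added example, not the article's own code. It assumes an open Exchange Online session and uses a placeholder CSV path.

```powershell
# Added example (not from the original article): export every mailbox's protocol settings
# to CSV (the "Back up settings" best practice) and report mailboxes that still allow a
# legacy protocol. Assumes Connect-ExchangeOnline has already been run; path is a placeholder.
$backupPath = "C:\Temp\CASMailbox-backup.csv"   # placeholder: choose your own location

# -ResultSize Unlimited: Get-CASMailbox returns only 1,000 mailboxes by default
$cas = Get-CASMailbox -ResultSize Unlimited |
    Select-Object Name, PrimarySmtpAddress, ImapEnabled, PopEnabled, ActiveSyncEnabled,
                  MAPIEnabled, EwsEnabled, SmtpClientAuthenticationDisabled

# Backup first so Set-CASMailbox changes can be reverted per mailbox
$cas | Export-Csv -Path $backupPath -NoTypeInformation

# SmtpClientAuthenticationDisabled has the opposite sense from the *Enabled flags, and
# $null means "inherit the org-wide setting", so only an explicit $true counts as off.
# Note: MAPIEnabled $false also blocks current Outlook desktop clients, not only old ones.
$exposed = $cas | Where-Object {
    $_.ImapEnabled -or $_.PopEnabled -or $_.ActiveSyncEnabled -or $_.MAPIEnabled -or
    ($_.SmtpClientAuthenticationDisabled -ne $true)
}

"$($cas.Count) mailboxes backed up to $backupPath; $($exposed.Count) still allow a legacy protocol"
$exposed | Format-Table Name, ImapEnabled, PopEnabled, ActiveSyncEnabled, MAPIEnabled,
                        SmtpClientAuthenticationDisabled -AutoSize
```

Re-run the script after the bulk change; an empty exposed list confirms step 4 above for the whole tenant rather than for the first 1,000 mailboxes.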

Notes:

  • The PowerShell method is ideal for bulk actions or when managing hybrid environments.
  • Always test with a small user group first to prevent accidental service disruption.

Monitoring and Validation

Once you’ve implemented one or more of these methods, monitor authentication behavior to ensure everything functions correctly.

1. Sign-in Logs (Microsoft Entra Admin Center)

  • Navigate to Entra ID → Monitoring & health → Sign-in logs.
  • Use the Client app filter to identify users still connecting through POP, IMAP, or ActiveSync.
  • Review for 1–2 weeks before fully enforcing the block.

2. Workbook: “Sign-ins using Legacy Authentication”

  • In Entra ID, go to Workbooks → Sign-ins using legacy authentication.
  • This provides visual insights and trends across your tenant.

3. Message Center Notifications

  • Microsoft regularly sends updates about basic auth deprecation.
  • Check Message Center in the Microsoft 365 Admin Center for any tenant-specific notices.

Best Practices

  • Phase the rollout: Disable legacy protocols gradually to reduce user disruption.
  • Educate users: Notify users that older email clients (like Outlook 2010 or Android Mail) may stop working.
  • Adopt Outlook Mobile: Replace legacy ActiveSync clients with Outlook for iOS/Android, which supports modern authentication.
  • Review service accounts: Replace legacy SMTP AUTH or app passwords with modern alternatives such as OAuth 2.0 or Graph API.
  • Back up settings: Export mailbox configuration before bulk applying PowerShell changes.

Summary

  Objective                                       | Solution                       | Method
  ------------------------------------------------|--------------------------------|---------------------------
  Verify domain and disable weak authentication   | Use Microsoft 365 Admin Center | Basic setup
  Block legacy clients with fine-grained control  | Use Conditional Access         | Enterprise-level control
  Disable protocols via automation                | Use PowerShell                 | Script-based configuration

Disabling legacy authentication helps secure your Microsoft 365 environment by enforcing modern authentication, which supports MFA, Conditional Access, and token-based authentication.

This simple but critical step significantly reduces your organization’s exposure to credential attacks and ensures alignment with Microsoft’s Zero Trust security model.


Reference:
Microsoft Learn – Deprecation of Basic Authentication in Exchange Online