Phase out Legacy Authentication - Preface

In an Azure AD environment, legacy authentication is the Achilles heel of security.

While modern clients take into account conditional access policies and multifactor authentication, the use of legacy clients and associated protocols such as SMTP, IMAP or Exchange ActiveSync creates an often overlooked gap in this protection.

Because these protocols do not support Conditional Access, they “bypass” the protection unless a policy explicitly targets them. This is not a security hole on Microsoft's part but a design decision, so its impact on your own environment should be well understood.

The approach in six steps

This blog series presents an action guide for turning off legacy authentication, with tips from the field.

  1. Preface
  2. Enable Modern Authentication
  3. Create prerequisites
  4. Gain insights
  5. The first 90%
  6. The next 9%
  7. Endgame

As with any change to a central system such as Azure Active Directory, the changes should be carefully planned and tested. Therefore, implement these tips at your own risk.

Requirements for your environment

The prerequisites listed here are necessary for the achievement of the objectives.

Azure Active Directory Premium P1

For a gradual deactivation of legacy authentication, Conditional Access is the method of choice. Deactivation is also possible without Conditional Access, but it cannot be controlled as granularly. Conditional Access is included in the Azure Active Directory Premium P1 license and is therefore not available in every tenant by default.

Azure Subscription

An Azure subscription is required for long-term storage and more convenient evaluation of sign-in logs in a Log Analytics workspace.
Therefore, you should create a subscription now or get permissions on an existing subscription.
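To make the gap concrete before the series gets to the "Gain insights" step, here is an added example (not code from the original post) that takes sign-in records in the shape of the Azure AD SigninLogs table and separates successful legacy-protocol sign-ins, which are the ones that slip past Conditional Access, from modern-auth sign-ins and from failed legacy attempts. The sample records are constructed, and the set of legacy `clientAppUsed` values is my assumption based on the client app names Azure AD reports for legacy Exchange protocols and "Other clients"; verify it against the values that actually appear in your tenant's logs.

```python
from collections import Counter, defaultdict

# clientAppUsed values that indicate legacy (basic) authentication.
# Assumption: mirrors the names Azure AD reports for the legacy Exchange
# protocols and "Other clients"; verify against your own SigninLogs.
LEGACY_CLIENT_APPS = frozenset({
    "Exchange ActiveSync", "IMAP4", "POP3", "SMTP", "Authenticated SMTP",
    "MAPI Over HTTP", "Other clients", "Autodiscover",
    "Exchange Online PowerShell", "Exchange Web Services",
    "Offline Address Book", "Outlook Anywhere (RPC over HTTP)",
    "Outlook Service", "Reporting Web Services", "Universal Outlook",
})

# clientAppUsed values for clients that support modern authentication.
MODERN_CLIENT_APPS = frozenset({"Browser", "Mobile Apps and Desktop clients"})

# Constructed sample rows in the shape of the SigninLogs table (not real data).
SAMPLE_SIGNIN_LOGS = [
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser",
     "resultType": "0", "conditionalAccessStatus": "success"},
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "IMAP4",
     "resultType": "0", "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "Exchange ActiveSync",
     "resultType": "0", "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "bob@contoso.example",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "resultType": "0", "conditionalAccessStatus": "success"},
    {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "Authenticated SMTP",
     "resultType": "50126", "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "svc-scanner@contoso.example", "clientAppUsed": "Authenticated SMTP",
     "resultType": "0", "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "dave@contoso.example", "clientAppUsed": "Some New Client",
     "resultType": "0", "conditionalAccessStatus": "success"},
]


def classify(record):
    """Return 'legacy', 'modern' or 'unknown' for one sign-in record."""
    app = record.get("clientAppUsed", "")
    if app in LEGACY_CLIENT_APPS:
        return "legacy"
    if app in MODERN_CLIENT_APPS:
        return "modern"
    return "unknown"


def summarize_legacy_signins(records):
    """Aggregate legacy-auth usage per protocol and per user.

    Only successful legacy sign-ins (resultType "0") count as live
    dependencies. Failures are tallied separately: they are often
    password-spray noise, not a real client that still needs the protocol.
    Unknown clientAppUsed values are counted so the allow-list can be reviewed.
    """
    by_protocol = Counter()
    by_user = defaultdict(set)
    failed_legacy = unclassified = ca_not_applied = 0
    for rec in records:
        kind = classify(rec)
        if kind == "unknown":
            unclassified += 1
            continue
        if kind != "legacy":
            continue
        if rec.get("resultType") != "0":
            failed_legacy += 1
            continue
        proto = rec["clientAppUsed"]
        by_protocol[proto] += 1
        by_user[rec["userPrincipalName"]].add(proto)
        # A successful legacy sign-in that no policy evaluated is exactly the gap.
        if rec.get("conditionalAccessStatus") == "notApplied":
            ca_not_applied += 1
    return {
        "successful_legacy": sum(by_protocol.values()),
        "by_protocol": dict(by_protocol),
        "by_user": {user: sorted(protos) for user, protos in by_user.items()},
        "failed_legacy": failed_legacy,
        "unclassified": unclassified,
        "ca_not_applied": ca_not_applied,
    }


if __name__ == "__main__":
    summary = summarize_legacy_signins(SAMPLE_SIGNIN_LOGS)
    print(f"Successful legacy sign-ins: {summary['successful_legacy']} "
          f"({summary['ca_not_applied']} with Conditional Access not applied)")
    for proto, count in sorted(summary["by_protocol"].items()):
        print(f"  {proto}: {count}")
    for user, protos in sorted(summary["by_user"].items()):
        print(f"  {user}: {', '.join(protos)}")
```

The per-user list is what the later steps of the series need: it tells you which accounts (including service accounts such as the constructed scanner mailbox) still depend on a legacy protocol and therefore must be migrated or explicitly excluded before a blocking policy is enforced. Exported workspace data will carry more columns than the four used here, but the same four are enough for this classification.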

Let’s go

With this prior knowledge, we now go directly into implementation. Steps 1 to 3 have no direct impact on end users.

Step 2: Enable Modern Authentication