Phase out Legacy Authentication - Preface
In an Azure AD environment, legacy authentication is the Achilles' heel of security.
While modern clients honor Conditional Access policies and multifactor authentication, legacy clients and the protocols they use (basic authentication over SMTP, IMAP or Exchange ActiveSync, for example) create an often overlooked gap in this protection.
Because these protocols cannot perform multifactor authentication or other interactive controls, a Conditional Access policy that merely requires MFA does not stop them: they "bypass" the protection unless a policy explicitly targets legacy authentication clients. This is not a security hole on Microsoft's part but a design decision, and its impact on your own environment should therefore be well understood.
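The following is an added example, not code from the original post, showing what "explicitly targeting" legacy authentication looks like: a Conditional Access policy created with the Microsoft Graph PowerShell SDK that selects only the legacy client app types and blocks them, deployed in report-only state so that it evaluates sign-ins without affecting anyone yet. The break-glass group ID is a placeholder, and it assumes the Microsoft.Graph module is installed and the caller holds the Conditional Access administrator role.

```powershell
# Added example (not from the original post): report-only Conditional Access policy
# that explicitly targets legacy authentication clients via the Microsoft Graph
# PowerShell SDK. Report-only never blocks a sign-in, so it has no end-user impact.
# ASSUMPTIONS: Microsoft.Graph module installed; the group ID below is a placeholder
# for your own break-glass / exclusion group.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace

$policy = @{
    displayName = "Block legacy authentication (report-only)"
    # enabledForReportingButNotEnforced = report-only; change to "enabled" once
    # the sign-in log results have been reviewed.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # These are the two legacy client app types. The modern ones,
        # "browser" and "mobileAppsAndDesktopClients", are deliberately omitted,
        # which is exactly the "explicitly defined" scope the text refers to.
        clientAppTypes = @("exchangeActiveSync", "other")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Keep the policy in report-only until the sign-in logs show which accounts and applications it would have blocked; the "Report-only" result in the Conditional Access details of each sign-in is the check to look at before switching the state to enabled.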
The approach in six steps
This blog series presents an action guide for turning off legacy authentication, with tips from the field.
- Enable Modern Authentication
- Create prerequisites
- Gain insights
- The first 90%
- The next 9%
Requirements for your environment
The prerequisites listed here are necessary to reach the objectives of this series.
Azure Active Directory Premium P1
For a gradual deactivation of legacy authentication, Conditional Access is the method of choice. Deactivation is of course possible without Conditional Access as well (tenant-wide via Security Defaults, or per mailbox via Exchange Online authentication policies), but it cannot be controlled as granularly. Conditional Access is included in the Azure Active Directory Premium P1 license (and in the Microsoft 365 bundles that contain it) and is therefore not available in every tenant by default.
The Azure AD portal keeps sign-in logs for 30 days at most. An Azure subscription is required to stream them through diagnostic settings into a Log Analytics workspace, which gives you long-term storage and far more convenient evaluation with queries.
Therefore, you should create a subscription now or get permissions on an existing subscription.
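As an added example of the kind of evaluation the workspace makes possible (not code from the original post), the following PowerShell snippet runs a Kusto query against the SigninLogs table with the Az.OperationalInsights module and lists successful sign-ins that used anything other than a modern client. It assumes Azure AD diagnostic settings already export SignInLogs to the workspace, that Az.Accounts and Az.OperationalInsights are installed, and that the workspace ID placeholder is replaced.

```powershell
# Added example (not from the original post): find successful legacy-authentication
# sign-ins in the SigninLogs table of a Log Analytics workspace.
# ASSUMPTIONS: SignInLogs are already streamed to the workspace via Azure AD
# diagnostic settings; Az.Accounts and Az.OperationalInsights are installed;
# the workspace ID below is a placeholder.

Connect-AzAccount
$workspaceId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace

$kql = @"
SigninLogs
| where TimeGenerated > ago(30d)
| where ResultType == "0"                  // successful sign-ins only
// Everything that is not a browser or a modern app/desktop client is legacy
// (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, Other clients, ...)
| where ClientAppUsed !in ("Browser", "Mobile Apps and Desktop clients")
| summarize SignIns = count(), LastSeen = max(TimeGenerated)
    by UserPrincipalName, ClientAppUsed, AppDisplayName
| order by SignIns desc
"@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId `
            -Query $kql -Timespan ([TimeSpan]::FromDays(30))

# One row per user / legacy protocol / application: this is the list that has to
# shrink to zero before legacy authentication can be blocked without surprises.
$result.Results | Format-Table UserPrincipalName, ClientAppUsed, AppDisplayName, SignIns, LastSeen
```

Filtering by exclusion of the two modern client types rather than by an explicit list of legacy protocols means that any legacy protocol name the query author did not think of still shows up in the result.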
With this prior knowledge, we now go directly into implementation. Steps 1 to 3 have no direct impact on end users.
Step 2: Enable Modern Authentication