This topic seems talked to death nowadays. Almost everyone has come across the strong recommendation to disable legacy authentication in their Microsoft 365/Azure AD tenancy. If you haven’t done this yet then the clock is ticking down to the day Microsoft disable the functionality automatically – October 2020 for new tenants at the time of writing. 2021 for existing.
Something that I find is not as widespread as the recommendation to disable, is the reason behind disabling it. Other than stating it is ‘unsecure’ and vulnerable to password spray and brute force type attacks, there are not a whole lot of real world examples of the issues with legacy auth for Microsoft 365 readily available. A lot of the high level messaging relates to Modern Authentication allowing us to use Conditional Access and MFA but not many examples of why.
To understand, let’s take a typical Azure AD Conditional Access Policy which enforces Muti-Factor Authentication on all Android Devices:
The above policy should enforce MFA on Android devices connecting to our Office 365 service. Now when we log in as this user from an Android device and app/protocol that support Modern Authentication, we can see Conditional Access applies and our user is prompted for MFA.
We can check the Policy Details to see the Conditional Access criteria too.
Great, our user is protected by our Conditional Access policy, we’re secure….right? We can sleep soundly knowing we have the extra protection needed…
Well, now lets try sign in with a third party app using POP3 and Legacy Authentication.
Looks like our user got in without issue and Conditional Access checked the sign-in attempt successfully, however when we look at the details of the policy applied, we see a problem…
Our Conditional Access policy didn’t apply! Looking at the Conditional Access Policy Details we can see that the Device Platform condition wasn’t met.
When we look at the sign in logs we see why.
We don’t have any of the additional details we would generally see with a sign-in using Modern Authentication. As this detail is missing (In this case, Conditional Access is unaware we are coming from an Android device), our Conditional Access policy doesn’t know it should apply and the user bypasses our MFA requirement.
This is just one of many real world examples of where Legacy Authentication creates gaps in our security policy. By now, hopefully almost every tenancy is disabling or working to disable Legacy Authentication. As it stands Microsoft will enforce this change in the very near future so there is still time for anyone who hasn’t taken this step to prepare for that date.
Hopefully this post helps to put the associated risk into real world context. For information on how to disable Legacy Authentication, check out the Microsoft Documentation.