articles/active-directory/conditional-access/block-legacy-authentication.md
34 additions & 10 deletions
@@ -4,7 +4,7 @@ description: Learn how to improve your security posture by blocking legacy authe
4
4
ms.service: active-directory
5
5
ms.subservice: conditional-access
6
6
ms.topic: how-to
7
-
ms.date: 02/14/2022
7
+
ms.date: 06/21/2022
8
8
ms.author: joflore
9
9
author: MicrosoftGuyJFlo
10
10
manager: karenhoran
@@ -22,7 +22,7 @@ Alex Weinert, Director of Identity Security at Microsoft, in his March 12, 2020
22
22
23
23
> For MFA to be effective, you also need to block legacy authentication. This is because legacy authentication protocols like POP, SMTP, IMAP, and MAPI can't enforce MFA, making them preferred entry points for adversaries attacking your organization...
24
24
>
25
-
>...The numbers on legacy authentication from an analysis of Azure Active Directory (Azure AD) traffic are stark:
25
+
>...The numbers on legacy authentication from an analysis of Azure Active Directory (Azure AD) traffic are stark:
26
26
>
27
27
> - More than 99 percent of password spray attacks use legacy authentication protocols
28
28
> - More than 97 percent of credential stuffing attacks use legacy authentication
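Review bot: the removed line 25 and the added line 25 ("...The numbers on legacy authentication from an analysis of Azure Active Directory (Azure AD) traffic are stark:") are textually identical in the rendered diff, so this looks like a whitespace-only change (most likely trailing whitespace inside the blockquote). Confirm that is intentional rather than an accidental edit, and consider leaving the quoted text out of the change set so the diff stays focused on the content edits that follow.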
@@ -44,7 +44,7 @@ This article assumes that you're familiar with the [basic concepts](overview.md)
44
44
45
45
## Scenario description
46
46
47
-
Azure AD supports several of the most widely used authentication and authorization protocols including legacy authentication. Legacy authentication refers to basic authentication, a widely used industry-standard method for collecting user name and password information. Typically, legacy authentication clients can't enforce any type of second factor authentication. Examples of applications that commonly or only use legacy authentication are:
47
+
Azure AD supports the most widely used authentication and authorization protocols including legacy authentication. Legacy authentication can't prompt users for second factor authentication or other authentication requirements needed to satisfy conditional access policies, directly. This authentication pattern includes basic authentication, a widely used industry-standard method for collecting user name and password information. Examples of applications that commonly or only use legacy authentication are:
48
48
49
49
- Microsoft Office 2013 or older.
50
50
- Apps using mail protocols like POP, IMAP, and SMTP AUTH.
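Review bot: the new sentence on line 47, "Legacy authentication can't prompt users for second factor authentication or other authentication requirements needed to satisfy conditional access policies, directly.", parks "directly" at the end where it reads as an afterthought, and it lowercases "conditional access" while the rest of the article writes "Conditional Access". Suggest: "Legacy authentication can't directly prompt users for second-factor authentication or for other authentication requirements that Conditional Access policies need." The substantive change, explaining why these clients fail Conditional Access rather than just that they collect a user name and password, is a good improvement over the old wording.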
@@ -55,11 +55,9 @@ Single factor authentication (for example, username and password) isn't enough t
55
55
56
56
How can you prevent apps using legacy authentication from accessing your tenant's resources? The recommendation is to just block them with a Conditional Access policy. If necessary, you allow only certain users and specific network locations to use apps that are based on legacy authentication.
57
57
58
-
Conditional Access policies are enforced after the first-factor authentication has been completed. Therefore, Conditional Access isn't intended as a first line defense for scenarios like denial-of-service (DoS) attacks, but can utilize signals from these events (for example, the sign-in risk level, location of the request, and so on) to determine access.
59
-
60
58
## Implementation
61
59
62
-
This section explains how to configure a Conditional Access policy to block legacy authentication.
60
+
This section explains how to configure a Conditional Access policy to block legacy authentication.
63
61
64
62
### Messaging protocols that support legacy authentication
65
63
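Review bot: deleting lines 58-59 drops a security-relevant caveat with no replacement: "Conditional Access policies are enforced after the first-factor authentication has been completed. Therefore, Conditional Access isn't intended as a first line defense for scenarios like denial-of-service (DoS) attacks...". That sentence is what tells a reader that a block-legacy-authentication policy stops these sign-ins from succeeding but does not stop the credential attempts themselves from reaching the tenant, which matters when they interpret the password spray and credential stuffing figures quoted earlier in the article. Suggest keeping it, or moving it into the new "Important considerations" section this change introduces. Separately, the removed and added line 62/60 ("This section explains how to configure a Conditional Access policy to block legacy authentication.") are identical in the rendered diff, so that part is a whitespace-only change.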
@@ -83,7 +81,9 @@ For more information about these authentication protocols and services, see [Sig
83
81
84
82
### Identify legacy authentication use
85
83
86
-
Before you can block legacy authentication in your directory, you need to first understand if your users have apps that use legacy authentication and how it affects your overall directory. Azure AD sign-in logs can be used to understand if you're using legacy authentication.
84
+
Before you can block legacy authentication in your directory, you need to first understand if your users have clients that use legacy authentication. Below, you'll find useful information to identify and triage where clients are using legacy authentication.
85
+
86
+
#### Indicators from Azure AD
87
87
88
88
1. Navigate to the **Azure portal** > **Azure Active Directory** > **Sign-in logs**.
89
89
1. Add the Client App column if it isn't shown by clicking on **Columns** > **Client App**.
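Review bot: lines 85 and 86 add two consecutive blank lines ahead of the new "#### Indicators from Azure AD" heading; one blank line is enough in Markdown and matches the spacing used elsewhere in the file. The reworded lead-in on line 84 is fine, though "Below, you'll find useful information to identify and triage where clients are using legacy authentication." could simply read "The following sections help you identify and triage clients that use legacy authentication."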
@@ -92,9 +92,33 @@ Before you can block legacy authentication in your directory, you need to first
92
92
93
93
Filtering will only show you sign-in attempts that were made by legacy authentication protocols. Clicking on each individual sign-in attempt will show you more details. The **Client App** field under the **Basic Info** tab will indicate which legacy authentication protocol was used.
94
94
95
-
These logs will indicate which users are still depending on legacy authentication and which applications are using legacy protocols to make authentication requests. For users that don't appear in these logs and are confirmed to not be using legacy authentication, implement a Conditional Access policy for these users only.
95
+
These logs will indicate where users are using clients that are still depending on legacy authentication. For users that don't appear in these logs and are confirmed to not be using legacy authentication, implement a Conditional Access policy for these users only.
96
+
97
+
Additionally, to help triage legacy authentication within your tenant use the [Sign-ins using legacy authentication workbook](../reports-monitoring/workbook-legacy%20authentication.md).
98
+
99
+
#### Indicators from client
100
+
101
+
To determine if a client is using legacy or modern authentication based on the dialog box presented at sign-in, see the article [Deprecation of Basic authentication in Exchange Online](/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online#authentication-dialog).
102
+
103
+
## Important considerations
104
+
105
+
Many clients that previously only supported legacy authentication now support modern authentication. Clients that support both legacy and modern authentication may require configuration update to move from legacy to modern authentication. If you see **modern mobile**, **desktop client** or **browser** for a client in the Azure AD logs, it's using modern authentication. If it has a specific client or protocol name, such as **Exchange ActiveSync**, it's using legacy authentication. The client types in Conditional Access, Azure AD Sign-in logs, and the legacy authentication workbook distinguish between modern and legacy authentication clients for you.
106
+
107
+
- Clients that support modern authentication but aren't configured to use modern authentication should be updated or reconfigured to use modern authentication.
108
+
- All clients that don't support modern authentication should be replaced.
109
+
110
+
> [!IMPORTANT]
111
+
>
112
+
> **Exchange Active Sync with Certificate-based authentication(CBA)**
113
+
>
114
+
> When implementing Exchange Active Sync (EAS) with CBA, configure clients to use modern authentication. Clients not using modern authentication for EAS with CBA **are not blocked** with [Deprecation of Basic authentication in Exchange Online](/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online). However, these clients **are blocked** by Conditional Access policies configured to block legacy authentication.
115
+
>
116
+
>For more Information on implementing support for CBA with Azure AD and modern authentication See: [How to configure Azure AD certificate-based authentication (Preview)](../authentication/how-to-certificate-based-authentication.md). As another option, CBA performed at a federation server can be used with modern authentication.
117
+
118
+
119
+
If you're using Microsoft Intune, you might be able to change the authentication type using the email profile you push or deploy to your devices. If you're using iOS devices (iPhones and iPads), you should take a look at [Add e-mail settings for iOS and iPadOS devices in Microsoft Intune](/mem/intune/configuration/email-settings-ios).
96
120
97
-
## Block legacy authentication
121
+
## Block legacy authentication
98
122
99
123
There are two ways to use Conditional Access policies to block legacy authentication.
100
124
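Review bot: the "[!IMPORTANT]" callout on lines 110-116 is the key operational point of this change (EAS clients using CBA without modern authentication are not blocked by the Exchange Online Basic authentication deprecation but are blocked by a Conditional Access policy that blocks legacy authentication), so it should say plainly that those clients must be moved to modern authentication before the policy is enforced, and it could point at the report-only mode link the article already carries under next steps so admins can measure the impact first. A few corrections in the same hunk: "Exchange Active Sync" (lines 112 and 114) should be "Exchange ActiveSync", which is how line 105 already spells it; "Certificate-based authentication(CBA)" needs a space before the parenthesis; "For more Information ... See:" on line 116 should be "For more information ... see"; "may require configuration update" on line 105 should be "may require a configuration update"; and the heading "#### Indicators from client" reads better as "#### Indicators from the client". Also check that the link target "workbook-legacy%20authentication.md" on line 97 resolves, since an encoded space in a docs file name is unusual. Lines 100-101, 102-103, 108-109 and 117-119 again add pairs of blank lines where one would do, and the removed/added "## Block legacy authentication" heading is a whitespace-only change.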
@@ -128,4 +152,4 @@ You can select all available grant controls for the **Other clients** condition;
128
152
-[Determine impact using Conditional Access report-only mode](howto-conditional-access-insights-reporting.md)
129
153
- If you aren't familiar with configuring Conditional Access policies yet, see [require MFA for specific apps with Azure Active Directory Conditional Access](../authentication/tutorial-enable-azure-mfa.md) for an example.
130
154
- For more information about modern authentication support, see [How modern authentication works for Office client apps](/office365/enterprise/modern-auth-for-office-2013-and-2016)
131
-
-[How to set up a multifunction device or application to send email using Microsoft 365](/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365-or-office-365)
155
+
-[How to set up a multifunction device or application to send email using Microsoft 365](/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365-or-office-365)
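Review bot: the removed line 131 and the added line 155 ("-[How to set up a multifunction device or application to send email using Microsoft 365](...)") are identical in the rendered diff, so this is a whitespace-only change. While touching this list, note that the bullets are inconsistent in the visible context: lines 128 and 131 render as "-[" with no space after the hyphen, whereas lines 129 and 130 use "- ", so the first and last items may not render as list items at all; normalising all four to "- " would be a worthwhile fix in the same change.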