Why legacy auth is still a problem
Attackers love legacy authentication because it sidesteps the controls you thought you had. Basic-auth protocols carry only a username and password and cannot answer an MFA challenge, so MFA registration looks great on a dashboard until SMTP AUTH still accepts a stolen or password-sprayed credential.
Microsoft turned off Basic Authentication for most Exchange Online protocols in 2023, but SMTP AUTH was left as a per-tenant, per-mailbox setting, and many tenants still allow it for one old integration nobody wants to touch.
How to find what's still using legacy auth
- Open Entra ID → Sign-in logs and filter by Client app and Authentication protocol
- Look for Authenticated SMTP, IMAP4, POP3, Other clients, and Exchange ActiveSync from anything that is not a phone. Modern-auth clients show as Browser or Mobile Apps and Desktop clients, so a protocol name in the Client app column means basic auth. Filter Status to Success first: failed legacy attempts are usually password spray rather than a dependency you need to migrate (worth a separate look at the source IPs)
- Export 30 days of sign-ins and group by application (30 days is what a P1/P2 tenant retains; the free tier keeps 7, so stream the log to Log Analytics if you need a longer window). The top offenders are usually scan-to-email, legacy LOB apps, and old PowerShell scripts
- Check Conditional Access → Policies for anything still in report-only that was meant to block legacy clients
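The same inventory run from Microsoft Graph PowerShell, as an added example that is not code from the original page, so it can be repeated weekly and diffed. It assumes the Microsoft.Graph modules are installed, an account that can read sign-in logs and Conditional Access policies, and a P1/P2 tenant whose sign-in log covers 30 days; the client-app strings are the values the Entra sign-in log uses for basic-auth protocols.

```powershell
# Added example, not from the original page: inventory successful legacy-auth sign-ins
# over the last 30 days and list Conditional Access policies that target legacy clients
# but are still report-only. Requires Microsoft.Graph (Install-Module Microsoft.Graph).
# Assumptions: the sign-in log retains 30 days (Entra ID P1/P2; Free keeps 7), and the
# account running this can read sign-in logs and Conditional Access policies.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All", "Policy.Read.All" -NoWelcome

# "Client app" values the Entra sign-in log uses for basic-auth protocols. Modern-auth
# Outlook, Teams, etc. show as "Mobile Apps and Desktop clients", so any of these means
# legacy auth. "Other clients" is the catch-all for legacy Office, scripts and devices.
$legacyClientApps = @(
    "Authenticated SMTP", "IMAP4", "POP3", "Exchange ActiveSync",
    "Exchange Web Services", "MAPI Over HTTP", "Outlook Anywhere (RPC over HTTP)",
    "Offline Address Book", "Autodiscover", "Exchange Online PowerShell",
    "Reporting Web Services", "Other clients"
)

$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")

# One simple server-side filter per protocol (createdDateTime and clientAppUsed are both
# filterable); success vs. failure is split client-side so both can be reported.
$signIns = foreach ($clientApp in $legacyClientApps) {
    Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and clientAppUsed eq '$clientApp'"
}
$successes = @($signIns | Where-Object { $_.Status.ErrorCode -eq 0 })
$failures  = @($signIns | Where-Object { $_.Status.ErrorCode -ne 0 })

"Successful legacy-auth sign-ins since $since : $($successes.Count)"
"Failed legacy-auth attempts (often password spray, check the source IPs): $($failures.Count)"

# The top offenders: one row per application + protocol, with who and from where.
$successes |
    Group-Object AppDisplayName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'App';       e = { $_.Values[0] } },
        @{ n = 'ClientApp'; e = { $_.Values[1] } },
        @{ n = 'Users';     e = { ($_.Group.UserPrincipalName | Sort-Object -Unique) -join ', ' } },
        @{ n = 'SourceIPs'; e = { ($_.Group.IpAddress | Sort-Object -Unique | Select-Object -First 5) -join ', ' } } |
    Format-Table -AutoSize

# Full detail for the migration tracker (the user agent usually identifies the printer or script).
$successes |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, ClientAppUsed, IpAddress, UserAgent |
    Export-Csv -Path .\legacy-auth-signins.csv -NoTypeInformation

# Block policies that target legacy clients but are not enforced. A policy that has sat
# in enabledForReportingButNotEnforced for months protects nothing.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object {
        ($_.Conditions.ClientAppTypes -contains 'other' -or
         $_.Conditions.ClientAppTypes -contains 'exchangeActiveSync') -and
        $_.GrantControls.BuiltInControls -contains 'block'
    } |
    Select-Object DisplayName, State,
        @{ n = 'ClientAppTypes'; e = { $_.Conditions.ClientAppTypes -join ',' } },
        @{ n = 'ExcludedUsers';  e = { @($_.Conditions.Users.ExcludeUsers).Count } } |
    Format-Table -AutoSize
```

Run it before enforcement to build the migration list, and again after the policy is On: the first number should be zero and anything in the failures count after that point is attack traffic the policy is now absorbing.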
What good looks like
- No successful sign-ins using legacy protocols in production workloads
- A Conditional Access policy blocking legacy authentication for all users (with documented exceptions)
- Scan-to-email and LOB apps migrated to OAuth, relay, or a supported connector
- Break-glass accounts excluded via policy scoping, not by leaving legacy auth on for everyone
Step-by-step: block legacy auth safely
- Create the policy: In the Microsoft Entra admin center, browse to Entra ID → Conditional Access → Policies and create a new policy. If the tenant still runs Security Defaults, legacy authentication is already blocked, but Conditional Access policies cannot be created until Security Defaults is turned off.
- Include users: Under Users or workload identities, include All users. Exclude emergency access accounts so a policy mistake does not lock out the tenant.
- Target legacy clients: Under Conditions → Client apps, set Configure to Yes, then select Exchange ActiveSync clients and Other clients.
- Block access: Under Access controls → Grant, select Block access.
- Start in report-only: Microsoft recommends enabling the policy in Report-only first so you can review impact before enforcement.
- Migrate dependencies: Fix or replace scan-to-email, IMAP/POP, SMTP AUTH, old Office clients, or scripts that still depend on legacy protocols.
- Enforce and verify: Move the policy to On, then re-check sign-in logs after 7 days for any successful legacy protocol activity.
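The whole procedure scripted with Microsoft Graph PowerShell, as an added example rather than code from the original page: the policy is created in report-only with the break-glass accounts excluded, and a guarded function flips it to On later. It assumes the Microsoft.Graph modules, an account with Conditional Access Administrator rights, Security Defaults already off, and that the two UPNs are placeholders for your real emergency access accounts.

```powershell
# Added example, not from the original page: create the block-legacy-auth policy in
# report-only mode with emergency access accounts excluded, then a guarded function to
# flip it to On after the migration. Assumptions: Microsoft.Graph installed, an account
# with Conditional Access Administrator rights, Security Defaults already off (Conditional
# Access and Security Defaults cannot coexist), and that the two UPNs below are
# placeholders for your real break-glass accounts.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All", "User.Read.All" -NoWelcome

# Placeholder break-glass accounts. Resolve UPN -> object ID and refuse to continue if one
# is missing, because a block policy with no exclusions is how you lock yourself out.
$breakGlassUpns = @("emergency1@contoso.onmicrosoft.com", "emergency2@contoso.onmicrosoft.com")
$breakGlassIds = foreach ($upn in $breakGlassUpns) {
    $user = Get-MgUser -Filter "userPrincipalName eq '$upn'" -Property Id
    if (-not $user) { throw "Emergency access account $upn not found; not creating the policy" }
    $user.Id
}

# Mirrors the portal steps: All users, exclude break-glass, all cloud apps,
# client apps = Exchange ActiveSync clients + Other clients, grant = Block.
$policyBody = @{
    displayName = "Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"   # report-only first
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassIds) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody
"Created '$($policy.DisplayName)' ($($policy.Id)) in state $($policy.State)"

# Run this only after the migration is done and the sign-in log shows no successful
# legacy sign-ins you still depend on. It refuses to enforce a policy that is not
# currently report-only, does not block, or has no excluded accounts.
function Enable-LegacyAuthBlock {
    param([Parameter(Mandatory)][string]$PolicyId)
    $p = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId
    if ($p.State -ne "enabledForReportingButNotEnforced") {
        throw "Policy '$($p.DisplayName)' is '$($p.State)', expected report-only; not changing it"
    }
    if ($p.GrantControls.BuiltInControls -notcontains "block") {
        throw "Policy '$($p.DisplayName)' does not block access; wrong policy?"
    }
    if (-not $p.Conditions.Users.ExcludeUsers) {
        throw "Policy '$($p.DisplayName)' excludes no emergency access accounts; not enforcing"
    }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId -BodyParameter @{ state = "enabled" }
    "Policy '$($p.DisplayName)' is now On; re-check the sign-in log for legacy protocols after 7 days"
}

# After the report-only review and the dependency migration:
# Enable-LegacyAuthBlock -PolicyId $policy.Id
```

The policy ID printed at creation is what you pass to Enable-LegacyAuthBlock once the 7-day check described above comes back clean; the function deliberately patches only the state so the scoping and exclusions reviewed in report-only are exactly what gets enforced.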
Common mistakes
- Blocking legacy auth before inventorying scan-to-email devices (mail stops silently)
- Relying on MFA registration stats while legacy SMTP still works
- Leaving report-only CA policies in place for months without switching to On
Tenant Hawk checks whether legacy authentication is still permitted in your tenant and includes it in your security score. Run a free read-only scan to see where you stand before you enforce.