
How to block legacy authentication in Microsoft 365

Block legacy auth in Entra ID without breaking mail flow. Find what's still using SMTP/IMAP, enable security defaults or Conditional Access, and verify before you enforce.

Quick answer

Legacy authentication bypasses modern MFA and Conditional Access. Block it tenant-wide with a Conditional Access policy (or security defaults on smaller tenants), after reviewing sign-in logs for active SMTP, IMAP, POP, and older Office clients still using basic auth.

Why legacy auth is still a problem

Attackers love legacy authentication because it sidesteps the controls you thought you had. MFA registration looks great on a dashboard until SMTP AUTH still works with a stolen password.

Microsoft has been deprecating basic auth for years, yet many tenants still allow it for one old integration nobody wants to touch.

How to find what's still using legacy auth

  • Open Entra ID → Sign-in logs and filter by Client app and Authentication protocol
  • Look for Authenticated SMTP, IMAP4, POP3, Other clients, and Exchange ActiveSync from non-mobile clients
  • Export 30 days of sign-ins and group by application. The top offenders are usually scan-to-email, legacy LOB apps, and old PowerShell scripts
  • Check Conditional Access → Policies for anything still in report-only that was meant to block legacy clients

What good looks like

  • No successful sign-ins using legacy protocols in production workloads
  • A Conditional Access policy blocking legacy authentication for all users (with documented exceptions)
  • Scan-to-email and LOB apps migrated to OAuth, relay, or a supported connector
  • Break-glass accounts excluded via policy scoping, not by leaving legacy auth on for everyone

Step-by-step: block legacy auth safely

  1. Create the policy: In the Microsoft Entra admin center, browse to Entra ID → Conditional Access → Policies and create a new policy.
  2. Include users: Under Users or workload identities, include All users. Exclude emergency access accounts so a policy mistake does not lock out the tenant.
  3. Target legacy clients: Under Conditions → Client apps, set Configure to Yes, then select Exchange ActiveSync clients and Other clients.
  4. Block access: Under Access controls → Grant, select Block access.
  5. Start in report-only: Microsoft recommends enabling the policy in Report-only first so you can review impact before enforcement.
  6. Migrate dependencies: Fix or replace scan-to-email, IMAP/POP, SMTP AUTH, old Office clients, or scripts that still depend on legacy protocols.
  7. Enforce and verify: Move the policy to On, then re-check sign-in logs after 7 days for any successful legacy protocol activity.
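The policy from steps 1 to 5 and the verification from step 7, as an added Microsoft Graph PowerShell example that is not part of the original guide. It assumes the Microsoft.Graph modules are installed and that the two placeholder object IDs are replaced with your tenant's emergency access accounts.

```powershell
# Added example, not from the guide: create the legacy-auth block policy in
# report-only mode, then list successful legacy-protocol sign-ins from the
# last 7 days so the remaining dependencies can be migrated before enforcing.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'AuditLog.Read.All', 'Directory.Read.All'

# Placeholder object IDs of the emergency access (break-glass) accounts.
$breakGlass = @('00000000-0000-0000-0000-000000000001',
                '00000000-0000-0000-0000-000000000002')

$policy = @{
    displayName   = 'Block legacy authentication (report-only)'
    # Report-only first; change to 'enabled' once the sign-in review is clean.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        applications   = @{ includeApplications = @('All') }
        users          = @{ includeUsers = @('All'); excludeUsers = $breakGlass }
        # exchangeActiveSync + other = the two legacy client app types in CA.
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Client app values the guide names as legacy; these are the strings Entra
# writes into the sign-in log's clientAppUsed field.
$legacyApps = @('Authenticated SMTP', 'IMAP4', 'POP3',
                'Other clients', 'Exchange ActiveSync')
$clientFilter = ($legacyApps | ForEach-Object { "clientAppUsed eq '$_'" }) -join ' or '
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# Server-side filter: successful sign-ins (errorCode 0) over legacy protocols.
$legacySignIns = Get-MgAuditLogSignIn -All `
    -Filter "createdDateTime ge $since and status/errorCode eq 0 and ($clientFilter)"

# Group by application and protocol so each row maps to an owner to notify.
$legacySignIns |
    Group-Object AppDisplayName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Users'; e = {
        ($_.Group.UserPrincipalName | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

An empty table after seven days of the policy being On is the "no successful legacy sign-ins" state described under What good looks like; rerun the query rather than trusting MFA registration counts.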

Common mistakes

  • Blocking legacy auth before inventorying scan-to-email devices (mail stops silently)
  • Relying on MFA registration stats while legacy SMTP still works
  • Leaving report-only CA policies in place for months without switching to On

Tenant Hawk checks whether legacy authentication is still permitted in your tenant and includes it in your security score. Run a free read-only scan to see where you stand before you enforce.

Source references

Manual steps in this guide are based on current Microsoft Learn documentation.

Frequently asked questions

What is legacy authentication in Microsoft 365?
Legacy authentication covers protocols and clients such as SMTP AUTH, IMAP, POP, and older Office clients that send a username and password on every request instead of an OAuth token. Because the password alone is accepted, they bypass MFA and Conditional Access enforcement.
Will blocking legacy auth break my printers or scanners?
Some scan-to-email devices use SMTP AUTH. Inventory sign-in logs first, migrate devices to OAuth or relay through a connector, then block. Never flip the switch blind.
How do I check if legacy auth is still allowed?
Review Entra sign-in logs filtered by client app and authentication protocol. Tenant Hawk flags tenants where legacy authentication is still permitted and surfaces it in your security score.
Should I use security defaults or Conditional Access?
Security defaults work for smaller tenants without complex CA. Larger orgs should use a CA policy targeting all users and all cloud apps with legacy authentication client types set to block.
How long does it take to block legacy auth safely?
Plan one to two weeks: one week to inventory and notify app owners, one day to pilot the policy on a test group, then enforce tenant-wide.
Does blocking legacy auth help with cyber insurance?
Yes. Insurers and auditors routinely ask whether legacy protocols are disabled. It is one of the fastest high-impact controls you can prove.
