disable legacy authentication Microsoft 365

Last Updated: March 2026

Legacy authentication is one of the most common attack vectors used against Microsoft 365 environments. Despite Microsoft’s push toward modern authentication, many organizations still have devices, applications, or scripts relying on outdated authentication protocols.

These older authentication methods—commonly referred to as Legacy Authentication or Basic Authentication—do not support modern security protections such as Multi-Factor Authentication (MFA) or Conditional Access policies. This makes them particularly attractive to attackers performing password spray attacks or credential stuffing attempts.

In many cases, organizations believe they have fully migrated to modern authentication, only to discover that older devices, scripts, or email clients are still authenticating using legacy protocols such as IMAP, POP, SMTP AUTH, or older Exchange protocols.

In this guide, you’ll learn:

  • How to identify devices and users still using legacy authentication
  • How to analyze Microsoft Entra sign-in logs
  • How to block legacy authentication safely using Conditional Access
  • Best practices for fully disabling legacy authentication in Microsoft 365

For security-focused IT professionals, removing legacy authentication is one of the most effective ways to immediately reduce identity-based attacks.


Quick Fix Summary

If you want to quickly secure your Microsoft 365 environment from legacy authentication risks:

  • Use Microsoft Entra sign-in logs to identify legacy authentication attempts.
  • Filter logs by Client App = Legacy Authentication Clients.
  • Create a Conditional Access policy to block legacy authentication.
  • Ensure all users and applications are using modern authentication protocols.
  • Monitor logs after enforcement to identify remaining legacy clients or scripts.

What Is Legacy Authentication in Microsoft 365?

Legacy authentication refers to older authentication methods that rely solely on username and password credentials.

Unlike modern authentication protocols, legacy authentication does not support MFA, device compliance checks, or Conditional Access policies.

Examples of legacy authentication protocols include:

  • POP3
  • IMAP
  • SMTP AUTH
  • Exchange ActiveSync (older implementations)
  • Exchange Web Services using basic auth
  • Office clients older than Office 2016
  • Older PowerShell scripts using basic authentication

Because these protocols rely only on static credentials, a single guessed or leaked password is enough to sign in, with no MFA or device check standing in the way.


Why Legacy Authentication Is a Security Risk

Attackers specifically target legacy authentication because it bypasses many modern security controls.

Common threats include:

Password Spray Attacks

Attackers attempt a single password across many accounts.

Legacy authentication endpoints are often targeted because they do not enforce MFA challenges.


Credential Stuffing

If credentials are leaked from another breach, attackers test them against Microsoft 365 services.

Legacy authentication allows these attempts to occur without triggering MFA prompts.


Hidden Authentication Attempts

Legacy authentication attempts are often harder to detect and may not generate obvious user alerts.

Security teams frequently discover thousands of failed login attempts targeting legacy protocols.


Step 1 – Identify Legacy Authentication in Microsoft Entra Sign-In Logs

The first step is identifying whether legacy authentication is still being used.

Navigate to Sign-In Logs

  1. Open the Microsoft Entra Admin Center
  2. Go to:
Identity → Monitoring → Sign-in Logs

Filter for Legacy Authentication

Use the Client App filter.

Select:

Legacy Authentication Clients

This will display authentication attempts using older protocols.


Review Key Log Fields

When analyzing these logs, pay attention to:

  • User account
  • Client application
  • IP address
  • Location
  • Application used
  • Success or failure status

Successful sign-ins using legacy authentication are particularly concerning.
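The same review can be scripted so that it covers every sign-in rather than one page of the portal at a time. The following Microsoft Graph PowerShell script is an added example, not part of the original guide; it assumes the Microsoft.Graph.Reports module is installed, that the caller has the AuditLog.Read.All and Directory.Read.All permissions, and that any client app value other than "Browser" or "Mobile Apps and Desktop clients" counts as legacy authentication (which is how the portal's "Legacy Authentication Clients" filter behaves).

```powershell
# Added example (not from the original article): list legacy-auth sign-ins from the
# last 30 days with Microsoft Graph PowerShell and group them by user, client and app.
# Assumes the Microsoft.Graph.Reports module is installed and the caller holds the
# AuditLog.Read.All and Directory.Read.All permissions.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

# Only these two client-app values use modern authentication; the portal's
# "Legacy Authentication Clients" filter is effectively everything else (assumption).
$modernClients = @('Browser', 'Mobile Apps and Desktop clients')

$since   = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since"

$legacy = $signIns | Where-Object { $_.ClientAppUsed -notin $modernClients }

# One row per (user, protocol, app). Successful sign-ins are the ones to chase first,
# so they are counted separately from the raw attempt count.
$legacy |
    Group-Object UserPrincipalName, ClientAppUsed, AppDisplayName |
    ForEach-Object {
        $newest = $_.Group | Sort-Object CreatedDateTime -Descending | Select-Object -First 1
        [pscustomobject]@{
            User      = $newest.UserPrincipalName
            ClientApp = $newest.ClientAppUsed
            App       = $newest.AppDisplayName
            Attempts  = $_.Count
            Successes = ($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
            LastIp    = $newest.IpAddress
            LastSeen  = $newest.CreatedDateTime
        }
    } |
    Sort-Object Successes, Attempts -Descending |
    Export-Csv -Path .\legacy-auth-signins.csv -NoTypeInformation
```

Rows with a non-zero Successes count are the devices, scripts and applications that Step 2 needs to track down; rows with many failed attempts from unfamiliar IP addresses are the password spray activity the later sections describe.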


Step 2 – Identify Which Devices or Applications Are Using Legacy Auth

Once you locate legacy authentication events, determine what systems are responsible.

Common sources include:

Older Email Clients

Examples include:

  • Outlook 2010
  • Outlook 2013
  • older mobile email apps

These clients often use basic authentication for Exchange services.


Multifunction Printers

Printers frequently authenticate using SMTP AUTH.

Many older printers cannot support modern authentication.


Scripts and Automation

PowerShell scripts or automation tools may still use:

Basic authentication with stored credentials

These scripts often run quietly in the background and go unnoticed.


Third-Party Applications

Older integrations with:

  • CRM systems
  • ticketing platforms
  • backup solutions

may still rely on legacy authentication methods.


Step 3 – Create a Conditional Access Policy to Block Legacy Authentication

Once you understand where legacy authentication is occurring, the safest way to disable it is through Conditional Access policies.

Create the Policy

  1. Go to:
Microsoft Entra Admin Center
→ Protection
→ Conditional Access
  2. Select:
New Policy

Configure the Policy

Recommended configuration:

Assignments

Users:

  • All users

Exclude:

  • emergency break-glass accounts

Cloud Apps

All cloud apps

Conditions

Client Apps:

Select → Legacy Authentication Clients

Access Controls

Grant:

Block Access

Enable the policy in Report-only mode first to verify impact.
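The same policy can be created from PowerShell, which is useful when it has to be repeated across several tenants. This is an added example, not part of the original guide; it assumes the Microsoft.Graph.Identity.SignIns module is installed, that the caller holds Policy.ReadWrite.ConditionalAccess and Policy.Read.All, and that the two break-glass object IDs are placeholders you replace with your own accounts.

```powershell
# Added example (not from the original article): create the "Block legacy
# authentication" Conditional Access policy in report-only mode via Microsoft Graph.
# Assumes Microsoft.Graph.Identity.SignIns is installed and the caller holds
# Policy.ReadWrite.ConditionalAccess and Policy.Read.All.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

# Placeholders: object IDs of the emergency accounts that must never be blocked.
$breakGlassIds = @('<break-glass-1-object-id>', '<break-glass-2-object-id>')

$policy = @{
    displayName   = 'Block legacy authentication'
    # Report-only first (Step 4); switch to 'enabled' only after review (Step 5).
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = $breakGlassIds }
        applications   = @{ includeApplications = @('All') }
        # 'exchangeActiveSync' plus 'other' is what the portal's
        # "Legacy Authentication Clients" selection maps to.
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Step 5: once report-only results show no legitimate dependencies, enforce it.
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = 'enabled' }
```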


Step 4 – Monitor Report-Only Mode

Before enforcing the policy, allow it to run in report-only mode.

This helps identify:

  • applications that will break
  • devices still using legacy protocols
  • scripts requiring modification

Monitor for several days or weeks depending on environment size.


Step 5 – Enforce the Policy

Once testing confirms there are no legitimate dependencies, switch the policy to:

Enable → On

This will block all legacy authentication attempts across the tenant.


Additional Security Tips

Maintain Emergency Break-Glass Accounts

Always keep at least two emergency accounts excluded from Conditional Access policies.

These accounts should:

  • use strong passwords
  • not require MFA
  • only be used during emergencies

Monitor Sign-In Logs Regularly

Even after disabling legacy authentication, attackers may still attempt to use legacy protocols.

Monitoring sign-in logs helps identify:

  • attack attempts
  • compromised accounts
  • suspicious IP addresses

Disable SMTP AUTH Where Possible

SMTP AUTH is one of the last remaining legacy protocols still widely used.

If not required, disable it globally or per mailbox.
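Exchange Online lets you set the tenant-wide default and then opt individual mailboxes back in, which is the pattern that keeps a single printer or relay mailbox working. The script below is an added example, not part of the original guide; it assumes the ExchangeOnlineManagement module, Exchange Administrator rights, and a hypothetical relay mailbox printer-alerts@contoso.com.

```powershell
# Added example (not from the original article): disable SMTP AUTH tenant-wide,
# re-enable it only for one named relay mailbox, and report any other mailbox that
# is still explicitly opted in. Assumes the ExchangeOnlineManagement module and an
# Exchange Administrator role; the mailbox address is a hypothetical placeholder.
Connect-ExchangeOnline -ShowBanner:$false

# Tenant default: no mailbox may use SMTP AUTH unless it is explicitly opted in.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# Per-mailbox override for the one device that genuinely cannot do modern auth.
Set-CASMailbox -Identity 'printer-alerts@contoso.com' -SmtpClientAuthenticationDisabled $false

# Audit: a per-mailbox value of $false explicitly allows SMTP AUTH; $null (blank)
# means "inherit the tenant default", which is now disabled. Anything listed here
# besides the relay mailbox is a leftover exception to review.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object PrimarySmtpAddress, SmtpClientAuthenticationDisabled
```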


Use Security Defaults or Conditional Access

Microsoft strongly recommends:

  • enabling Security Defaults, or
  • implementing Conditional Access policies

Both approaches help enforce modern authentication requirements.


Real-World Experience From Enterprise Environments

In many Microsoft 365 environments with 500–2000 users, security teams often discover unexpected legacy authentication usage.

Typical findings include:

  • old backup software authenticating with Exchange
  • legacy monitoring tools using IMAP
  • printers sending email alerts via SMTP AUTH
  • forgotten PowerShell automation scripts

Disabling legacy authentication often reveals technical debt that has existed for years.

However, once removed, organizations typically see an immediate drop in password spray attack attempts.

From a security standpoint, blocking legacy authentication is one of the highest impact identity protection measures available in Microsoft 365.


FAQ

What is legacy authentication in Microsoft 365?

Legacy authentication refers to older login protocols that rely only on username and password without supporting modern security features like MFA or Conditional Access.


Why is legacy authentication dangerous?

Legacy authentication allows attackers to attempt login attacks without triggering MFA challenges, making it easier to compromise accounts.


How can I find users using legacy authentication?

You can identify legacy authentication usage by filtering Microsoft Entra sign-in logs using the Client App = Legacy Authentication Clients filter.


Will disabling legacy authentication break applications?

It can break older email clients, scripts, printers, and third-party applications that rely on basic authentication. This is why testing using report-only Conditional Access policies is recommended.


Does Microsoft automatically disable legacy authentication?

Microsoft has deprecated many legacy authentication protocols, but some may still be enabled depending on tenant configuration or specific services like SMTP AUTH.


Conclusion

Legacy authentication remains one of the largest identity security weaknesses in Microsoft 365 environments. Because these protocols do not support MFA or modern security controls, attackers frequently target them when attempting to compromise accounts.

By identifying legacy authentication usage in Microsoft Entra sign-in logs, administrators can quickly locate outdated applications, devices, and scripts still relying on insecure authentication methods.

Once identified, organizations should implement Conditional Access policies to block legacy authentication, ensuring all users authenticate through modern, secure methods.

For most environments, disabling legacy authentication provides an immediate improvement to identity security and significantly reduces exposure to common attacks such as password spraying and credential stuffing.


This guide reflects the latest Microsoft Entra authentication and Microsoft 365 security practices.
