Disable Legacy Authentication for Exchange Online
Overview
Legacy Authentication refers to older authentication protocols that rely on basic username and password authentication without support for modern security controls such as Multi-Factor Authentication (MFA) or Conditional Access.
In Exchange Online, legacy authentication commonly includes:
- POP3
- IMAP4
- SMTP AUTH (Basic)
- MAPI over HTTP (Basic)
- Exchange ActiveSync (Basic)
- Autodiscover (Basic)
Disabling legacy authentication is one of the most critical security hardening steps in Microsoft 365.
Why Disabling Legacy Authentication Is Important
Legacy authentication:
- Does not support MFA
- Cannot enforce Conditional Access
- Is vulnerable to password spray attacks
- Is commonly targeted by automated attack tools
If legacy authentication remains enabled:
- Password spray attacks can succeed
- MFA can be bypassed
- Account takeover risk increases
- Mailbox data can be exfiltrated
- Forwarding rules may be created silently
Is Legacy Authentication Enabled by Default?
In newer Microsoft 365 tenants, legacy authentication is generally disabled by default.
However:
- Older tenants may still have it enabled
- SMTP AUTH may remain enabled
- Conditional Access policies may not block legacy clients
- Service accounts may still rely on basic auth
Always verify configuration.
How to Check if Legacy Authentication Is Being Used
Method 1: Microsoft Entra Sign-in Logs
- Go to https://entra.microsoft.com
- Navigate to: Entra ID → Monitoring & Health → Sign-in logs
- Filter by: Client App → select "Legacy Authentication Clients" (this is the Legacy sign-in logs view)
Look for:
- IMAP
- POP
- SMTP
- MAPI
- Exchange ActiveSync
Method 2: Filter by Authentication Details
In Sign-in logs:
- Filter by Authentication Details → Basic authentication
- Filter by Client App → Exchange ActiveSync / IMAP / POP
Investigate:
- Frequent failures (possible password spray)
- Login attempts from unusual geographies
- Repeated access attempts against privileged accounts
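The three indicators above can be checked in bulk against an exported sign-in log instead of clicking through the portal. The script below is an added example, not part of the original article: it triages a sign-in export offline for legacy protocols, spray-like failure counts, unexpected countries and privileged accounts. Column names and ClientApp values follow the portal's CSV export but should be checked against your own export; the records, the privileged-account list and the expected countries are constructed assumptions.

```powershell
# Added example, not part of the original article: offline triage of an exported Entra sign-in log.
$legacyClientApps   = @('IMAP4', 'POP3', 'Authenticated SMTP', 'Exchange ActiveSync', 'MAPI Over HTTP', 'Other clients')
$privilegedAccounts = @('admin@contoso.example')   # assumption: your own list of privileged UPNs
$expectedCountries  = @('DE')                       # assumption: where your users normally sign in from
$failureThreshold   = 5                             # failures per user that look like a spray

# Constructed sample export (in practice: Import-Csv .\SignIns.csv)
$signIns = @'
CreatedDateTime,UserPrincipalName,ClientApp,Status,IPAddress,Country
2024-05-01T08:00:00Z,j.doe@contoso.example,IMAP4,Failure,203.0.113.10,US
2024-05-01T08:00:05Z,j.doe@contoso.example,IMAP4,Failure,203.0.113.10,US
2024-05-01T08:00:10Z,j.doe@contoso.example,IMAP4,Failure,203.0.113.10,US
2024-05-01T08:00:15Z,j.doe@contoso.example,IMAP4,Failure,203.0.113.10,US
2024-05-01T08:00:20Z,j.doe@contoso.example,IMAP4,Failure,203.0.113.10,US
2024-05-01T08:00:25Z,j.doe@contoso.example,IMAP4,Failure,203.0.113.10,US
2024-05-01T08:30:00Z,printer@contoso.example,Authenticated SMTP,Success,198.51.100.7,DE
2024-05-01T08:45:00Z,admin@contoso.example,Exchange ActiveSync,Failure,203.0.113.11,US
2024-05-01T09:00:00Z,a.lee@contoso.example,Browser,Success,198.51.100.8,DE
'@ | ConvertFrom-Csv

# Keep only legacy-protocol sign-ins; modern clients (Browser, mobile apps) are out of scope here
$legacy = $signIns | Where-Object { $legacyClientApps -contains $_.ClientApp }

# One row per user: how often legacy auth was attempted, how often it failed, from where
$report = $legacy | Group-Object UserPrincipalName | ForEach-Object {
    $failures  = @($_.Group | Where-Object { $_.Status -ne 'Success' })
    $countries = @($_.Group.Country | Sort-Object -Unique)
    [pscustomobject]@{
        User           = $_.Name
        LegacyAttempts = $_.Count
        Failures       = $failures.Count
        Protocols      = (@($_.Group.ClientApp | Sort-Object -Unique) -join ', ')
        Countries      = ($countries -join ', ')
        SprayLike      = ($failures.Count -ge $failureThreshold)
        UnusualGeo     = [bool]($countries | Where-Object { $expectedCountries -notcontains $_ })
        Privileged     = ($privilegedAccounts -contains $_.Name)
    }
}

# Flagged rows are investigation candidates; a Success on a legacy protocol from an
# unexpected country is the most urgent one.
$report | Sort-Object Failures -Descending | Format-Table -AutoSize
```

In the constructed data, j.doe is flagged as spray-like and from an unusual country, admin is flagged as a privileged account being probed, and the printer account shows up as a successful SMTP AUTH user: that last row is exactly the kind of service account to inventory before enforcement so it can be migrated or excluded deliberately rather than discovered after it breaks.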
How to Disable Legacy Authentication
Option 1: Block via Conditional Access (Recommended)
- Go to Microsoft Entra Admin Center
- Navigate to: ID Protection → Risk-based Conditional Access → Policies
- Click New policy
Configure:
- Assignment to: All users (exclude emergency break-glass accounts)
- Target resources: Include → select resources → select specific resources → Office 365 Exchange Online
- Conditions: Client apps → Legacy Authentication Clients
- Grant control: Block access
Enable the policy.
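The same policy can be created from Microsoft Graph PowerShell, which makes it repeatable across tenants and keeps the break-glass exclusion in code. The following is an added example, not from the original article: it builds the policy described in the steps above in report-only mode first, so blocked sign-ins can be reviewed before enforcement. It assumes the Microsoft.Graph.Identity.SignIns module is installed; the break-glass account object ID is a placeholder to replace, and the application ID used is the well-known Office 365 Exchange Online service principal ID.

```powershell
# Added example, not part of the original article: create the "block legacy auth" Conditional Access
# policy with Microsoft Graph PowerShell (requires the Microsoft.Graph.Identity.SignIns module).
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# Assumption / placeholder: object ID(s) of your emergency access (break-glass) accounts.
$breakGlassAccountIds = @('00000000-0000-0000-0000-000000000000')

# Well-known application ID of Office 365 Exchange Online (the target resource from the steps above)
$exchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'

$policy = @{
    displayName = 'Block legacy authentication - Exchange Online'
    # Report-only first: sign-ins are evaluated and logged but not blocked yet
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers = @('All')
            excludeUsers = $breakGlassAccountIds
        }
        applications = @{
            includeApplications = @($exchangeOnlineAppId)
        }
        # 'exchangeActiveSync' plus 'other' is what the portal labels "Legacy Authentication Clients"
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# After reviewing report-only results in the sign-in logs, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

Report-only mode is the safe default for the first deployment: the sign-in log shows every sign-in the policy would have blocked, which is the quickest way to find the service accounts and printers the "Common Administrative Failures" section warns about before anything actually stops working.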
Option 2: Disable SMTP AUTH
Check SMTP AUTH Status
```powershell
Get-CASMailbox -ResultSize Unlimited | Select Name,SmtpClientAuthenticationDisabled
```
Disable SMTP AUTH for a Specific Mailbox
```powershell
Set-CASMailbox -Identity user@domain.com -SmtpClientAuthenticationDisabled $true
```
Disable SMTP AUTH Tenant-Wide
```powershell
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
```
Option 3: Use Authentication Policies
Create Authentication Policy
```powershell
New-AuthenticationPolicy -Name "Block Basic Auth"
```
Disable Basic Authentication Protocols
```powershell
Set-AuthenticationPolicy -Identity "Block Basic Auth" `
-AllowBasicAuthImap $false `
-AllowBasicAuthPop $false `
-AllowBasicAuthSmtp $false `
-AllowBasicAuthMAPI $false `
-AllowBasicAuthActiveSync $false
```
Assign Policy to User
```powershell
Set-User -Identity user@domain.com -AuthenticationPolicy "Block Basic Auth"
```
Monitoring After Disabling
After blocking legacy authentication:
- Review Entra sign-in logs daily
- Monitor blocked attempts
- Investigate repeated login failures
- Confirm no business-critical system is affected
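Confirming that the configuration actually took effect is as important as watching the logs, because per-mailbox and per-user settings can quietly override the tenant-wide ones. The script below is an added example, not part of the original article: it audits the Exchange Online settings from Options 2 and 3 above and lists every place basic authentication is still permitted. It assumes the ExchangeOnlineManagement module is installed and that the account running it has the Exchange Online permissions to read these objects.

```powershell
# Added example, not part of the original article: audit where basic authentication is still allowed.
Connect-ExchangeOnline

# 1. Tenant-wide SMTP AUTH setting
$transport = Get-TransportConfig
"Tenant-wide SMTP AUTH disabled: $($transport.SmtpClientAuthenticationDisabled)"

# 2. Mailboxes that override the tenant setting.
#    Blank = inherit the tenant setting, $true = disabled, $false = SMTP AUTH explicitly enabled
#    for this mailbox even when it is disabled tenant-wide. Only the $false case is a finding.
$smtpOverrides = @(Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false })
"Mailboxes with SMTP AUTH explicitly enabled: $($smtpOverrides.Count)"
$smtpOverrides | Select-Object Name, Identity | Format-Table -AutoSize

# 3. Authentication policies and which basic-auth protocols each still allows ($true = allowed)
Get-AuthenticationPolicy |
    Select-Object Name, AllowBasicAuthImap, AllowBasicAuthPop, AllowBasicAuthSmtp,
                  AllowBasicAuthMAPI, AllowBasicAuthActiveSync, AllowBasicAuthAutodiscover |
    Format-Table -AutoSize

# 4. Tenant default policy, and users with no policy assigned (they fall back to that default;
#    if there is no default, nothing in Option 3 applies to them at all)
$default = (Get-OrganizationConfig).DefaultAuthenticationPolicy
"Default authentication policy: $(if ($default) { $default } else { '<none>' })"
$unassigned = @(Get-User -ResultSize Unlimited | Where-Object { -not $_.AuthenticationPolicy })
"Users without an explicit authentication policy: $($unassigned.Count)"
$unassigned | Select-Object Name, UserPrincipalName | Format-Table -AutoSize
```

The fourth check is the one most often missed: assigning a policy with Set-User only covers the users you name, so any account created later has no policy unless a tenant default is set (Set-OrganizationConfig -DefaultAuthenticationPolicy). Run the audit again after each onboarding wave rather than once at rollout.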
What Happens If You Do Not Disable It?
If legacy authentication remains enabled:
- Attackers can bypass MFA
- Password spray attacks remain effective
- Account takeover risk increases
- Data exfiltration may occur silently
Legacy authentication is one of the most common root causes of Microsoft 365 account compromise.
Common Administrative Failures
- Assuming it is disabled automatically
- Forgetting service accounts (printers, apps)
- No emergency access account exclusion
- Not monitoring logs after enforcement
- Not enforcing MFA alongside disabling legacy auth
Best Practices
- Block legacy authentication using Conditional Access
- Disable SMTP AUTH if not required
- Enforce MFA for all users
- Monitor sign-in logs regularly
- Maintain secure emergency access accounts
Frequently Asked Questions
Is legacy authentication disabled by default?
New tenants generally have it disabled; older ones may not.
Will disabling legacy authentication break applications?
It may impact POP/IMAP/SMTP-based apps. Test before enforcement.
How do attackers exploit legacy authentication?
Through password spray attacks that bypass MFA.
Is this an important security control?
Yes. It significantly reduces Microsoft 365 account takeover risk.