Since October 2019, Microsoft has enabled Security Defaults by default in new Microsoft 365 tenants.  Security Defaults are a group of best-practice security settings, and one of note is the disablement of all legacy authentication, which itself has been off in Exchange Online and SharePoint Online, by default, since August 2017.

The term legacy authentication doesn’t refer to one particular protocol, but rather any that do not support Multi-Factor Authentication (MFA).  Protocols that support MFA are described as modern authentication.  In the context of Microsoft 365 and Azure Active Directory, which handles Microsoft 365’s authentication, these are protocols such as ADAL and OAuth.

When you use modern authentication, your users authenticate interactively with a web dialogue that belongs to your identity provider (Azure AD), rather than a dialogue the OS (Windows) or application (Outlook, Thunderbird) itself owns.  This means the apps and services themselves are not trusted to handle credentials; your (hopefully) trusted authority like Azure AD deals with the credentials and issues a token.

Basic authentication for the protocols EWS, EAS, POP3, IMAP4, and Remote PowerShell was set to be disabled on 13 October 2020.  Of these, POP3, IMAP, and Remote PowerShell will all get OAuth support.  This has since been changed to the second half of 2021, but when it does happen, if the application attempting to authenticate does not support the modern authentication protocols, you will not be able to authenticate. Note that SMTP AUTH (basic authentication) is already affected: since 2019, new tenants have had it disabled, customers who didn’t use it had it disabled, and if you used it, it would be disabled at the tenant level but supported at the mailbox/user level.

The reasons Microsoft advocate against continued support of legacy authentication are that it does not support MFA (which is by far the simplest way of protecting your users from account breaches), and that it is far more susceptible to automated attacks such as password spraying.

You can use Azure Active Directory’s Sign-ins report to see basic authentication sign-ins against your tenant, to understand and prepare for the support changes.  The report can be exported to JSON or CSV too.
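As an added example (not from the original post), the following script reads a JSON export of the Sign-ins report and counts legacy sign-ins per user and protocol, separating successes (the users and apps that will break when basic authentication is switched off) from failures (worth checking for password spraying). It assumes the export carries the `clientAppUsed`, `userPrincipalName` and `status.errorCode` fields of the Azure AD sign-in record, and the sample export is constructed.

```python
import json
from collections import Counter

# clientAppUsed values the Azure AD Sign-ins report uses for legacy (basic) authentication.
# "Browser" and "Mobile Apps and Desktop clients" indicate modern authentication.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "AutoDiscover", "Exchange ActiveSync", "Exchange Online PowerShell",
    "Exchange Web Services", "IMAP4", "MAPI Over HTTP", "Offline Address Book",
    "Outlook Anywhere (RPC over HTTP)", "Outlook Service", "POP3", "Reporting Web Services",
    "SMTP", "Other clients",
}

# Constructed sample in the shape of a JSON export of the Sign-ins report; only the
# fields this script reads are present (a real export carries many more).
SAMPLE_EXPORT = json.dumps([
    {"createdDateTime": "2020-09-01T08:00:12Z", "userPrincipalName": "alice@contoso.example",
     "clientAppUsed": "Browser", "status": {"errorCode": 0}},
    {"createdDateTime": "2020-09-01T08:05:44Z", "userPrincipalName": "bob@contoso.example",
     "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
    {"createdDateTime": "2020-09-01T09:15:02Z", "userPrincipalName": "bob@contoso.example",
     "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
    {"createdDateTime": "2020-09-01T10:30:51Z", "userPrincipalName": "carol@contoso.example",
     "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 0}},
    {"createdDateTime": "2020-09-01T11:02:19Z", "userPrincipalName": "dave@contoso.example",
     "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 50126}},
])


def is_legacy(sign_in):
    """True when the sign-in used a protocol that cannot do MFA."""
    return sign_in.get("clientAppUsed") in LEGACY_CLIENT_APPS


def legacy_summary(export_text):
    """Count legacy sign-ins per (user, protocol), split into successful and failed."""
    successful, failed = Counter(), Counter()
    for sign_in in json.loads(export_text):
        if not is_legacy(sign_in):
            continue
        key = (sign_in["userPrincipalName"], sign_in["clientAppUsed"])
        # errorCode 0 is a successful sign-in; anything else is a failure
        if sign_in.get("status", {}).get("errorCode", 0) == 0:
            successful[key] += 1
        else:
            failed[key] += 1
    return {"successful": successful, "failed": failed}


if __name__ == "__main__":
    for outcome, counts in legacy_summary(SAMPLE_EXPORT).items():
        print(outcome, dict(counts))
```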

Additionally, in Outlook for Windows, you can view whether or not you are connected using legacy or modern authentication. In the Notification Area (beside the clock) on Windows, hold CTRL and right-click the Outlook sync icon, then select Connection Status.

In the General tab, there is a column called Authn.  If the value is Bearer*, you are using modern authentication.  If the value is Clear*, you are using basic authentication.  A common question is what happens to the user experience if you are currently only on classic authentication and change to modern?  If you enable modern authentication, you don’t need to rebuild the Outlook profile – the next connection will simply change to Bearer*.
