Legacy Authentication in Microsoft 365: Mostly Dead—But Still a Risk
- Kyle Cira

- 3 days ago
- 2 min read

For years, legacy authentication was one of the easiest ways for attackers to bypass security controls in Microsoft 365.
Even in environments with Multi-Factor Authentication (MFA) enabled, legacy protocols allowed attackers to authenticate using only a stolen username and password—no second factor required.
The result? Attackers could quietly read mailboxes, pull out data, and use what they found to plan their next move.
What Was the Risk?
Legacy authentication protocols (Basic authentication, as used by older POP, IMAP, SMTP, EWS and ActiveSync clients) send only a username and password and have no way to prompt for a second factor, so MFA and other modern controls never get a chance to act.
That meant:
A compromised password could grant immediate access
MFA protections could be completely bypassed
Attackers could exfiltrate mailbox data with little resistance
This made legacy authentication a primary attack vector for credential-based breaches.
Where Things Stand Today
Microsoft has taken major steps to reduce this risk.
Starting October 1, 2022, Microsoft began disabling Basic authentication in Exchange Online across Microsoft 365 tenants (for POP, IMAP, EWS, MAPI, ActiveSync, Remote PowerShell and related protocols), and by early 2023 it was permanently disabled.
However: SMTP AUTH was deliberately left out of that retirement, and it remains enabled by default in many environments.
And that is where risk still exists: any account with SMTP AUTH enabled can still sign in to Exchange Online with nothing more than a password unless Conditional Access stops it.
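The quickest way to see whether this applies to your tenant is to read the tenant-level and per-mailbox SMTP AUTH settings and, if you have Entra sign-in logs, check who has actually used SMTP AUTH recently. The script below is an added example, not code from the original post; it assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules, an Exchange administrator role, the AuditLog.Read.All and Directory.Read.All Graph scopes, and an Entra ID P1/P2 licence for the sign-in log query. It only reads configuration and logs.

```powershell
# Added example, not from the original post. Read-only audit of SMTP AUTH
# exposure. Requires the ExchangeOnlineManagement module with an Exchange
# administrator role, and (for the sign-in check) the Microsoft.Graph module
# with AuditLog.Read.All and Directory.Read.All plus an Entra ID P1/P2 licence.
Connect-ExchangeOnline

# Tenant-wide switch. $false, Microsoft's default, leaves SMTP AUTH on for every
# mailbox that does not override it; $true turns it off tenant-wide.
$org = Get-TransportConfig
"Tenant-level SmtpClientAuthenticationDisabled: $($org.SmtpClientAuthenticationDisabled)"

# Per-mailbox override. A blank ($null) value means the mailbox inherits the tenant setting.
$mailboxes = Get-CASMailbox -ResultSize Unlimited

$effective = foreach ($m in $mailboxes) {
    $override = $m.SmtpClientAuthenticationDisabled
    if ($null -eq $override) {
        $disabled = $org.SmtpClientAuthenticationDisabled
        $source   = 'tenant default'
    } else {
        $disabled = $override
        $source   = 'mailbox override'
    }
    [pscustomobject]@{
        Mailbox         = $m.PrimarySmtpAddress
        SmtpAuthEnabled = -not $disabled
        Source          = $source
    }
}

# Every row here can still log in to smtp.office365.com with only a password,
# subject to whatever Conditional Access allows.
$effective | Where-Object SmtpAuthEnabled | Sort-Object Source, Mailbox | Format-Table -AutoSize

# Cross-check against what is actually being used: SMTP AUTH sign-ins in the
# last 30 days, by account. Sign-in logs record these with client app "Authenticated SMTP".
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and clientAppUsed eq 'Authenticated SMTP'" |
    Group-Object UserPrincipalName |
    Select-Object @{ n = 'Account'; e = { $_.Name } }, @{ n = 'SmtpAuthSignIns'; e = { $_.Count } } |
    Sort-Object SmtpAuthSignIns -Descending
```

If the tenant-level setting is $false and no mailbox overrides it, every mailbox in the tenant is SMTP AUTH capable; the sign-in query tells you which of those are actually in use, which is the list you will need for the exceptions discussed below. Accounts that appear in the sign-in results but that nobody can account for are worth treating as a possible compromise rather than a forgotten integration.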
What CIS Recommends
The CIS Microsoft 365 Benchmark v6 addresses this directly with:
Control 5.2.2.3 (L1) Enable Conditional Access policies to block legacy authentication (Automated)
This includes blocking all legacy protocols—including SMTP.
The SMTP Exception (and How to Handle It Safely)
Some organizations still require SMTP for legitimate use cases (e.g., scanners, applications, or email relays).
If that’s the case, the goal isn’t to ignore the risk—it’s to control it tightly.
Recommended approach:
Create a Conditional Access policy to block all legacy authentication, aligned to the CIS M365 v6 control 5.2.2.3 specification (all users, all cloud apps, client app types Exchange ActiveSync clients and Other clients, access control Block).
Exclude only the specific accounts that require SMTP
Create a secondary policy that blocks those accounts from every location except a named location containing the relay's egress IP address
The key principle: If SMTP must be used, it should only be usable from one controlled location—not the entire internet.
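Putting the three steps together, here is how the two policies and the named location can be created with Microsoft Graph PowerShell, with the SMTP AUTH setting narrowed on the Exchange side as well. This is an added example, not a script from the original post or from CIS. The egress IP 203.0.113.10, the service account smtp-relay@contoso.example and the break-glass account breakglass@contoso.example are placeholders, and both policies are created in report-only mode so you can review what they would have blocked before enforcing them.

```powershell
# Added example, not from the original post. Placeholders: 203.0.113.10 (relay
# egress IP), smtp-relay@contoso.example (SMTP service account) and
# breakglass@contoso.example (emergency access account). Requires the
# Microsoft.Graph and ExchangeOnlineManagement modules.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'User.Read.All'
Connect-ExchangeOnline

$smtpAccounts = @('smtp-relay@contoso.example')
$breakGlass   = @('breakglass@contoso.example')
$smtpIds = @($smtpAccounts | ForEach-Object { (Get-MgUser -UserId $_).Id })
$bgIds   = @($breakGlass   | ForEach-Object { (Get-MgUser -UserId $_).Id })

# Steps 1 and 2: block legacy authentication for everyone, in the scope CIS
# 5.2.2.3 describes (all users, all cloud apps, client app types Exchange
# ActiveSync and Other clients, grant control Block). Only the SMTP accounts
# and the break-glass accounts are excluded.
$blockLegacy = @{
    displayName   = 'CIS 5.2.2.3 - Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'   # set to 'enabled' once report-only shows no surprises
    conditions    = @{
        clientAppTypes = @('exchangeActiveSync', 'other')
        applications   = @{ includeApplications = @('All') }
        users          = @{ includeUsers = @('All'); excludeUsers = $smtpIds + $bgIds }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
$p1 = New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# Step 3a: a named location holding only the relay's egress address. The
# allow-listing is done by the policy below, so the location is not flagged
# as "trusted" (that flag feeds other Entra logic such as MFA registration).
$loc = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'SMTP relay egress'
    isTrusted     = $false
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.10/32' }
    )
}

# Step 3b: the SMTP accounts are blocked everywhere except that location, for
# every client type, so a stolen password is useless from any other IP.
$pinSmtp = @{
    displayName   = 'SMTP service accounts - allow only from relay egress'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('All') }
        users          = @{ includeUsers = $smtpIds }
        locations      = @{ includeLocations = @('All'); excludeLocations = @($loc.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
$p2 = New-MgIdentityConditionalAccessPolicy -BodyParameter $pinSmtp

# Exchange side: turn SMTP AUTH off for the whole tenant and re-enable it only
# on the mailboxes that need it. This is a tenant-wide change; run it only
# after confirming nothing else still relies on SMTP AUTH.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
foreach ($upn in $smtpAccounts) {
    Set-CASMailbox -Identity $upn -SmtpClientAuthenticationDisabled $false
}

"Created '$($p1.DisplayName)' and '$($p2.DisplayName)' in report-only mode; named location id $($loc.Id)."
```

Two points worth checking before switching the policies to enabled. First, review the report-only results in the sign-in logs for a few days: anything the first policy would have blocked that is not a known SMTP account is either a forgotten integration or an attacker. Second, the per-mailbox Exchange setting and the Conditional Access location restriction are independent layers: the Exchange setting limits which accounts can use SMTP AUTH at all, and the location policy limits where even those accounts can use it, so a password stolen from the relay account still fails from anywhere but the relay's own egress IP.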
Don’t Forget Break Glass Accounts
As with all Conditional Access policies:
Break glass (emergency access) accounts should be excluded
These accounts must still be:
Strongly protected
Closely monitored
Used only in true emergency scenarios
Final Thoughts
Legacy authentication may no longer be the widespread threat it once was—but it’s not completely gone.
The remaining footholds—like SMTP—still present real risk if left uncontrolled.
A properly configured Conditional Access strategy ensures:
Legacy protocols are blocked wherever possible
Exceptions are tightly restricted
Work With Redeemer Cyber
At Redeemer Cyber, we help organizations identify and close real-world Microsoft 365 security gaps—including legacy authentication exposures that are often overlooked.
Contact us today to ensure your environment is fully aligned with CIS M365 v6 and modern security best practices.