• Home
  • Topics
    • Office 365
    • Teams
    • SharePoint
    • Exchange 2019
    • Exchange 2016
    • Exchange 2013
    • Hybrid
    • Certificates
    • PowerShell
    • Migration
    • Security
    • Azure
  • Blog
  • Podcast
  • Webinars
  • Books
  • About
  • Subscribe
    • Facebook
    • Twitter
    • RSS
    • YouTube

Practical 365

You are here: Home / Exchange Online / Switching off legacy authentication for Exchange Online

Switching off legacy authentication for Exchange Online

September 5, 2020 by Steve Goodman 6 Comments

Switching off legacy authentication for Exchange Online

Keeping legacy authentication enabled in your Microsoft 365 tenant should be avoided; however, going ahead and disabling has traditionally been difficult. Unless you already have a good understanding of your clients, it may present a risk.

Recent improvements to Exchange Online make this simple to configure, and you can now retrieve the information you need to identify potential clients that might be affected.

In this article, we will walk through the process to identify clients using legacy authentication, then utilize the new functionality available to Exchange Online to disable legacy auth for selected protocols.

Reviewing legacy sign-ins to Exchange Online

Before disabling legacy authentication for Exchange Online, it is essential to ensure that clients won’t be affected or prevented from signing in, or if they will, gather enough information so that you can inform people who will be impacted.

You can do this in the Azure Active Directory portal by reviewing sign-in logs using dedicated capabilities to filter based on legacy authentication. To do this, navigate to the Azure AD portal and then select Sign-ins under Monitoring.

Learn more: Introducing Certificate-Based Authentication for Exchange Online Remote PowerShell with Microsoft MVP Vasil Michev

In this section, you will see all sign-in attempts to Azure AD, including sign-in to all Microsoft 365 services from all your clients. We’ll first make sure the information we need is clearly displayed by adjusting the columns displayed by adding client app, as shown below:

client app

Next, we’ll use Add filters to add a filter based on client app:

add filters

The filter for client app will allow us to reduce the list shown to only relevant clients. To do this, expand the filter and from the drop-down list only select the protocols listed under Legacy authentication clients:

Legacy authentication clients

This list is likely to show us both successful and unsuccessful sign-ins. Whilst unsuccessful sign-ins are a concern; we will focus on successful sign-ins to gain insight into what should be real sign-ins from our users. We’ll do this by using Add filters to add a filter based on Status:

Status

We’ll then change the filter for Status to only show results that are a Success:

Status: success

You will then see what may be a long list of sign-ins from legacy authentication clients to Exchange Online. You can expand this using the Date filter to up to one month to gain more insights and use Download to export a list for review.

In the example below, we can see that many users widely use exchange Activesync. Therefore before disabling this protocol, we’ll need to move them to a modern-authentication capable client such as the Outlook App.

Learn more: How to Migrate Exchange Mailbox Permissions with Mike Weaver

If you examine the list and want to understand which legacy authentication protocols are not in active use and can be immediately disabled, then re-open the Client app filter and unselect protocols shown in your results. By unselecting Exchange Activesync, we will be able to see other protocols in active use then easily:

Exchange ActiveSync

We will repeat the process by removing other protocols in active usage until no results are shown. In the example below, we have discovered quickly that only Activesync and Exchange Web Services are in use, and there are no sign-ins over the last month from any other clients.

Exchange ActiveSync and Exchange Web Services

Selectively switching off legacy authentication

After discovering which protocols are not in active use, we are in a position where it becomes low-risk to disable legacy authentication.

Instead of using Exchange Online PowerShell, we can now use the Microsoft 365 admin center to disable legacy authentication for Exchange Online on a protocol-by-protocol basis affecting all users. To do this, navigate to Settings>Org Settings and choose Modern authentication from the services list. In the Modern authentication page, we’ll disable the legacy protocols no longer in use:

Modern authentication

You’ll note in the example above; we’ve disabled legacy authentication for IMAP4, POP3, Exchange Online PowerShell, and Autodiscover. For Exchange Online Powershell, this means you must use either the V2 module or the deprecated V1 module that supports MFA. By disabling legacy authentication to Autodiscover, we will prevent additional legacy clients from attempting to discover Exchange Online information.

Because we know legacy Activesync is in use in our organization and there is a small amount of active legacy Exchange Web Services usage, we’ll leave these protocols enabled.

Once we are happy with the settings, we’ll choose Save to apply these to all Exchange Online clients.

Disabling Legacy Authentication for all Exchange Online services

Using our sign-in log information, we will upgrade or reconfigure discovered clients to use modern authentication. After re-running the steps to filter Azure AD sign-ins and confirming we no longer have any active usage of legacy authentication, we’ll re-visit the Microsoft 365 admin center and disable legacy authentication for all Exchange Online protocols:

Modern authentication options

Further improving security for Microsoft 365 and Exchange Online

Disabling legacy authentication to Exchange Online isn’t the panacea of Microsoft 365 security – it is just one step towards helping keep the environment secure from particular threats, like password spray attacks.

Suppose you have Microsoft 365 E3, Microsoft 365 Business Premium, EMS E3, or Azure AD Premium licenses. In that case, you should consider configuring Conditional Access in your environment to selectively enable Azure Multi-Factor Authentication or configure rules to only allow access to your environment from Intune enrolled devices, Hybrid Azure AD domain-joined PC – or other criteria, such as IP address.

However, suppose you don’t have Conditional Access available. In that case, you may want to consider using Azure AD Security Defaults or (if you need it on a per-user basis) Office 365 multi-factor authentication. Azure AD Security Defaults is particularly useful if you wish to have a guided process over 14 days rather than immediately. It also provides additional MFA protection to privileged administrative actions in your tenant.  

Exchange Online

About Steve Goodman

Steve is a Microsoft MVP for Office Servers and Services. He enjoys getting hands-on, solving some of the more complex problems associated with migrating to the cloud or to newer versions of Exchange Server.

Comments

  1. carol says

    October 27, 2020 at 11:13 pm

    Hi Steve, we have been told that we must switch off legacy authentication to allow guest access to Teams. Is there no work around to this?

    Reply
    • Steve Goodman says

      October 28, 2020 at 1:46 am

      Hiya,

      Disabling legacy authentication to Exchange Online isn’t a pre-requisite to allowing guest access to Teams. It’s advisable to do this anyway, but the two are not connected.

      Steve

      Reply
  2. Eddie says

    September 23, 2020 at 11:50 pm

    Hi Steve,

    How can I access a shared mailbox for a third party application that sends email on behalf of our company with Oauth?
    One reason for still allowing basic auth is this example, and I can’t figure out how to do this in the future.

    Reply
    • Steve Goodman says

      January 10, 2021 at 3:56 am

      The third party application will need to update their application to use Oauth. Unfortunately this will be required in the future, potentially this year, so it’s worth making sure they are getting ready.

      Reply
  3. Tristan says

    September 19, 2020 at 1:34 am

    Hey Steve,
    Running through this i can see that our customer uses ActiveSync, Exchange ActiveSync, EWS, Mapi Over HTTP and Outlook Anywhere.

    What is the best course to getting them completely switched over to Modern Authentication? Is the process any different for Hybrid Exchange O365 Sites?

    Thanks

    Reply
    • Steve Goodman says

      September 21, 2020 at 7:16 am

      Hiya,

      The process to move them over from ActiveSync using Legacy Auth will be to either – move them to the Outlook App; or if they are using a modern-auth capable phone (such as an iOS device) they’ll need to re-add the profile, which *should* use Modern Auth.

      For EWS/MAPI over HTTP/Outlook Anywhere, then you need to check what client versions are in use. It should be Outlook 2016 or higher, which supports modern authentication and should switch over cleanly. If it’s 2013, then you can deploy registry changes to enable modern authentication, allowing a clean process to switch from basic to modern auth. For 2010 – they are very unsupported and will need a modern Office client installed.

      Steve

      Reply

Leave a Reply Cancel reply

You have to agree to the comment policy.

Recent Articles

  • Hands-on SharePoint Syntex Blog Series – Part I
  • The Practical 365 Weekly Update: S2, Ep 8 – What to expect in 2021, Solarigate, TLS in Exchange and new Teams updates
  • Security updates released for Exchange and SharePoint Servers 2010 to 2019
  • The Practical 365 Weekly Update: S2, Ep 7 – Urgent Exchange security updates, new Teams features launch
  • How to train your users against threats with Attack Simulation Training
Practical 365

Related Posts

Related Posts

Training Courses

  • Configuring and Managing Office 365 Security
  • Office 365 Admin Playbook
  • Exchange 2016 Exam 70-345
  • Managing Exchange Mailboxes and Distribution Groups in PowerShell
  • More Training Courses...

Recommended Resources

  • Office 365 Security Resources
  • Office 365 Books
  • Exchange Server Books
  • Exchange Server Migrations
  • Exchange Analyzer
  • Digicert SSL Certificates

About This Site

Practical 365 is a leading site for Office 365 and Exchange Server news, tips and tutorials. Read more...

Find out more about advertising with us.

Contact us


Subscribe to our newsletter
  • Facebook
  • Twitter
  • RSS
  • YouTube

Copyright © 2021 Quadrotech Solutions AG · Disclosure · Privacy Policy
Alpenstrasse 15, 6304 Zug, Switzerland