Disable Legacy Authentication Part 1

Background

In this blog series we will look at what Legacy Authentication is and how to improve our security posture by disabling it. There are quiet a few guides like this already out there but I hope this step-by-step guide will be a good complement and shine some light on how to get going. In part 1 we will look at what tools we have available to find Legacy Authentication sign-ins.

Legacy Authentication uses old protocols like (not limited to): “POP3“, “IMAP” and “SMTP” to authenticate to our Cloud Apps (such as Exchange Online). How ever “MFA” and/or “Conditional Access” policies does not apply to legacy authentication sign-ins and should therefore be considered as a risk.

As a step towards more secure sign-ins we should start using “Modern Authentication” and disable legacy authentication. When we look at legacy authentication we must consider our current Microsoft Office installations. Not all Office-versions have support for modern auth, see below chart for more info.

Microsoft is looking at legacy authentication retirement. The official retirement date has been postponed until further notice due to the COVID-19 pandemic. But we must all start planning for an upcoming retirement and what that means for us. Read more about the upcoming legacy authentication retirement here: Link

In my opinion the retirement can not come soon enough as legacy authentication used by most phishing attempts. Below figures are from Microsoft official documents: Link

  • More than 99 percent of password spray attacks use legacy authentication protocols
  • More than 97 percent of credential stuffing attacks use legacy authentication
  • Azure AD accounts in organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled
Microsoft Office versionModern Authentication Support
2007No
2010No
2013Yes, but requires ADAL to be enabled
2016 and aboveYes, enabled by default
2007 and 2010 completely lacks support for Modern Authentication

iOS“, “iPadOS” and “MacOS” must be considered as not all versions do support modern auth. This applies to the native Mail app and if you are on one of below OS-versions I recommend that you use the “Microsoft Outlook” app instead as it supports modern auth.

Operating SystemModern Authentication Support
iOSYes, iOS 11 or later
iPadOSYes, 13.1 or later
MacOSYes, 10.14 or later
Use Microsoft Outlook app if you are using an old OS-version

Identify Legacy Authentication Sign-ins

I recommend that you set up a Log Analytics workspace in Azure if you haven’t already. By doing so we will be able to collect Azure Sign-in info. This is a pre-requisite to be able to use “Conditional Access: Insights and Reporting“.

How to set up “Conditional Access: Insights and Reporting”

We will start off by creating a Resource Group for our Log Analytics Workspace. We will then create a LA workspace and set it up to gather Azure audit and sign-in logs. We must have an Azure subscription, this blog post will not cover settings up a subscription check this article if needed: Create an additional Azure subscription | Microsoft Docs

To export Sign-in data we need to have either Azure AD Premium Plan 1 or 2. It is possible to use a free trial for evaluation.

  1. Log in to: https://portal.azure.com with admin privileges
  2. Navigate to: “Azure Active Directory” -> “Security” -> “Conditional Access” -> “Insights and Reporting
  3. If you get below message you must first set up a Log Analytics workspace. Otherwhise you may skip to step: 20
  4. From the “Portal Menu” click: “Resource groups
  5. Click: “Add
  6. Your active subscription will be pre-defined, change this if needed
  7. Set a Resource Group name. In this demo I will use “Demo-LogAnalytics-ResourceGroup
  8. Choose a Region as per your need
  9. Click: “Review + create
  10. Click: “Create
  11. Navigate to: Log Analytics workspaces – Microsoft Azure
  12. Click: “Add
  13. Here we should use same “Subscription” as we used when we set up the “Resource Group”
  14. Resource Group: “Demo-LogAnalytics-ResourceGroup
  15. Name: Choose a name as per your need. In this demo I will use: “Log-Analytics-Azure-audit-and-signin-logs
  16. Set “Region” as per your need
  17. Click: “Review + Create
  18. Click “Create
  19. Wait a couple of minutes for the new Log Analytics Workspace to be deployed
  20. Navigate to: “Azure Active Directory” -> “Diagnostics Settings
  21. Click: “+ Add diagnostic setting
  22. Diagnostic setting name: In this demo I will use “Demo – Send Azure AD Logs to LogAnalytics
  23. Mark: “AuditLogs
  24. Mark: “SignInLogs
  25. Mark: “Send to Log Analytics workspace
  26. Subscription: Use same subscription as we used to set up the Resource Group and Log Analytics workspace
  27. Click: “Save”
  28. Wait about 60 minutes for everything to be synchronized
  29. Navigate to: “Azure Active Directory” -> “Security” -> “Conditional Access” -> “Insights and Reporting
  30. You should now be able to view “Conditional Access: Insights and Reporting
  31. I normally use “Insights and Reporting” to evaluate the outcome of a new conditional access policy (in report only mode) and to track down any legacy authentication sign-ins. But there are other ways to do this, let’s have a look at Workbooks!

Workbook: “Sign-ins using Legacy Authentication”

There are other things that benefits from the Log Analytics workspace that we just created. We can use a Workbook called “Sign-ins using Legacy Authentication” to get a view of any legacy auth sign-ins.

  1. Navigate to: “Azure Active Directory” -> “Workbooks
  2. Click: “Sign-ins using Legacy Authentication
  3. Now let’s make sure the “Workbook” is using correct Log Analytics Workspace
  4. Click: “Edit” -> “Settings
  5. Make sure that the Log Analytics workspace name matches the workspace we just created
  6. Close the “Settings” blade by clicking the “Cancel” and navigate back to the “Workbook
  7. As you can see, this “Workbook” is very helpful when you need to track down any legacy authentication sign-ins!

In part 2 we will look at how to block legacy authentication by using “Conditional Access”

Leave a Reply

Your email address will not be published. Required fields are marked *