
How to Disable Legacy Authentication in Microsoft 365

Why Block Legacy Authentication?

Legacy authentication refers to older sign-in protocols such as POP3, IMAP4, SMTP AUTH and older versions of Exchange ActiveSync, which were built before modern security concepts existed. They use Basic authentication, which sends credentials in plain text and has no concept of multi-factor authentication.

The problem is that even if you've enforced MFA across your tenant, these protocols completely bypass it. An attacker who obtains a user's credentials can authenticate directly via IMAP or POP3 and gain full mailbox access without ever being challenged for a second factor. It's one of the most commonly exploited gaps in Microsoft 365 tenants.

  • MFA Bypass: legacy protocols don't support MFA, so attackers can authenticate with just a password, even on MFA-enforced accounts.
  • Brute Force Attacks: Basic auth over POP/IMAP is a common target for password spray attacks; no lockout triggers on many legacy endpoints.
  • Credential Stuffing: leaked credential lists are frequently tested against SMTP AUTH and IMAP endpoints in automated attacks.
  • Poor Visibility: legacy auth sign-ins often don't appear in standard sign-in logs, making them harder to detect and audit.

What Gets Blocked

The Conditional Access policy targets the Exchange ActiveSync and Other Clients client app conditions, which covers all of the following:

Protocol                        Used For                               Status
POP3                            Older email clients downloading mail   BLOCKED
IMAP4                           Email clients syncing mailboxes        BLOCKED
SMTP AUTH                       Sending mail via basic auth            BLOCKED
Exchange ActiveSync (basic)     Older mobile devices syncing email     BLOCKED
Exchange Web Services (basic)   Older apps integrating with Exchange   BLOCKED
Autodiscover (basic)            Legacy Outlook auto-configuration      BLOCKED
MAPI over HTTP (basic)          Outlook 2013 and earlier               BLOCKED
Modern auth (OAuth 2.0)         Current Outlook, Teams, M365 apps      NOT AFFECTED

Check for legacy dependencies first

Before enabling, check whether any users, service accounts, or line-of-business applications rely on POP3, IMAP, or SMTP AUTH. Common culprits include older printers that send scan-to-email via SMTP, monitoring tools, and mailbox-polling scripts. Use Report-Only mode (covered at the end) to identify these before blocking.

Create the Conditional Access Policy

Go to the Entra Admin Centre and open Conditional Access:

[Screenshot: Entra ID Conditional Access Policies page]

Click New Policy and work through each section below.

  1. Name the policy
     Give it a clear, descriptive name, something like Block Legacy Authentication or CA-BLOCK-LegacyAuth.
     [Screenshot: Policy name field]

  2. Users: Include All users
     Under Users, set Include to All users. This ensures no account can use legacy auth. If you have break-glass admin accounts, add them to the Exclude list (see the callout below).
     [Screenshot: Users set to All users]

  3. Target resources: All cloud apps
     Under Target resources, set to All cloud apps. This applies the block across every Microsoft 365 service: Exchange, SharePoint, Teams, and all others.
     [Screenshot: Target resources set to All cloud apps]

  4. Conditions: Client apps
     Under Conditions → Client apps, set Configure to Yes, then tick both Exchange ActiveSync clients and Other clients. These two options cover all legacy authentication protocols. Leave Browser and Mobile apps / Desktop clients unticked.
     [Screenshot: Client apps conditions with Exchange ActiveSync and Other clients selected]

  5. Grant: Block access
     Under Access controls → Grant, select Block access. This is the control that denies authentication when the conditions above are matched.
     [Screenshot: Grant control set to Block access]

  6. Enable the policy
     Set the policy state to On and click Create. The policy takes effect within a few minutes.
     [Screenshot: Enable policy toggle set to On]

Policy summary

Block Legacy Authentication
  Users:        All users (exclude break-glass admins)
  Cloud apps:   All cloud apps
  Conditions:   Client apps: Exchange ActiveSync + Other clients
  Grant:        Block access
  State:        On
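The same policy can be created from the command line. The script below is an added example using the Microsoft Graph PowerShell SDK, not code from the original guide; it assumes the Microsoft.Graph.Identity.SignIns module is installed, the caller holds the Conditional Access Administrator role, and the break-glass object IDs are replaced with your own (the value shown is a placeholder).

```powershell
# Added example (not part of the original guide): create the "Block Legacy
# Authentication" policy via Microsoft Graph PowerShell instead of the portal.
# Assumes: Microsoft.Graph.Identity.SignIns module, Conditional Access Admin role.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# PLACEHOLDER: object IDs of your break-glass accounts. Replace before running;
# a policy scoped to All users must exclude these so you keep a way back in.
$breakGlassIds = @("00000000-0000-0000-0000-000000000001")

$policy = @{
    displayName = "CA-BLOCK-LegacyAuth"
    # Start in report-only (step "Test First"); switch to "enabled" once the
    # sign-in log review shows no legacy-auth dependencies.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers = @("All")             # Users: Include All users
            excludeUsers = $breakGlassIds       # Users: Exclude break-glass admins
        }
        applications   = @{ includeApplications = @("All") }   # All cloud apps
        # Exchange ActiveSync clients + Other clients = every legacy protocol
        # (POP3, IMAP4, SMTP AUTH, basic EWS/Autodiscover/MAPI). Browser and
        # mobileAppsAndDesktopClients are deliberately left out.
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")            # Grant: Block access
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"

# After the report-only review is clean, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```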

Before You Enable: Break-Glass Accounts

Important: always exclude your break-glass admin accounts

Break-glass accounts are emergency admin accounts kept outside normal policy scope for disaster recovery. Any Conditional Access policy scoped to All users should exclude these accounts: if something goes wrong with your regular admin access, you need a way back in. Add them under Users → Exclude → Select users and groups before saving the policy.

Test First with Report-Only Mode

If you're not confident there are no legacy auth dependencies in your environment, set the policy to Report-only instead of On when creating it. Report-only mode evaluates the policy against every sign-in and logs whether it would have been blocked, without actually blocking anything.

How to use Report-Only mode

Set the policy state to Report-only when creating it. After 7–14 days, review the Conditional Access insights under Entra ID → Monitoring → Sign-in logs, filtering for this policy. Any sign-ins that would have been blocked will appear; investigate them before switching the policy to On.

What to look for in the sign-in logs

  • Service accounts: any automation or integration authenticating via legacy protocols
  • Shared mailboxes: applications polling shared mailboxes via POP/IMAP
  • Printers / MFDs: scan-to-email features often use SMTP AUTH with basic credentials
  • Older mobile devices: some ActiveSync clients use basic auth and would lose email sync
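To make that review systematic rather than scrolling the portal, the script below (an added example, not from the original guide) pulls the last 14 days of sign-ins, keeps only those made with a legacy client that the report-only policy evaluated, and groups them by user and protocol so service accounts, shared mailboxes and printers stand out. It assumes the Microsoft.Graph.Reports module, an Entra ID P1/P2 licence (required for sign-in logs), and that your policy is named CA-BLOCK-LegacyAuth.

```powershell
# Added example (not part of the original guide): summarise legacy-auth sign-ins
# that the report-only policy flagged, so dependencies can be found before
# switching the policy to On. Assumes Microsoft.Graph.Reports and P1/P2 licensing.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$policyName = "CA-BLOCK-LegacyAuth"   # assumed name; match your own policy
$since = (Get-Date).AddDays(-14).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Sign-in logs are retained for at most 30 days, so 14 days is safely in range.
$signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since"

# Modern-auth client types; anything else (IMAP4, POP3, SMTP, Exchange
# ActiveSync, Other clients, ...) is what the policy would block.
$modernClients = @("Browser", "Mobile Apps and Desktop clients")

$legacy = foreach ($s in $signIns) {
    if ($s.ClientAppUsed -in $modernClients) { continue }

    # Only keep sign-ins where our report-only policy was actually evaluated.
    $hit = $s.AppliedConditionalAccessPolicies |
        Where-Object { $_.DisplayName -eq $policyName -and $_.Result -like "reportOnly*" } |
        Select-Object -First 1
    if (-not $hit) { continue }

    [pscustomobject]@{
        User     = $s.UserPrincipalName
        Protocol = $s.ClientAppUsed        # e.g. IMAP4, POP3, SMTP, Exchange ActiveSync
        App      = $s.AppDisplayName
        SourceIP = $s.IPAddress
        Result   = $hit.Result             # reportOnlyFailure = would have been blocked
    }
}

# One line per (user, protocol) pair, busiest first. A UPN that never belongs to
# a person (scanner@, monitor@, shared mailbox) is your migration list.
$legacy | Group-Object User, Protocol | Sort-Object Count -Descending |
    ForEach-Object { "{0,5}  {1}" -f $_.Count, $_.Name }

# Keep the raw rows for follow-up (source IP helps identify printers and servers).
$legacy | Export-Csv -Path ".\legacy-auth-signins.csv" -NoTypeInformation
```

Rows whose Result is reportOnlyFailure are the sign-ins that will stop working the moment the policy is set to On; move each of those to modern auth or an alternative before enforcing.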

Complementary policy to consider
Pair this policy with one that disables persistent browser sessions and another that requires MFA for all users. Together these three policies form the core of a solid Microsoft 365 Conditional Access baseline, closing the three most common authentication attack paths.
Jack Davies
IT Engineer · M365 & Intune Specialist

Jack is an IT Technical Engineer based in the UK, working day-to-day with Microsoft 365, Intune, and Entra ID across a range of businesses. He holds the MS-900 certification and is studying for a BSc in Cyber Security through the Open University. Outside of work he builds and documents home lab projects, writes guides on this site, and takes on M365 consulting work for small businesses.
