Building Resilience - Blocking Legacy Authentication

In history, we built resilience into our towns and villages by building walls around them or a Castle on a hill. This idea can be carried forward into our Entra ID Conditional Access.

Blocking legacy authentication is one of the highest-impact controls you can implement in Entra ID. It removes a common attack path that bypasses MFA enforcement and weakens Conditional Access design. This control is potentially one of the most useful policies in Conditional Access but it's also one that is quite often missed by Administrators in their environment. There are a few reasons for this:

1. Administrators don't want to block things like SMTP on printers or services that may still use legacy authentication types.

2. Administrators lack the understanding of the environment and don't know if there are services still using this feature (unmapped services).

3. Administrators have legacy applications or services that require this and aren't sure how to phase out these in a secure and effective manner.

In order to assist with this common problem, this blog post will walk through how to identify legacy usage, create the policy, test it safely, and enforce it properly.

Step 1: Confirm Whether Legacy Authentication Is in Use

Before enforcing anything, check whether legacy protocols are still being used.

1. Go to Entra Admin Center → Monitoring & health → Sign-in logs.

2. Click Columns and add Client app.

3. Use the Add filters option and filter by Client app.

4. Select legacy authentication client types such as:

   • Exchange ActiveSync

   • IMAP

   • POP

   • SMTP

   • Other clients

Review the results over at least several days.

If you see sign-ins:

• Identify the user or service account.

• Determine whether the application supports modern authentication.

• Plan remediation before enforcement.

If nothing legitimate appears, proceed to policy creation.

Step 2: Create the Conditional Access Policy

Do not combine this with another policy. Keep it dedicated and clear.

1. Go to Protection → Conditional Access.

2. Click New policy.

3. Name the policy:Block Legacy Authentication – All Users

Assignments

Users

• Select All users.

• Exclude:

  • At least two documented emergency access accounts.

Do not exclude broad user groups unless absolutely necessary.

Target resources

• Select All cloud apps.

Conditions

Client apps

1. Click Client apps.

2. Set Configure to Yes.

3. Select Other clients (this represents legacy authentication protocols).

Leave other conditions unset unless you have a specific reason.

Access Controls

1. Under Grant, select Block access.

2. Click Select.

Step 3: Enable Report-Only Mode First

Before turning it on:

1. At the bottom of the policy, set Enable policy to Report-only.

2. Click Create.

Let this run for several days. During that time:

• Go back to Sign-in logs.

• Filter by Conditional Access → select the new policy.

• Review what would have been blocked.

If legitimate systems appear, fix the system rather than immediately creating a wide exclusion.

Step 4: Move to Enforcement

Once you are confident no required systems depend on legacy authentication:

1. Edit the policy.

2. Change Enable policy from Report-only to On.

3. Save.

From this point forward, legacy authentication attempts will be blocked.

Step 5: Validate the Block Is Working

After enforcement:

1. Go to Sign-in logs.

2. Filter by Client app = legacy types.

3. Confirm sign-ins show Failure.

4. Expand a sign-in event and review:

   • Conditional Access → see the policy listed.

   • Result: Failure.

   • Grant controls: Blocked.

You will likely see automated password spray attempts that were previously succeeding or going unnoticed.

Step 6: Address SMTP AUTH If Required

If your organisation uses SMTP AUTH for application mail relay:

• Do not disable tenant-wide access without confirming usage.

• Consider:

  • Disabling SMTP AUTH globally.

  • Enabling it only per mailbox where absolutely required.

  • Migrating to modern authenticated SMTP or a controlled relay.

Tenant-wide exceptions defeat the purpose of this control.

What This Achieves

Once legacy authentication is blocked:

• Password spray attacks against legacy endpoints fail.

• MFA bypass through legacy protocols is removed.

• All authentication attempts are forced through modern authentication paths.

• Conditional Access enforcement becomes consistent.

Blocking legacy authentication does not stop credential theft, but it ensures your MFA and risk-based policies cannot be bypassed through outdated protocols. If you are building resilience into your Entra ID design, this is the first control that should be enforced.

Next post: The MFA Baseline