Skip to content
    August 9, 2022

    Detecting Microsoft Legacy Authentication with Blumira

    Starting in October 2022, Microsoft will start deprecating legacy and basic authentication, even if it is still in use. This change was originally announced in 2019 and was planned to take place in 2020. Due to the changing business environment brought on by COVID-19, Microsoft delayed the retirement of legacy authentication protocols.

    With Blumira’s new global report, “Microsoft 365: Legacy Authentication,” customers can quickly and easily detect instances of legacy authentication being used in their environments.

    Legacy vs. Modern Authentication

    Legacy and basic authentication rely solely on username and password, as opposed to additional forms of authentication. Legacy authentication protocols include IMAP4, POP3, and EWS, EAS, and Remote PowerShell. 

    Systems that use legacy authentication often include document scanners, voicemail-to-email bridges, and other systems that integrate with email. For example, older versions of Cisco Unified Communications systems offer email integration and contact list integration, with no option other than legacy auth. Organizations can update firmware to get more modern support, but there may be licensing concerns that limit the ability to have access to firmware updates. There are many other products like this still in common use, that either need firmware updates, software updates, or simply lack the ability to function without use of legacy auth.

    Modern authentication, on the other hand, is any protocol that supports multi-factor authentication (MFA). This includes ADAL and OAuth. With modern authentication, users authenticate with a web dialogue belonging to your identity provider, such as Azure AD, rather than one owned by the OS or application. 

    Modern authentication is proven to be much more effective against threats such as ransomware. Attackers target accounts that rely on legacy authentication to Microsoft 365 10x more than those using modern authentication, an Okta report found.

    Microsoft’s deprecation of legacy authentication will force organizations to adopt MFA in an effort to reduce overall risk and prevent cyberattacks. 

    How To Detect Legacy Authentication With Blumira

    Recently, Blumira’s Incident Detection and Engineering team built a report to look for Azure Active Directory authentication events using legacy authentication protocols. All administrators should be reviewing these reports on a regular basis to see what usernames are still using legacy authentication. 

    To access the report that we have added, simply log into Blumira (app.blumira.com) and navigate to Reporting > Report Builder. Select the menu to the right of the Submit button, and search for “legacy.” Select the Microsoft 365: Legacy Authentication option. 

    All Blumira customers, including Blumira Free customers, have access to this global report to detect remaining use of legacy auth in Microsoft 365. As long as Microsoft 365 logs are being sent to Blumira, and auditing is enabled in Microsoft 365, you can use this report to proactively look for legacy auth issues.

    Customers of paid editions of Blumira, including MSPs with an NFR account, can also set up scheduled reports to automatically send the contents of the Legacy Authentication report.

    Get Ahead Of Microsoft’s Legacy Auth Changes

    Once Microsoft starts to shut off legacy authentication, components of this report will most likely break. Focus on the User column and try to associate all the logins with specific applications, devices, or cloud services. 

    A look at the Legacy Authentication report in Blumira.

    Make a list of all the confirmed or suspected sources of these logins, and work on each item on the list. Re-run the report with a short interval (less than 7 days) and check for remaining or new legacy auth logins. Ultimately, your goal should be to have an empty report.

    Now is the time to start working on this, so you have time to gracefully fix these issues before October comes and things just break. Speaking from (lots of) experience, some of the things you will find are not easy fixes. There are still a lot of hardware and software products out there that only work with legacy auth. With a few months’ head start, MSPs can have these discussions with their customers and help them get a plan in place to continue to function without legacy auth.

    References:

    Chris Furner

    Chris joined Blumira after spending more than 7 years at Worksighted, an 85-employee MSP. As a security engineer and consultant, Chris spent several years building security programs for customers, analyzing threats and performing incident response. In the process, he developed a deep understanding of the unique needs...

    More from the blog

    View All Posts