Home
%3CLINGO-SUB%20id%3D%22lingo-sub-377326%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Mailbag%3A%20Discovering%20and%20blocking%20legacy%20authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-377326%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F302270%22%20target%3D%22_blank%22%3E%40AndresCanello%3C%2FA%3E%26nbsp%3BThanks%20for%20the%20offer.%20Yes%2C%20we%20disabled%20basic%20authentication%20across%20EXO%20for%20all%20users%20last%20November.%20It's%20the%20one%20and%20only%20authentication%20policy.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20do%2C%20see%2C%20however%2C%20in%20the%20latest%20AAD%20logs%2C%20that%20there%20hasn't%20been%20an%20IMAP%20%22%3CSPAN%3EAccount%20is%20locked%20because%20user%20tried%20to%20sign%20in%20too%20many%20times%20with%20an%20incorrect%20user%20ID%20or%20password%22%20since%20March%203rd%2C%20so%20it's%20possible%20that%20it%20finally%20stopped.%26nbsp%3B%20It%20has%20died%20down%20before%2C%20but%20never%20for%20this%20long.%20So%2C%20unless%20you%20still%20want%20to%20take%20a%20look%20at%20things%2C%20maybe%20it's%20just%20best%20to%20sit%20tight%20for%20now%20and%20see%20if%20it%20truly%20has%20stopped.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-375861%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Mailbag%3A%20Discovering%20and%20blocking%20legacy%20authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-375861%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F285725%22%20target%3D%22_blank%22%3E%40ajc196%3C%2FA%3E%26nbsp%3B%20great%2C%20for%20the%20best%20protection%2C%20consider%20disabling%20Exchange%20protocols%20using%20Authentication%20Policies%20instead%20of%20set-casmailbox.%20Auth%20Policies%20let%20you%20do%20it%20per-mailbox%2C%20per-protocol%20and%20for%20the%20entire%20org%20as%20well.%20See%20my%20other%20comment%20about%20processing%20order%20in%20the%20auth%20flow.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-375860%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Mailbag%3A%20Discovering%20and%20blocking%20legacy%20authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-375860%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F301872%22%20target%3D%22_blank%22%3E%40Cyphel%3C%2FA%3E%26nbsp%3B%20We've%20heard%20that%20feedback%20and%20we%20are%20working%20on%20a%20solution.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F194066%22%20target%3D%22_blank%22%3E%40Loren%20Bain%3C%2FA%3E%26nbsp%3BConditional%20Access%20policies%20are%20evaluated%2Fapplied%20only%20after%20authentication%20(i.e.%3A%20after%20the%20attacker%20gets%20an%20opportunity%20to%20try%20passwords%20at%20your%20AD%20FS)%2C%20same%20for%20disabling%20protocols%20at%20the%20mailbox%20level%20(set-casmailbox)%20and%20CAR%20(client%20access%20rules).%20This%20is%20why%20we%20recommend%20disabling%20basic%20auth%20with%20Authentication%20Policies%2C%20that%20way%20Exchange%20just%20ignores%20the%20auth%20request.%20I%20have%20put%20together%20the%20following%20slides%20to%20walk%20customers%20through%20an%20attack%20and%20what%20controls%20are%20applied%20and%20especially%20%3CSTRONG%3Ewhen%3C%2FSTRONG%3E%20in%20the%20auth%20flow.%20Check%20them%20out%20(we%20are%20looking%20into%20publishing%20these%20in%20our%20documentation)%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.slideshare.net%2FAndresCanello%2Fazure-ad-password-attacks-logging-and-protections%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.slideshare.net%2FAndresCanello%2Fazure-ad-password-attacks-logging-and-protections%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-375858%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Mailbag%3A%20Discovering%20and%20blocking%20legacy%20authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-375858%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F314%22%20target%3D%22_blank%22%3E%40Brian%20.%3C%2FA%3E%26nbsp%3B%20If%20you%20have%20blocked%20basic%20auth%20in%20EXO%20and%20allowed%20for%20some%20time%20for%20the%20policy%20to%20apply%20and%20still%20see%20unsuccessful%20sign%20ins%20for%20that%20user%2Fprotocol%2C%20send%20me%20an%20email%20at%20andres.canello%40ms%20and%20I'll%20check%20for%20you.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-375704%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Mailbag%3A%20Discovering%20and%20blocking%20legacy%20authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-375704%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20came%20up%20with%20a%20unique%20approach%20in%20our%20org.%20We%20don't%20use%20O365%2FAAD%20MFA%2C%20but%20rather%20Duo%20with%20a%20Conditional%20Access%20custom%20control.%20Due%20to%20this%2C%20we%20don't%20get%20app%20password%20capability%2C%20and%20legacy%20protocols%20are%20not%20inherently%20blocked.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20we%20do%20is%20that%20we've%20written%20our%20Conditional%20Access%20policies%20to%20only%20allow%20legacy%20protocols%20on%20our%20corporate%20network.%20Connections%20via%20legacy%20protocols%20from%20anywhere%20else%20get%20blocked.%20(And%20of%20course%2C%20our%20Duo%20custom%20control%20is%20enforced%20on%20users%20and%20Modern%20Auth%20aware%20clients)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIMAP%2FPOP%2FActiveSync%20are%20all%20disabled%20by%20default%20in%20Exchange%20Online.%20If%20someone%20needs%20IMAP%20access%2C%20we%20simply%20enable%20it%20on%20the%20mailbox%2C%20and%20let%20the%20user%20know%20that%20they%20must%20be%20on-site%20or%20on%20our%20VPN.%20(Which%20is%20also%20Duo-protected)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20lets%20us%20prevent%20unauthorized%20access%20via%20legacy%20protocols%2C%20but%20still%20let%20users%20cling%20to%20Thunderbird%20if%20they%20just%20really%2C%20really%20don't%20want%20to%20join%20the%20rest%20of%20us%20in%20the%2021st%20century.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-375674%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Mailbag%3A%20Discovering%20and%20blocking%20legacy%20authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-375674%22%20slang%3D%22en-US%22%3E%3CP%3EWhen%20federated%20with%20AD%20FS%20we%20find%20that%20the%20conditional%20access%20policy%20blocks%20the%20request%20after%20the%20WS-Trust%20authentication%20to%20AS%20FS%20so%20that%20lockouts%20are%20still%20a%20problem.%20%26nbsp%3BMostly%20coming%20in%20as%20SMTP%20and%20IMAP%20requests%20through%20Exchange%20Online.%20%26nbsp%3BEven%20disabling%20these%20protocols%20on%20exchange%20online%20is%20evaluated%20after%20the%20authentication.%20%26nbsp%3BADFS%20extranet%20lockout%20was%20the%20only%20thing%20that%20helped%20us%20out%20with%20that.%20%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-372428%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Mailbag%3A%20Discovering%20and%20blocking%20legacy%20authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-372428%22%20slang%3D%22en-US%22%3E%3CP%3EAnd%20for%20customers%20that%20don't%20have%20Azure%20AD%20premium%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-370670%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Mailbag%3A%20Discovering%20and%20blocking%20legacy%20authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-370670%22%20slang%3D%22en-US%22%3E%3CP%3ERelative%20to%20the%20approach%20described%20in%20your%20last%20paragraph%2C%20particularly%20%22%3CSPAN%3EThe%20protocol%20connection%20is%20denied%20before%20checking%20the%20credentials%20against%20Azure%20AD%2C%22%20is%20there%20any%20way%20to%20explain%20this%20ongoing%20mystery%3F%26nbsp%3B%20If%20the%20%22attackers%20don%E2%80%99t%20even%20get%20to%20try%20to%20use%20passwords%2C%22%20why%20are%20lockouts%20still%20occurring%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FMicrosoftDocs%2FOfficeDocs-Exchange%2Fissues%2F339%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2FMicrosoftDocs%2FOfficeDocs-Exchange%2Fissues%2F339%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-454628%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Mailbag%3A%20Discovering%20and%20blocking%20legacy%20authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-454628%22%20slang%3D%22en-US%22%3E%3CP%3EDoes%20this%20statement%20still%20apply%20today%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconditional-access%2Fconditional-access-for-exo-and-spo%23what-you-need-to-know%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconditional-access%2Fconditional-access-for-exo-and-spo%23what-you-need-to-know%3C%2FA%3E%3C%2FP%3E%3CP%3E%3CEM%3EWhen%20a%20client%20app%20can%20use%20a%20legacy%20authentication%20protocol%20to%20access%20a%20cloud%20app%2C%20Azure%20AD%20cannot%20enforce%20a%20conditional%20access%20policy%20on%20this%20access%20attempt.%20To%20prevent%20a%20client%20app%20from%20bypassing%20the%20enforcement%20of%20policies%2C%20you%20should%20check%20whether%20it%20is%20possible%20to%20only%20enable%20modern%20authentication%20on%20the%20affected%20cloud%20apps.%3C%2FEM%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETherefore%20in%20order%20for%20any%20type%20of%20conditional%20access%20policy%20to%20be%20evaluated%20the%20client%20must%20support%20modern%20authentication....%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-459635%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Mailbag%3A%20Discovering%20and%20blocking%20legacy%20authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-459635%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F302270%22%20target%3D%22_blank%22%3E%40AndresCanello%3C%2FA%3E%26nbsp%3B%22%3CSPAN%3EWe've%20heard%20that%20feedback%20and%20we%20are%20working%20on%20a%20solution.%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EAny%20updates%20on%20this%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3ECustomers%20that%20don't%20have%20Azure%20AD%20premium%20still%20need%20to%20take%20care%20of%20this.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EThanks.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-464638%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Mailbag%3A%20Discovering%20and%20blocking%20legacy%20authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-464638%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F130832%22%20target%3D%22_blank%22%3E%40Sean%20Stark%3C%2FA%3E%26nbsp%3BGood%20pick%20up.%20That%20article%20contains%20old%20info%20and%20we%20are%20taking%20it%20down.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F292877%22%20target%3D%22_blank%22%3E%40anon_%3C%2FA%3E%26nbsp%3BWe%20are%20working%20on%20it%2C%20stay%20tuned!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-467032%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Mailbag%3A%20Discovering%20and%20blocking%20legacy%20authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-467032%22%20slang%3D%22en-US%22%3E%3CP%3EJust%20in%20case%20it's%20overlooked%2C%20since%20it's%20only%20mentioned%20at%20the%20end%20of%20the%20article%2C%20this%20method%20doesn't%20require%20Premium%3A%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fclients-and-mobile-in-exchange-online%2Fdisable-basic-authentication-in-exchange-online%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fclients-and-mobile-in-exchange-online%2Fdisable-basic-authentication-in-exchange-online%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-468010%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Mailbag%3A%20Discovering%20and%20blocking%20legacy%20authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-468010%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F314%22%20target%3D%22_blank%22%3E%40Brian%20.%3C%2FA%3E%26nbsp%3B%20W%3CSPAN%3Ee%20added%20the%20ability%20to%20block%20legacy%20authentication%20in%20conditional%20access%20and%20so%20we%20recommend%20you%20start%20here%20first..%20You%20will%20require%26nbsp%3BAzure%20AD%20P1%20license%20to%20leverage%20conditional%26nbsp%3Baccess%20witch%20will%20give%20you%20flexibility%20to%20support%20users%20or%20apps%20that%20still%20need%20to%20use%20protocols%20with%20legacy%20authentication%20and%20can%20block%20the%20rest.%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F302270%22%20target%3D%22_blank%22%3E%40AndresCanello%3C%2FA%3E%26nbsp%3B%20has%20suggested%20some%20other%20scenarios%20in%20the%20post%20that%20you%20may%20want%20to%20look%20based%20on%20your%20environment%20setup%20where%20you%20may%20not%20require%20Azure%20ADP%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-582912%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Mailbag%3A%20Discovering%20and%20blocking%20legacy%20authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-582912%22%20slang%3D%22en-US%22%3E%3CP%3EIs%20it%20not%20possible%20to%20have%20a%20report%20that%20tells%20me%20all%20the%20legacy%20auth%20for%20a%20period%20of%20time%3F%20I've%20tried%20looking%20at%20the%20logs%20for%20200%2C000%20sign-ins%20a%20day%20and%20it's%20difficult%20to%20get%20the%20detail%20required.%20For%20example%2C%26nbsp%3BOther%20clients%3B%20Older%20Office%20clients%20lists%26nbsp%3BMicrosoft%20Office%2015.0%2C%20I%20assume%20that's%20not%20Legacy%20Auth%3F%20How%20about%3A%3C%2FP%3E%3CTABLE%3E%3CTBODY%3E%3CTR%3E%3CTD%3EAndroid-Mail%202019.04.14%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3ECalendarAgent%20316.1%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3ECalendarAgent%20361.2%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3ECalendarAgent%20399.2%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3ECalendarAgent%20416.4%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3ECalendarAgent%20416.5%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3Eclview.exe%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3EExchangeWebServices%20287.1%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3EExchangeWebServices%20287.4%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3EExchangeWebServices%205.0%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3EExchangeWebServices%206.0%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3EExchangeWebServices%207.2%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3Egroove.exe%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3Elync.exe%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3EMacOutlook%200.0.0.150830%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3EMacOutlook%2014.5.9.151119%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3EMacOutlook%2014.6.0.151221%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3EMacOutlook%2014.7.2.170228%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3EMacOutlook%2014.7.3.170325%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3EMacOutlook%2014.7.7.170905%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3EMacOutlook%2015.30.0.170107%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3EMacOutlook%2015.31.0.170216%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3EMacOutlook%2015.33.0.170409%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3EMacOutlook%2016.10.0.180210%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3EMacOutlook%2016.16.9.190412%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3EMacOutlook%2016.20.0.181208%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3EMacOutlook%2016.24.0.190414%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3EMacOutlook%2016.25.0.190512%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3EMacOutlook%2016.8.0.171210%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3EMicrosoft%20Office%2014.0%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3EMicrosoft%20Office%2015.0%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3EMicrosoft%20Office%2016.0%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3EPython%20Requests%202.18%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3Esearchprotocolhost.exe%3C%2FTD%3E%3C%2FTR%3E%3C%2FTBODY%3E%3C%2FTABLE%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-583132%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Mailbag%3A%20Discovering%20and%20blocking%20legacy%20authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-583132%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20extracted%20the%20%22Other%20Clients%22%20sign-in%20events%20for%20the%20past%2030%20days%20and%26nbsp%3Bhave%20a%20few%20questions%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%20%22Other%20Clients%3B%26nbsp%3BMAPI%22%3A%20We%20see%26nbsp%3Ba%20large%20amount%20of%20Office%202016%20clients%20doing%20Legacy%20Auth%20which%20is%20odd%20as%20ADAL%20is%20supposed%20to%20be%20enabled%20by%20default%3F%20How%20can%20Outlook%202016%20clients%20still%20do%20Legacy%20Auth%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%20%22Other%20Clients%22%20%26amp%3B%20%22Other%20Clients%3B%20Older%20Office%20Clients%22%3A%20There%20is%20no%20significant%20details%20to%20classify%20what%20has%20been%20attempted%20exactly%3F%20No%20Browser%20or%20OS%20info%20or%20ResourceDisplayName%E2%80%A6%20we%20only%20have%20some%20different%20AppID%20which%20are%20unknown%20to%20us!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%20Is%20there%20any%20documentation%20on%20these%20AppID%2C%20I%20checked%20on%20our%20tenant%20and%20they%20are%20unknown%3F%3C%2FP%3E%3CUL%3E%3CLI%3Edcdaf69a-8ab6-4fea-9731-6c5a5d54d151%3C%2FLI%3E%3CLI%3Ed176f6e7-38e5-40c9-8a78-3998aab820e7%3C%2FLI%3E%3CLI%3Ea039b054-9847-48fb-824b-1c5b848953e0%3C%2FLI%3E%3CLI%3E597cf567-d52d-4c00-aca6-b2126beb3fa1%3C%2FLI%3E%3CLI%3E4e31c259-4969-4c6a-9e94-64c5c9536c29%3C%2FLI%3E%3CLI%3Ebfc44fc5-2fe3-4d02-98ec-1e5967475f68%3C%2FLI%3E%3CLI%3Edcdaf69a-8ab6-4fea-9731-6c5a5d54d151%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMany%20thanks%20for%20your%20help%20to%20get%20us%20to%20a%20legacy%20auth%20free%20world%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESincerely%2C%3C%2FP%3E%3CP%3ETonino%20Bruno%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-725426%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Mailbag%3A%20Discovering%20and%20blocking%20legacy%20authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-725426%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F302270%22%20target%3D%22_blank%22%3E%40AndresCanello%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe're%20in%20the%20same%20boat%20as%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F193997%22%20target%3D%22_blank%22%3E%40Tonino%20Bruno%3C%2FA%3E%26nbsp%3B.%20We%20have%20MAC%20Outlook%202016%20users%20who%20are%20getting%20blocked%20when%20we%20apply%20the%20%22block%20legacy%20CA%20policy%22%20to%20them.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlso%2C%20when%20looking%20at%20the%20logs%20for%20all%20older%20office%20clients%2C%20it%20doesn't%20provide%20us%20any%20details%20on%20the%20app.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20exactly%20is%20this%20App%20ID%20-%26nbsp%3B%3CSPAN%3Ebfc44fc5-2fe3-4d02-98ec-1e5967475f68%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-736625%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Mailbag%3A%20Discovering%20and%20blocking%20legacy%20authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-736625%22%20slang%3D%22en-US%22%3E%3CP%3EWe're%20also%20experiencing%20a%20similar%20issue%20with%20what%20appear%20to%20be%20Office%202016%20users.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20intend%20to%20implement%20a%20Conditional%20Access%20rule%20to%20Block%20Legacy%20Auth%20but%20I'll%20have%20to%20make%20exception%20for%20the%20handful%20of%20old%20Office%202010%20clients%20that%20are%20authenticating%20to%20365%20until%20we%20can%20engineer%20them%20out.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHowever%2C%20I%20have%20quite%20a%20few%20(about%205%25)%20of%20users%20who%20are%20displaying%20a%20Legacy%20Authentication%20where%20the%20Application%20Name%20shows%20in%20the%20Sign-In%20Logs%20as%20%22Microsoft%20Office%202016%22%20or%20blank%20with%20%22%3CSPAN%3Ebfc44fc5-2fe3-4d02-98ec-1e5967475f68%22%20as%20the%20App%20ID!%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EAny%20clues%20as%20to%20why%20this%20is%20would%20be%20welcome.%20Currently%20I'm%20intending%20to%20implement%20the%20policy%20with%20all%20these%20in%20an%20exceptions%20group%20but%20strategically%20miss%20one%20or%20two%20out%20and%20see%20what%20the%20issue%20is%20when%20they%20report%20a%20problem...basically%20cutting%20the%20wire%20to%20see%20what%20goes%20off!!%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EIf%20I%20find%20anything%20I'll%20let%20you%20know.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3ERegards%2C%3C%2FP%3E%3CP%3EAndy%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-737284%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Mailbag%3A%20Discovering%20and%20blocking%20legacy%20authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-737284%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20having%20similar%20behavior%20to%20the%20people%20above%20me.%20We%20have%20been%20using%20Modern%20Auth%20with%20a%20Conditional%20Access%20Policy%20that%20integrates%20Duo%202FA.%20When%20enabling%20the%20preview%20policy%20to%20disable%20legacy%20auth%2C%20about%205%25%20of%20users%20are%20unable%20to%20authenticate%20through%20any%20Office365%20bundled%20applications%20(Teams%20works%20fine%2C%20Web%20works%20fine).%20I%20did%20troubleshooting%20with%20one%20user%20and%20even%20with%20a%20freshly%20installed%20Office%20365%20Pro%20Plus%20(used%20the%20cleanup%20tool%20to%20uninstall%20and%20then%20restart%20and%20reinstall)%20it%20still%20fails%20to%20authenticate.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20951px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F122120i57E2A08A2B4F1F52%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%221.png%22%20title%3D%221.png%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EBasic%20Info%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20248px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F122121i7C6124B300EA07A5%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%222.png%22%20title%3D%222.png%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EDevice%20Info%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F122122i9527E8D815D96450%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%223.png%22%20title%3D%223.png%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EConditional%20Access%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-746933%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Mailbag%3A%20Discovering%20and%20blocking%20legacy%20authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-746933%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F312945%22%20target%3D%22_blank%22%3E%40Kane316%3C%2FA%3EThe%20issue%20with%20the%20failing%20Office%202016%20on%20the%20Mac%20is%20likely%20due%20to%20the%20authentication%20profile%20which%20was%20not%20automatically%20converted%20from%20legacy%20to%20modern.%20To%20solve%20this%20you%20only%20need%20to%20re-add%20the%20account%20via%3C%2FP%3E%3COL%3E%3CLI%3EClick%20Outlook%20in%20the%20top%20ribbon%20and%20select%20Preferences%3C%2FLI%3E%3CLI%3EChoose%20Accounts%3C%2FLI%3E%3CLI%3EIn%20the%20bottom%20left%20click%20the%20%2B%20(plus)%20button%3C%2FLI%3E%3CLI%3ESelect%20New%20Account%3C%2FLI%3E%3CLI%3EEnter%20your%20email%20address%20and%20click%20continue%3C%2FLI%3E%3CLI%3EYou%20might%20be%20prompted%20for%20a%20password%2C%20once%20it%20had%20added%20the%20account%20click%20done%3C%2FLI%3E%3CLI%3ETo%20delete%20the%20old%20account%20select%20it%20from%20the%20accounts%20menu%20and%20click%20the%20-%20(minus)%20and%20click%20delete.%3C%2FLI%3E%3C%2FOL%3E%3CP%3E%3CSTRONG%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSTRONG%3E%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-748609%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Mailbag%3A%20Discovering%20and%20blocking%20legacy%20authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-748609%22%20slang%3D%22en-US%22%3E%3CP%3EAlso%20seeing%20other%2Folder%20office%20clients%20authenticating%20with%20Application%20ID%20bfc44fc5-2fe3-4d02-98ec-1e5967475f68.%20What%20is%20this%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-369725%22%20slang%3D%22en-US%22%3EAzure%20AD%20Mailbag%3A%20Discovering%20and%20blocking%20legacy%20authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-369725%22%20slang%3D%22en-US%22%3E%3CP%3EHey%20there%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20am%20Andres%20Canello%20from%20the%20Azure%20AD%20Get-to-Production%20team.%20I'm%20a%20long%20time%20Exchange%20guy%20now%20working%20on%20Identity.%20I%20am%20very%20passionate%20about%20helping%20customers%20prevent%20password-based%20attacks%20and%20it%20is%20a%20major%20topic%20of%20concern%20from%20customers.%20Legacy%20authentication%20is%20a%20key%20part%20of%20these%20conversations%20because%20these%20protocols%20and%20clients%20are%20commonly%20used%20to%20perform%20brute-force%20or%20password%20spray%20attacks.%20In%20this%20post%2C%20I%20will%20talk%20about%20the%20challenges%20with%20legacy%20authentication%20and%20how%20you%20can%20use%20Azure%20AD%20and%20Microsoft%20Exchange%20Online%20to%20get%20better%20access%20control.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EQ1%3A%20What%20is%20%22legacy%20authentication%22%20and%20what's%20wrong%20with%20it%3F%3CBR%20%2F%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EGenerally%20speaking%2C%20legacy%20authentication%20refers%20to%20protocols%20that%20use%20basic%20authentication%20(Basic%20Auth)%3B%20they%20only%20require%20a%20single%20factor%20authentication%20of%20username%20and%20password%20and%20typically%20cannot%20enforce%20a%20second%20factor%20as%20part%20of%20the%20authentication%20flow.%20On%20the%20other%20hand%2C%20modern%20authentication%20(Modern%20Auth)%20can%20require%20second%20factor%20authentication%2C%20usually%20the%20app%20or%20service%20will%20pop%20up%20a%20browser%20frame%20so%20the%20user%20can%20perform%20whatever%20is%20required%20as%20a%20second%20factor.%20This%20can%20be%20entering%20a%20one-time%20code%2C%20approving%20a%20push%20notification%20on%20the%20phone%2C%20or%20answering%20a%20phone%20call.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAnother%20key%20difference%20is%20that%20in%20a%20legacy%20authentication%20pattern%2C%20the%20client%20app%20or%20service%20collects%20credentials%20and%20then%20validates%20them%20against%20an%20authority.%20Essentially%2C%20the%20app%20or%20service%20is%20trusted%20to%20handle%20credentials%20in%20a%20secure%20way.%20In%20modern%20authentication%2C%20however%2C%20credentials%20are%20only%20provided%20to%20a%20trusted%20authority%20(i.e.%20a%20redirect%20to%20Azure%20AD%20or%20AD%20Federation%20Services)%20and%20after%20authentication%20a%20token%20is%20issued%20for%20the%20application%20or%20service%20to%20act%20on%20a%20user%E2%80%99s%20behalf.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EExamples%20of%20protocols%20that%20use%20legacy%20authentication%20are%20POP3%2C%20IMAP4%2C%20and%20SMTP.%20There%20are%20other%20protocols%20that%20use%20Basic%20Auth%20and%20Modern%20Auth%20such%20as%20MAPI%20and%20EWS.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESo%2C%20what's%20the%20problem%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESingle%20factor%20authentication%20is%20not%20enough%20these%20days%20to%20remain%20secure!%20Passwords%20are%20weak%20as%20they%20are%20easy%20to%20guess%20and%20we%20(humans)%20are%20bad%20at%20choosing%20strong%20passwords%3B%20we%20tend%20to%20just%20give%20them%20to%20attackers%20(i.e%20phishing).%20One%20of%20the%20easiest%20things%20that%20can%20be%20done%20to%20protect%20against%20password%20threats%20is%20implementing%20multi-factor%20authentication%20(MFA).%20So%20even%20if%20an%20attacker%20gets%20in%20possession%20of%20a%20user's%20password%2C%20the%20password%20alone%20is%20not%20enough%20to%20successfully%20authenticate%20and%20access%20data%20and%20resources.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EProtocols%20that%20use%20legacy%20authentication%2C%20especially%20the%20ones%20that%20are%20used%20to%20retrieve%20emails%20like%20POP3%2C%20IMAP%20and%20EWS%20are%20very%20popular%20ways%20to%20perform%20password%20brute-force%20and%20password%20spray%20attacks%20because%20if%20one%20of%20the%20username%20and%20password%20combinations%20is%20right%2C%20the%20attacker%20will%20typically%20get%20access%20to%20the%20user's%20emails.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EQ2%3A%20Ok%2C%20what%20do%20I%20do%20with%20these%20protocols%20then%3F%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EThe%20recommendation%20is%20to%20block%20legacy%20authentication%2C%20or%20if%20you%20have%20exceptions%20where%20you%20need%20to%20allow%20their%20use%2C%20apply%20some%20controls%20that%20only%20allow%20them%20for%20specific%20users%20and%20locations.%20Before%20you%20do%20that%2C%20and%20because%20I%20don't%20want%20you%20to%20get%20a%20thousand%20calls%20to%20your%20Help%20Desk%2C%20you%20should%20start%20by%20understanding%20their%20usage%20in%20your%20organization.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ELast%20year%2C%20we%20made%20a%20few%20improvements%20to%20the%20sign-in%20logs%20in%20Azure%20AD%2C%20so%20now%20you%20get%20events%20a%20lot%20quicker%20and%20you%20get%20more%20info%20for%20each%20event.%20Part%20of%20this%20info%20is%20the%20Client%20App%20property%2C%20where%20we%20tell%20you%20the%20protocol%2Fapp%20that%20was%20used%20to%20perform%20the%20sign-in.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20875px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F89230i35D351CE1EF711D1%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Mailbag1.png%22%20title%3D%22Mailbag1.png%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EHere%20is%20a%20snapshot%20from%20the%20Azure%20AD%20Portal%2C%20Sign-in%20logs%20with%20the%20added%20as%20a%20column%20and%20filter%20option.%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EThe%20first%20thing%20you%20need%20to%20do%20is%20to%20spend%20some%20time%20analyzing%20the%20logs%20to%20understand%20the%20usage%20of%20these%20clients%20and%20protocols%20across%20your%20organization.%20To%20do%20this%2C%20you%20might%20want%20to%20download%20the%20logs%20to%20be%20able%20to%20slice%20and%20dice%20them%20with%20Microsoft%20Excel%2C%20or%20even%20better%2C%20you%20might%20want%20to%20pull%20them%20into%20your%20security%20information%20and%20event%20management%20(SIEM)%20system%2C%20which%20might%20give%20you%20some%20more%20powerful%20data%20analysis%20capabilities%20and%20alerting.%20To%20understand%20how%20you%20can%20get%20the%20logs%20into%20your%20SIEM%2C%20you%20should%20have%20a%20look%20at%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FAzure-Active-Directory-Identity%2FAzure-AD-Mailbag-Return-Of-The-Mailbag-with-Azure-AD-Logs%2Fba-p%2F358499%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3Ethis%20post%3C%2FA%3E.%20Once%20you%20understand%20who%20is%20using%20what%2C%20you%20might%20need%20to%20upgrade%20clients%20to%20versions%20that%20support%20Modern%20Auth%20or%20convince%20people%20to%20stop%20using%20protocols%20like%20IMAP4%20and%20welcome%20them%20to%20this%20century.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EQ3%3A%20Alright%2C%20I'm%20ready%20to%20enforce%20some%20control%20here%2C%20how%20do%20I%20do%20it%3F%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EUntil%20last%20year%2C%20there%20were%20two%20ways%20of%20blocking%20legacy%20authentication%20in%20Azure%20AD%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EIn%20federated%20environments%20(i.e.%20using%20AD%20FS)%2C%20you%20could%20use%20claim%20rules%20to%20allow%20certain%20protocols%20and%20deny%20access%20to%20the%20rest.%20This%20gets%20messy%20when%20you%20need%20to%20start%20adding%20conditions%20and%20exceptions.%3C%2FLI%3E%0A%3CLI%3EEnforcing%20MFA%20per%20user%20will%20force%20users%20to%20use%20app%20passwords%20for%20legacy%20authentication%20protocols%2C%20however%2C%20if%20you%20disallow%20its%20use%2C%20you%20effectively%20block%20these%20protocols.%20The%20bad%20news%20here%20is%20that%20you%20can't%20apply%20any%20conditions%2C%20it's%20all%20or%20nothing.%20Also%2C%20enforcing%20MFA%20per%20user%20is%20not%20really%20the%20way%20we%20recommend%20doing%20it%20these%20days%20%E2%80%93%20conditional%20access%20gives%20you%20more%20flexibility.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3ELast%20year%2C%20we%20added%20the%20ability%20to%20block%20legacy%20authentication%20in%20conditional%20access%20and%20so%20we%20recommend%20you%20start%20here%20first.%20With%20conditional%20access%20you%20gain%20flexibility%20to%20support%20users%20or%20apps%20that%20still%20need%20to%20use%20protocols%20with%20legacy%20authentication%20and%20can%20block%20the%20rest.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20example%2C%20if%20you%20have%20an%20app%20supporting%20a%20business%20process%20that%20uses%20IMAP%20to%20retrieve%20email%20from%20an%20MS%20Exchange%20Online%20mailbox%2C%20you%20can%20use%20conditional%20access%20to%20allow%20that%20flow%20only%20for%20that%20user%20if%20the%20source%20IP%20is%20one%20of%20your%20IPs%2C%20and%20block%20every%20other%20attempt.%20%3CSPAN%3ERead%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconditional-access%2Fblock-legacy-authentication%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehow%20to%20use%20conditional%20access%20to%20block%20legacy%20authentication%3C%2FA%3E%20to%20learn%20more.%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20style%3D%22width%3A%20922px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F89231iD9F777DC1EBEDA0E%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22mailbag2.png%22%20title%3D%22mailbag2.png%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EHere%20is%20the%20new%20Client%20App%20condition%20that%20allows%20you%20to%20target%20Other%20Clients%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3ESomething%20that%20has%20created%20some%20confusion%20is%20that%20conditional%20access%20policies%20don't%20include%20legacy%20authentication%20clients%20by%20default%2C%20this%20means%20that%20if%20you%20have%20a%20conditional%20access%20policy%20enforcing%20MFA%20for%20all%20users%20and%20all%20cloud%20apps%2C%20it%20doesn't%20block%20legacy%20authentication%20clients%20(or%20%22Other%20clients%22%2C%20as%20the%20CA%20UI%20refers%20to%20them).%20Legacy%20authentication%20clients%20can%20still%20authenticate%20with%20only%20username%20and%20password.%20To%20block%20legacy%20authentication%2C%20just%20create%20a%20new%20policy.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAnother%20way%20to%20block%20legacy%20authentication%20is%20blocking%20it%20service-side%20or%20resource-side%20(versus%20at%20the%20authentication%20platform).%20We%20also%20recommend%20this%20approach%20if%20combined%20with%20an%20Azure%20AD%20Conditional%20Access%20policy.%20For%20example%2C%20in%20MS%20Exchange%20Online%2C%20you%20could%20disable%20POP3%20or%20IMAP%20for%20the%20user.%20The%20problem%20with%20this%20is%20that%20you%20don't%20want%20to%20block%20protocols%20that%20can%20do%20legacy%20and%20modern%20authentication%20(i.e%20EWS%2C%20MAPI)%20as%20you%20most%20likely%20still%20need%20them.%20To%20help%20with%20this%2C%20MS%20Exchange%20Online%20released%20a%20new%20feature%20called%20authentication%20policies%20which%20you%20can%20use%20to%20block%20legacy%20authentication%20per%20protocol%20for%20specific%20users%20or%20for%20the%20entire%20organization.%20I%20like%20this%20because%20with%20this%20approach%2C%20you%20are%20blocking%20the%20attempt%20to%20use%20the%20protocol%20at%20the%20very%20beginning%20meaning%20that%20attackers%20don%E2%80%99t%20even%20get%20to%20try%20to%20use%20passwords.%20The%20protocol%20connection%20is%20denied%20before%20checking%20the%20credentials%20against%20Azure%20AD%20or%20AD%20Federation%20Services%2C%20so%20the%20enforcement%20is%20done%20pre-authentication.%20Conditional%20access%20policies%20are%20evaluated%20after%20the%20user%20(or%20attacker)%20has%20authenticated%2C%20so%20the%20enforcement%20is%20done%20post-authentication.%20Read%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fclients-and-mobile-in-exchange-online%2Fdisable-basic-authentication-in-exchange-online%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EExchange%20Online%20Authentication%20Policies%20documentation%3C%2FA%3E%20for%20more%20info.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20any%20questions%20you%20can%20reach%20us%20at%20AskAzureADBlog%40microsoft.com%2C%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FAzure-Active-Directory%2Fct-p%2FAzureActiveDirectory%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3ETech%20Communities%3C%2FA%3E%20or%20on%20Twitter%20%3CA%20href%3D%22https%3A%2F%2Ftwitter.com%2FAzureAD%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%40AzureAD%3C%2FA%3E%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftwitter.com%2Fmarkmorow%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%40MarkMorow%3C%2FA%3E%26nbsp%3Band%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftwitter.com%2FAlex_A_Simons%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%40Alex_A_Simons%3C%2FA%3E.%20You%20can%20also%20ask%20questions%20in%20the%20comments%20of%20this%20post.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E-Andres%20Canello%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-369725%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23ffffff%3B%20color%3A%20%23333333%3B%20cursor%3A%20text%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3ELegacy%20authentication%20is%20a%20key%20part%20of%20our%20conversation%20in%20this%20week's%20Azure%20AD%20Mailbag%20series.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-369725%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECustomer%20Partner%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-783786%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Mailbag%3A%20Discovering%20and%20blocking%20legacy%20authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-783786%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20seeing%20this%20also.%26nbsp%3B%20(%3CSPAN%3EApplication%20ID%20bfc44fc5-2fe3-4d02-98ec-1e5967475f68).%3CBR%20%2F%3E%3CBR%20%2F%3EDo%20we%20need%20to%20open%20a%20case%20with%20MS%20or%20can%20we%20get%20an%20answer%20here%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-796350%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Mailbag%3A%20Discovering%20and%20blocking%20legacy%20authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-796350%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20all%2C%20thanks%20for%20your%20patience%20on%20this.%3C%2FP%3E%0A%3CP%3Ebfc44fc5-2fe3-4d02-98ec-1e5967475f68%20is%20indeed%20Exchange%20Online.%20We%20made%20a%20change%20recently%20so%20these%20sign%20ins%20show%20up%20as%20the%20Exchange%20Online%26nbsp%3B00000002-0000-0ff1-ce00-000000000000.%20I%20recommend%20looking%20at%20Exchange%20Online's%20logs%20to%20understand%20more%20about%20the%20protocols%20being%20used.%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F193997%22%20target%3D%22_blank%22%3E%40Tonino%20Bruno%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F312945%22%20target%3D%22_blank%22%3E%40Kane316%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F370562%22%20target%3D%22_blank%22%3E%40AndyPointon%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F202090%22%20target%3D%22_blank%22%3E%40Thomas%20Foster%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F72446%22%20target%3D%22_blank%22%3E%40Marc%20Laflamme%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F8130%22%20target%3D%22_blank%22%3E%40Kevin%20Fletcher%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-797326%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Mailbag%3A%20Discovering%20and%20blocking%20legacy%20authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-797326%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F302270%22%20target%3D%22_blank%22%3E%40AndresCanello%3C%2FA%3EThank%20you%20for%20the%20explanation%20however%20I'm%20still%20not%20fully%20understanding%20on%20how%20to%20resolve%20these%20connections.%20We%20only%20have%20one%20user%20(incidentally%20myself)%20that%20is%20showing%20successful%20connection%20to%20Office%20365%20Exchange%20Online%20using%20Other%20Clients%20%2F%20Older%20Office%20Clients.%20I%20don't%20have%20anything%20else%20getting%20mail%20on%20my%20system%20other%20than%20Outlook.%20The%20connection%20happens%20every%20day%20at%202%3A23am.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20don't%20know%20what%20you%20mean%20by%20checking%20Exchange%20Online's%20logs%20as%20there%20are%20various%20logs%20collected%20from%20EXO%20that%20are%20split%20throughout%20the%20M365%20Admin%20portal.%20According%20to%20the%20Email%20App%20Usage%20report%2C%20my%20account%20only%20uses%20Outlook%20Client%2C%20Mobile%2C%20and%20Web.%20What%20other%20logs%20would%20help%3F%20(The%20Exchange%20Admin%20Portal%20doesn't%20appear%20to%20have%20any%20logs)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EEach%20of%20these%20successful%20sign-ins%20on%20the%20Azure%20Sign-Ins%20report%20has%20a%20Correlation%20ID.%20Can%20I%20use%20that%20somehow%20to%20track%20what%20exactly%20is%20happening%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1023798%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Mailbag%3A%20Discovering%20and%20blocking%20legacy%20authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1023798%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F302270%22%20target%3D%22_blank%22%3E%40AndresCanello%3C%2FA%3E%20thanks%20for%20the%20article.%20Is%20it%20fair%20to%20say%20then%20that%20anything%20preceded%20with%20%22Other%22%20in%20the%20Client%20App%20portion%20of%20the%20sign%20in%20logs%20is%20considered%20basic%20authentication%3F%20Any%20other%20categories%20I%20should%20filter%20for%20when%20hunting%20this%20down%3F%20Thank%20you.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1029614%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Mailbag%3A%20Discovering%20and%20blocking%20legacy%20authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1029614%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F464298%22%20target%3D%22_blank%22%3E%40Mammoth77%3C%2FA%3E%20That%20is%20correct%2C%20log%20entries%20with%20%22Other%22%20are%20legacy%20authentication.%20ActiveSync%20is%20legacy%20auth%20as%20well%2C%20however%20it's%20treated%20as%20an%20special%20case%20because%20we%20can%20apply%20some%20other%20controls%20to%20it.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1030367%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Mailbag%3A%20Discovering%20and%20blocking%20legacy%20authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1030367%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F302270%22%20target%3D%22_blank%22%3E%40AndresCanello%3C%2FA%3E%26nbsp%3BThank%20you%20very%20much%20for%20the%20response.%20This%20is%20very%20helpful!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1053381%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Mailbag%3A%20Discovering%20and%20blocking%20legacy%20authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1053381%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F72446%22%20target%3D%22_blank%22%3E%40Marc%20Laflamme%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDid%20you%20ever%20have%20your%20concerns%20answered.%26nbsp%3B%20I%20would%20agree%20with%20what%20you%20are%20describing.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F302270%22%20target%3D%22_blank%22%3E%40AndresCanello%3C%2FA%3E%3C%2FP%3E%3CDIV%20class%3D%22lia-message-author-rank%20lia-component-author-rank%20lia-component-message-view-widget-author-rank%22%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1053459%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Mailbag%3A%20Discovering%20and%20blocking%20legacy%20authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1053459%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F8130%22%20target%3D%22_blank%22%3E%40Kevin%20Fletcher%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI've%20since%20reinstalled%20Windows%20on%20the%20offending%20workstation%20however%20I%20have%20not%20had%20a%20chance%20to%20re-evaluate%20the%20legacy%20connection%20report.%20I'll%20check%20it%20out%20and%20reply%20any%20findings.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

Hey there,

 

I am Andres Canello from the Azure AD Get-to-Production team. I'm a long time Exchange guy now working on Identity. I am very passionate about helping customers prevent password-based attacks and it is a major topic of concern from customers. Legacy authentication is a key part of these conversations because these protocols and clients are commonly used to perform brute-force or password spray attacks. In this post, I will talk about the challenges with legacy authentication and how you can use Azure AD and Microsoft Exchange Online to get better access control.

 

Q1: What is "legacy authentication" and what's wrong with it?

Generally speaking, legacy authentication refers to protocols that use basic authentication (Basic Auth); they only require a single factor authentication of username and password and typically cannot enforce a second factor as part of the authentication flow. On the other hand, modern authentication (Modern Auth) can require second factor authentication, usually the app or service will pop up a browser frame so the user can perform whatever is required as a second factor. This can be entering a one-time code, approving a push notification on the phone, or answering a phone call.

 

Another key difference is that in a legacy authentication pattern, the client app or service collects credentials and then validates them against an authority. Essentially, the app or service is trusted to handle credentials in a secure way. In modern authentication, however, credentials are only provided to a trusted authority (i.e. a redirect to Azure AD or AD Federation Services) and after authentication a token is issued for the application or service to act on a user’s behalf.

 

Examples of protocols that use legacy authentication are POP3, IMAP4, and SMTP. There are other protocols that use Basic Auth and Modern Auth such as MAPI and EWS.

 

So, what's the problem?

 

Single factor authentication is not enough these days to remain secure! Passwords are weak as they are easy to guess and we (humans) are bad at choosing strong passwords; we tend to just give them to attackers (i.e phishing). One of the easiest things that can be done to protect against password threats is implementing multi-factor authentication (MFA). So even if an attacker gets in possession of a user's password, the password alone is not enough to successfully authenticate and access data and resources.

 

Protocols that use legacy authentication, especially the ones that are used to retrieve emails like POP3, IMAP and EWS are very popular ways to perform password brute-force and password spray attacks because if one of the username and password combinations is right, the attacker will typically get access to the user's emails.

 

Q2: Ok, what do I do with these protocols then?

The recommendation is to block legacy authentication, or if you have exceptions where you need to allow their use, apply some controls that only allow them for specific users and locations. Before you do that, and because I don't want you to get a thousand calls to your Help Desk, you should start by understanding their usage in your organization.

 

Last year, we made a few improvements to the sign-in logs in Azure AD, so now you get events a lot quicker and you get more info for each event. Part of this info is the Client App property, where we tell you the protocol/app that was used to perform the sign-in. 

 

Mailbag1.pngHere is a snapshot from the Azure AD Portal, Sign-in logs with the added as a column and filter option.

The first thing you need to do is to spend some time analyzing the logs to understand the usage of these clients and protocols across your organization. To do this, you might want to download the logs to be able to slice and dice them with Microsoft Excel, or even better, you might want to pull them into your security information and event management (SIEM) system, which might give you some more powerful data analysis capabilities and alerting. To understand how you can get the logs into your SIEM, you should have a look at this post. Once you understand who is using what, you might need to upgrade clients to versions that support Modern Auth or convince people to stop using protocols like IMAP4 and welcome them to this century.

 

Q3: Alright, I'm ready to enforce some control here, how do I do it?

Until last year, there were two ways of blocking legacy authentication in Azure AD:

  • In federated environments (i.e. using AD FS), you could use claim rules to allow certain protocols and deny access to the rest. This gets messy when you need to start adding conditions and exceptions.
  • Enforcing MFA per user will force users to use app passwords for legacy authentication protocols, however, if you disallow its use, you effectively block these protocols. The bad news here is that you can't apply any conditions, it's all or nothing. Also, enforcing MFA per user is not really the way we recommend doing it these days – conditional access gives you more flexibility.

Last year, we added the ability to block legacy authentication in conditional access and so we recommend you start here first. With conditional access you gain flexibility to support users or apps that still need to use protocols with legacy authentication and can block the rest.

 

For example, if you have an app supporting a business process that uses IMAP to retrieve email from an MS Exchange Online mailbox, you can use conditional access to allow that flow only for that user if the source IP is one of your IPs, and block every other attempt. Read how to use conditional access to block legacy authentication to learn more.

 

 

mailbag2.pngHere is the new Client App condition that allows you to target Other Clients

Something that has created some confusion is that conditional access policies don't include legacy authentication clients by default, this means that if you have a conditional access policy enforcing MFA for all users and all cloud apps, it doesn't block legacy authentication clients (or "Other clients", as the CA UI refers to them). Legacy authentication clients can still authenticate with only username and password. To block legacy authentication, just create a new policy.

 

Another way to block legacy authentication is blocking it service-side or resource-side (versus at the authentication platform). We also recommend this approach if combined with an Azure AD Conditional Access policy. For example, in MS Exchange Online, you could disable POP3 or IMAP for the user. The problem with this is that you don't want to block protocols that can do legacy and modern authentication (i.e EWS, MAPI) as you most likely still need them. To help with this, MS Exchange Online released a new feature called authentication policies which you can use to block legacy authentication per protocol for specific users or for the entire organization. I like this because with this approach, you are blocking the attempt to use the protocol at the very beginning meaning that attackers don’t even get to try to use passwords. The protocol connection is denied before checking the credentials against Azure AD or AD Federation Services, so the enforcement is done pre-authentication. Conditional access policies are evaluated after the user (or attacker) has authenticated, so the enforcement is done post-authentication. Read the Exchange Online Authentication Policies documentation for more info.

 

For any questions you can reach us at AskAzureADBlog@microsoft.com, Tech Communities or on Twitter @AzureAD@MarkMorow and @Alex_A_Simons. You can also ask questions in the comments of this post.

 

-Andres Canello

28 Comments
Contributor

Relative to the approach described in your last paragraph, particularly "The protocol connection is denied before checking the credentials against Azure AD," is there any way to explain this ongoing mystery?  If the "attackers don’t even get to try to use passwords," why are lockouts still occurring?

https://github.com/MicrosoftDocs/OfficeDocs-Exchange/issues/339

Occasional Visitor

And for customers that don't have Azure AD premium? 

Senior Member

When federated with AD FS we find that the conditional access policy blocks the request after the WS-Trust authentication to AS FS so that lockouts are still a problem.  Mostly coming in as SMTP and IMAP requests through Exchange Online.  Even disabling these protocols on exchange online is evaluated after the authentication.  ADFS extranet lockout was the only thing that helped us out with that.  

Senior Member

We came up with a unique approach in our org. We don't use O365/AAD MFA, but rather Duo with a Conditional Access custom control. Due to this, we don't get app password capability, and legacy protocols are not inherently blocked.

 

What we do is that we've written our Conditional Access policies to only allow legacy protocols on our corporate network. Connections via legacy protocols from anywhere else get blocked. (And of course, our Duo custom control is enforced on users and Modern Auth aware clients)

 

IMAP/POP/ActiveSync are all disabled by default in Exchange Online. If someone needs IMAP access, we simply enable it on the mailbox, and let the user know that they must be on-site or on our VPN. (Which is also Duo-protected)

 

This lets us prevent unauthorized access via legacy protocols, but still let users cling to Thunderbird if they just really, really don't want to join the rest of us in the 21st century.

Microsoft

@Brian .  If you have blocked basic auth in EXO and allowed for some time for the policy to apply and still see unsuccessful sign ins for that user/protocol, send me an email at andres.canello@ms and I'll check for you. 

Microsoft

@Cyphel  We've heard that feedback and we are working on a solution.

 

@Loren Bain Conditional Access policies are evaluated/applied only after authentication (i.e.: after the attacker gets an opportunity to try passwords at your AD FS), same for disabling protocols at the mailbox level (set-casmailbox) and CAR (client access rules). This is why we recommend disabling basic auth with Authentication Policies, that way Exchange just ignores the auth request. I have put together the following slides to walk customers through an attack and what controls are applied and especially when in the auth flow. Check them out (we are looking into publishing these in our documentation) https://www.slideshare.net/AndresCanello/azure-ad-password-attacks-logging-and-protections

Microsoft

@ajc196  great, for the best protection, consider disabling Exchange protocols using Authentication Policies instead of set-casmailbox. Auth Policies let you do it per-mailbox, per-protocol and for the entire org as well. See my other comment about processing order in the auth flow.

Contributor

@AndresCanello Thanks for the offer. Yes, we disabled basic authentication across EXO for all users last November. It's the one and only authentication policy.

 

I do, see, however, in the latest AAD logs, that there hasn't been an IMAP "Account is locked because user tried to sign in too many times with an incorrect user ID or password" since March 3rd, so it's possible that it finally stopped.  It has died down before, but never for this long. So, unless you still want to take a look at things, maybe it's just best to sit tight for now and see if it truly has stopped.

Senior Member

Does this statement still apply today?

 

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/conditional-access-for-ex...

When a client app can use a legacy authentication protocol to access a cloud app, Azure AD cannot enforce a conditional access policy on this access attempt. To prevent a client app from bypassing the enforcement of policies, you should check whether it is possible to only enable modern authentication on the affected cloud apps.

 

Therefore in order for any type of conditional access policy to be evaluated the client must support modern authentication.... ?

New Contributor

@AndresCanello "We've heard that feedback and we are working on a solution."

Any updates on this?

Customers that don't have Azure AD premium still need to take care of this.

Thanks.

Microsoft

@Sean Stark Good pick up. That article contains old info and we are taking it down.

 

@anon_ We are working on it, stay tuned!

Contributor

Just in case it's overlooked, since it's only mentioned at the end of the article, this method doesn't require Premium:

https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authen...

Microsoft

@Brian .  We added the ability to block legacy authentication in conditional access and so we recommend you start here first.. You will require Azure AD P1 license to leverage conditional access witch will give you flexibility to support users or apps that still need to use protocols with legacy authentication and can block the rest. @AndresCanello  has suggested some other scenarios in the post that you may want to look based on your environment setup where you may not require Azure ADP

Occasional Visitor

Is it not possible to have a report that tells me all the legacy auth for a period of time? I've tried looking at the logs for 200,000 sign-ins a day and it's difficult to get the detail required. For example, Other clients; Older Office clients lists Microsoft Office 15.0, I assume that's not Legacy Auth? How about:

Android-Mail 2019.04.14
CalendarAgent 316.1
CalendarAgent 361.2
CalendarAgent 399.2
CalendarAgent 416.4
CalendarAgent 416.5
clview.exe
ExchangeWebServices 287.1
ExchangeWebServices 287.4
ExchangeWebServices 5.0
ExchangeWebServices 6.0
ExchangeWebServices 7.2
groove.exe
lync.exe
MacOutlook 0.0.0.150830
MacOutlook 14.5.9.151119
MacOutlook 14.6.0.151221
MacOutlook 14.7.2.170228
MacOutlook 14.7.3.170325
MacOutlook 14.7.7.170905
MacOutlook 15.30.0.170107
MacOutlook 15.31.0.170216
MacOutlook 15.33.0.170409
MacOutlook 16.10.0.180210
MacOutlook 16.16.9.190412
MacOutlook 16.20.0.181208
MacOutlook 16.24.0.190414
MacOutlook 16.25.0.190512
MacOutlook 16.8.0.171210
Microsoft Office 14.0
Microsoft Office 15.0
Microsoft Office 16.0
Python Requests 2.18
searchprotocolhost.exe
Senior Member

Hi,

 

I have extracted the "Other Clients" sign-in events for the past 30 days and have a few questions:

 

- "Other Clients; MAPI": We see a large amount of Office 2016 clients doing Legacy Auth which is odd as ADAL is supposed to be enabled by default? How can Outlook 2016 clients still do Legacy Auth?

 

- "Other Clients" & "Other Clients; Older Office Clients": There is no significant details to classify what has been attempted exactly? No Browser or OS info or ResourceDisplayName… we only have some different AppID which are unknown to us!

 

- Is there any documentation on these AppID, I checked on our tenant and they are unknown?

  • dcdaf69a-8ab6-4fea-9731-6c5a5d54d151
  • d176f6e7-38e5-40c9-8a78-3998aab820e7
  • a039b054-9847-48fb-824b-1c5b848953e0
  • 597cf567-d52d-4c00-aca6-b2126beb3fa1
  • 4e31c259-4969-4c6a-9e94-64c5c9536c29
  • bfc44fc5-2fe3-4d02-98ec-1e5967475f68
  • dcdaf69a-8ab6-4fea-9731-6c5a5d54d151

 

Many thanks for your help to get us to a legacy auth free world :)

 

Sincerely,

Tonino Bruno

New Contributor

@AndresCanello 

 

We're in the same boat as @Tonino Bruno . We have MAC Outlook 2016 users who are getting blocked when we apply the "block legacy CA policy" to them. 

 

Also, when looking at the logs for all older office clients, it doesn't provide us any details on the app. 

 

What exactly is this App ID - bfc44fc5-2fe3-4d02-98ec-1e5967475f68?

Occasional Visitor

We're also experiencing a similar issue with what appear to be Office 2016 users.

 

I intend to implement a Conditional Access rule to Block Legacy Auth but I'll have to make exception for the handful of old Office 2010 clients that are authenticating to 365 until we can engineer them out.

 

However, I have quite a few (about 5%) of users who are displaying a Legacy Authentication where the Application Name shows in the Sign-In Logs as "Microsoft Office 2016" or blank with "bfc44fc5-2fe3-4d02-98ec-1e5967475f68" as the App ID!

 

Any clues as to why this is would be welcome. Currently I'm intending to implement the policy with all these in an exceptions group but strategically miss one or two out and see what the issue is when they report a problem...basically cutting the wire to see what goes off!!

 

If I find anything I'll let you know.

Regards,

Andy

Regular Visitor

I'm having similar behavior to the people above me. We have been using Modern Auth with a Conditional Access Policy that integrates Duo 2FA. When enabling the preview policy to disable legacy auth, about 5% of users are unable to authenticate through any Office365 bundled applications (Teams works fine, Web works fine). I did troubleshooting with one user and even with a freshly installed Office 365 Pro Plus (used the cleanup tool to uninstall and then restart and reinstall) it still fails to authenticate.

 

1.pngBasic Info2.pngDevice Info3.pngConditional Access

Established Member

@Kane316The issue with the failing Office 2016 on the Mac is likely due to the authentication profile which was not automatically converted from legacy to modern. To solve this you only need to re-add the account via

  1. Click Outlook in the top ribbon and select Preferences
  2. Choose Accounts
  3. In the bottom left click the + (plus) button
  4. Select New Account
  5. Enter your email address and click continue
  6. You might be prompted for a password, once it had added the account click done
  7. To delete the old account select it from the accounts menu and click the - (minus) and click delete.

  

New Contributor

Also seeing other/older office clients authenticating with Application ID bfc44fc5-2fe3-4d02-98ec-1e5967475f68. What is this?

Senior Member

I'm seeing this also.  (Application ID bfc44fc5-2fe3-4d02-98ec-1e5967475f68).

Do we need to open a case with MS or can we get an answer here?

Microsoft

Hi all, thanks for your patience on this.

bfc44fc5-2fe3-4d02-98ec-1e5967475f68 is indeed Exchange Online. We made a change recently so these sign ins show up as the Exchange Online 00000002-0000-0ff1-ce00-000000000000. I recommend looking at Exchange Online's logs to understand more about the protocols being used.

@Tonino Bruno @Kane316 @AndyPointon @Thomas Foster @Marc Laflamme @Kevin Fletcher 

New Contributor

@AndresCanelloThank you for the explanation however I'm still not fully understanding on how to resolve these connections. We only have one user (incidentally myself) that is showing successful connection to Office 365 Exchange Online using Other Clients / Older Office Clients. I don't have anything else getting mail on my system other than Outlook. The connection happens every day at 2:23am.

 

I don't know what you mean by checking Exchange Online's logs as there are various logs collected from EXO that are split throughout the M365 Admin portal. According to the Email App Usage report, my account only uses Outlook Client, Mobile, and Web. What other logs would help? (The Exchange Admin Portal doesn't appear to have any logs)

 

Each of these successful sign-ins on the Azure Sign-Ins report has a Correlation ID. Can I use that somehow to track what exactly is happening?

Occasional Visitor

@AndresCanello thanks for the article. Is it fair to say then that anything preceded with "Other" in the Client App portion of the sign in logs is considered basic authentication? Any other categories I should filter for when hunting this down? Thank you.

Microsoft

@Mammoth77 That is correct, log entries with "Other" are legacy authentication. ActiveSync is legacy auth as well, however it's treated as an special case because we can apply some other controls to it.

Occasional Visitor

@AndresCanello Thank you very much for the response. This is very helpful!

Senior Member

@Marc Laflamme 

 

Did you ever have your concerns answered.  I would agree with what you are describing.

 

@AndresCanello

 
Occasional Contributor

@Kevin Fletcher 

I've since reinstalled Windows on the offending workstation however I have not had a chance to re-evaluate the legacy connection report. I'll check it out and reply any findings.