MFA is being discontinued?

We are new to AD Azure. We currently have a local AD server just for an ERP system that syncs to AD Azure. All accounts are maintained in AD Azure. We have already enforced MFA for 100 employees using the method from AD Azure > Users > Multi-Factor Authentication. We enable the user, then set up with the user and their phone.

From a different issue, the Azure support agent just told me that we're using a "legacy" way of authenticating, that it was his "preferred way" but that it's "less secure than modern authentication", we're "more at risk" and that Microsoft was supposed to stop support for it in October (news to me and I get all the emails).  He said this is now going to end April 2021.  Now panic mode as we just implemented it.

He had me go into our tenant settings > Org > Modern Authentication and it is enabled but he said we're not using it.

Can someone please help out a newbie here? Do we have to scrap this entirely and go with a different way to authenticate? We want to be secure but don't understand why we're allowed to set up something that was supposed to be removed and is not that secure. We do not have Premium or E licenses.

How else are we to secure our email accounts without doing MFA from Azure?

6 Replies

@luvsql My 1st question would be: what is your current license for your tenant? Are you on P1? Perhaps consider upgrading to P1, as with this you can utilize a fairly advanced method of securing your users; things like conditional access policies and a much stricter, customizable MFA will be available to you.
Yes, modern auth should be used as this ensures that legacy auth methods (SMTP, POP) are not being utilized and exposing your tenant/environment.

"For tenants created before August 1, 2017, modern authentication is turned off by default for Exchange Online and Skype for Business Online." I think this might explain why your ORG is currently using a deprecated auth method.

As per MSFT article "https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-mo..."

You can enable security defaults, but then again the MFA method in that option isn't as granular as having a P2, P1, or E3 and E3 licenses. Consider going through the MSFT docs for the different options and how they can best benefit your ORG.

Check this article out, outlining their roadmap: "https://developer.microsoft.com/en-us/office/blogs/end-of-support-for-basic-authentication-access-to..."


@luvsql 

MFA is not being discontinued, legacy authentication is being killed off.  And it was a silent thing in my opinion as well, as my tenant is much older than 2017 but we don't use much M365 stuff, mostly just for office.  Most apps use modern authentication anyways, and yes, you need some form of MFA for it.

To see your sign-in details for sign-ins using legacy authentication, use the reporting under the Azure sign-in. I have premium licenses so I can use Conditional Access to block my legacy auth and ensure modern auth. I'm sure there is another way, but conditional access is also really beneficial to help protect from phishing of passwords and token theft.

Read more here: Blocking legacy authentication protocols in Azure AD | Microsoft Docs
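
An added example, not part of the reply above and not Microsoft tooling: one way to review a sign-in log export for the legacy-authentication sign-ins the reply mentions, and to list who would need reconfiguring before legacy auth is blocked. It assumes a JSON export with the Graph `signIn` fields `userPrincipalName`, `clientAppUsed` and `status.errorCode`; the sample records and the rule that anything other than the two modern client app values is legacy are assumptions made for this example.

```python
import json
from collections import defaultdict

# Assumption: these two clientAppUsed values mean modern authentication;
# any other value (Exchange ActiveSync, IMAP4, POP3, ...) is counted as legacy.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample export (not real data).
SAMPLE_EXPORT = json.dumps([
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 0}},
    {"userPrincipalName": "Alice@example.com", "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4", "status": {"errorCode": 50126}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "Browser", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}},
])


def legacy_auth_summary(export_json):
    """Return {user: {client_app: {"success": n, "failure": n}}} for legacy sign-ins."""
    summary = defaultdict(lambda: defaultdict(lambda: {"success": 0, "failure": 0}))
    for rec in json.loads(export_json):
        app = (rec.get("clientAppUsed") or "").strip()
        if not app or app in MODERN_CLIENT_APPS:
            continue  # modern auth, or no client app recorded
        user = (rec.get("userPrincipalName") or "unknown").lower()
        succeeded = (rec.get("status") or {}).get("errorCode") == 0
        summary[user][app]["success" if succeeded else "failure"] += 1
    return {user: dict(apps) for user, apps in summary.items()}


def users_relying_on_legacy(summary):
    """Users with a successful legacy sign-in: their client stops working once legacy auth is blocked."""
    return sorted(u for u, apps in summary.items()
                  if any(c["success"] for c in apps.values()))


if __name__ == "__main__":
    report = legacy_auth_summary(SAMPLE_EXPORT)
    for user in sorted(report):
        for app, counts in sorted(report[user].items()):
            print(f"{user:22} {app:22} ok={counts['success']} failed={counts['failure']}")
    print("reconfigure before blocking:", users_relying_on_legacy(report))
```

Users that appear with failures only have no working legacy client, so blocking legacy authentication does not interrupt them.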

@meggerz I checked Azure and the only legacy client app is "Exchange ActiveSync", which is required to be used on all Samsung and iPhones in order to get contacts and calendars sync'd to the native apps (if you use the Outlook mobile app, the contacts only show in that app and not the phone's native app).

I assume Microsoft will have a solution for this if they kill off ActiveSync?

@luvsql 

I'm sure there is a solution.  Calendar and contact syncing to your native apps can be heavily controlled by your MDM, so that could be interfering.

If you do not use an MDM, I would suggest enabling and enforcing MFA for an account. Blow away all of your ActiveSync profiles (Outlook contacts, calendar - these are all 3 separate entities by the sounds of it), and then reconfigure your profile with modern authentication. You should be able to sync your calendar and contacts through to the native apps - there is an option in the Outlook profile that you need to enable for it.

That being said, I am using InTune and Android Enterprise with the corporate owned devices and work profiles (COPE) on our Samsung devices. We are seeing a lot of weird behaviour\bugs with the native calendar and contacts being used when the mail profile is configured through Outlook, including things like the option to sync the calendar not being there if we set up the Outlook profile the first time we launch the app. If we open the app, close it, and then open it again and set up the Outlook profile, the contacts and calendars sync properly. Don't forget to look to ensure the sync calendar and sync contacts is an option within the profile, as it isn't on by default. Again, a lot of these bugs are likely due to the MDM, not Outlook itself. We're still trying to sort it out ourselves.

I still stress that conditional access is also really important to look into if your license allows.

@meggerz We do use MFA and enforce it on all accounts hence why I was concerned it was being "discontinued." What was happening is when you add the Outlook app then remove the ActiveSync account, all contacts get lost because they are either just on the phone and not syncing or other issues.

We do not use any MDM solution because even Microsoft's InTune and Blackberry will NOT allow us to unlock any Android phones or change their PINs/Google accounts, so even though all are corporately owned devices, we have zero control over that unless we do full wipes and make them work-only phones (which we will NOT do). We are not a government, and having to have fully controlled devices just to use these features is absurd.

So basically an employee quits and we have to pay Google $85 to unlock their Google account. Ridiculous.