This blog post reviews one of the recommended actions provided by Microsoft 365 Defender Secure Score: enabling Conditional Access policies to block legacy authentication. Legacy authentication methods are often less secure than modern alternatives and can be a weak link in an organization's security chain. These older protocols, including SMTP, IMAP, and POP, do not support multi-factor authentication (MFA), which makes accounts that use them vulnerable to brute force and password spray attacks.
Note: The recommended action and remediation text below is reproduced as shown in the Microsoft 365 admin center (https://portal.microsoft.com) under Security \ Secure score \ Recommended actions, captured in a pristine baseline environment.
Rank 154: Enable Conditional Access policies to block legacy authentication
Microsoft Secure Score
Before mitigation / after mitigation: screenshots not reproduced
Secure Score improvement: +0.59%
General
Description
Today, most compromising sign-in attempts come from legacy authentication. Older office clients such as Office 2010 don’t support modern authentication and use legacy protocols such as IMAP, SMTP, and POP3. Legacy authentication does not support multifactor authentication (MFA). Even if an MFA policy is configured in your environment, bad actors can bypass these enforcements through legacy protocols.
Implementation status
You have 6 of 2159 users that don’t have legacy authentication blocked.
User impact
Users accessing apps that don’t support modern authentication will no longer be able to access them with this policy enabled.
Users affected
All of your Microsoft 365 users
Implementation
Prerequisites
You have Microsoft Entra ID Premium P2.
Next steps
- We provide step-by-step guidance to select and enable the right method to block legacy authentication for your organization in the Microsoft 365 admin center (part of the MFA wizard). Go to the Microsoft 365 MFA wizard
- If you would like to perform the implementation yourself, first check what Microsoft Entra ID license you have under “Prerequisites” in Microsoft Secure Score or see your license type under “Basic information” in the Microsoft Entra ID Overview.
- If you’ve invested in Microsoft Entra ID Premium P1 or P2 licenses, you can create a Conditional Access policy from scratch or by using a template. Follow these steps to create a Conditional Access policy from scratch or by using a template
- If you would like to perform the implementation yourself and you’re using Microsoft Entra ID Free, turn on security defaults. Note: Security defaults and Conditional Access can’t be used side by side. Enable security defaults
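As an added example (not part of the original post or of Microsoft's own guidance), the "from scratch" Conditional Access policy described in the steps above can be created with the Microsoft Graph PowerShell SDK. It is created in report-only mode first so that the sign-ins it would block can be reviewed in the sign-in log before enforcement; the break-glass account object ID is a placeholder you must replace.

```powershell
# Added example: create the "block legacy authentication" Conditional Access policy
# with the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns and
# Microsoft.Graph.Reports modules). Needs a Microsoft Entra ID P1/P2 license.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'AuditLog.Read.All', 'Directory.Read.All'

# Placeholder: object ID of an emergency-access (break-glass) account excluded from the policy.
$breakGlassAccountId = '<break-glass-account-object-id>'

$policy = @{
    displayName   = 'Block legacy authentication'
    # Report-only first: sign-ins are evaluated and logged but not blocked, so the
    # users still relying on IMAP/POP/SMTP (the "user impact" above) can be found.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        # "exchangeActiveSync" and "other" together cover the legacy protocols;
        # "browser" and "mobileAppsAndDesktopClients" are modern authentication.
        clientAppTypes = @('exchangeActiveSync', 'other')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassAccountId)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"

# Review which sign-ins would be blocked: legacy clients show up in the sign-in log
# with a ClientAppUsed value other than the two modern-authentication values.
$modernClients = @('Browser', 'Mobile Apps and Desktop clients')
Get-MgAuditLogSignIn -Top 1000 |
    Where-Object { $_.ClientAppUsed -notin $modernClients } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object Count, Name |
    Sort-Object Count -Descending

# After the report-only review, switch the policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = 'enabled' }
```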
Learn more
Block legacy authentication – Microsoft Entra ID | Microsoft Learn
Providing a default level of security in Microsoft Entra ID – Microsoft Entra | Microsoft Learn