Legacy authentication protocols (Basic Auth and the older POP, IMAP and SMTP clients that rely on it) bypass modern security controls. They don't support Multi-Factor Authentication (MFA), so a stolen or guessed password is all an attacker needs, making brute-force and credential-stuffing attacks far too easy. Leaving them on is like guarding your vault with a paperclip.
Go to Entra ID Admin Center.
Navigate: Security > Conditional Access.
Create a new policy:
Assignments: Target all users (exclude only emergency/break-glass accounts).
Cloud apps/actions: Select All cloud apps.
Conditions: Under Client apps, check Other clients (legacy protocols).
Access controls: Block access.
Enable and enforce the policy.
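The same policy can be created from Microsoft Graph PowerShell instead of the portal. This is an added example, not part of the original article: it assumes the Microsoft.Graph module is installed, the signed-in account can grant the Policy.ReadWrite.ConditionalAccess scope, and the break-glass object ID shown is a placeholder. It starts in report-only mode so the sign-in logs reveal which scripts and connectors would break before enforcement.

```powershell
# Added example: create a "Block legacy authentication" Conditional Access policy
# with Microsoft Graph PowerShell. Placeholder IDs must be replaced with your own.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Object ID(s) of the emergency/break-glass account(s) to exclude (placeholder value).
$breakGlassIds = @("00000000-0000-0000-0000-000000000000")

$policy = @{
    displayName = "Block legacy authentication"
    # Report-only first: sign-in logs will show what WOULD have been blocked,
    # which surfaces old service accounts and connectors before they break.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")          # Assignments: all users
            excludeUsers = $breakGlassIds    # ...except break-glass accounts
        }
        applications = @{
            includeApplications = @("All")   # Cloud apps: all cloud apps
        }
        # "other" is the portal's "Other clients" (legacy protocols such as
        # POP, IMAP and SMTP AUTH); "exchangeActiveSync" is the other legacy
        # client-app type, included here so that path is covered too.
        clientAppTypes = @("other", "exchangeActiveSync")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")         # Access controls: block access
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Once the report-only results are clean, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State "enabled"
```

Review the report-only results in the sign-in logs (Conditional Access tab) for a few days before switching the state to enabled.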
Blocking legacy auth isn’t always "set it and forget it":
Residual access: Some services may still accept legacy auth after the policy is enforced, so verify rather than assume.
Service accounts and scripts: Older apps and connectors often break if not updated.
Exclusions: One exception can undo the whole effort.
Audit sign-ins
Go to Entra ID > Sign-in logs.
Filter by Client app. Any “Legacy Authentication Client” entries need remediation.
Disable Basic Auth at service level
Use Authentication Policies (e.g., in Exchange Online) to block POP, IMAP, and SMTP AUTH.
Apply at both tenant and mailbox levels where applicable.
Modernize service accounts
Update scripts, connectors, and third-party apps to OAuth 2.0.
Replace or retire anything that can’t move forward.
Remove exclusions
Track every account excluded from the block policy.
Phase them out with clear deadlines.
Blocking legacy authentication is one of the simplest ways to harden your tenant. But the real defense comes from verifying that nothing and no one is sneaking through the cracks. Audit often, modernize stubborn apps, and eliminate exceptions until the old protocols are truly gone.