Background
In this blog series we will look at what Legacy Authentication is and how to improve our security posture by disabling it. There are quite a few guides like this out there already, but I hope this step-by-step guide will be a good complement and shed some light on how to get going. In part 1 we will look at which tools we have available to identify Legacy Authentication sign-ins.
Legacy Authentication means clients that sign in with basic authentication (a username and password sent with every request) over older protocols such as, but not limited to, POP3, IMAP, Authenticated SMTP and Exchange ActiveSync when connecting to our cloud apps (such as Exchange Online). These protocols have no way of presenting a second factor, so MFA cannot be enforced on them; a Conditional Access policy can target them, but only to block them outright. Until that is done, a leaked or guessed password is all an attacker needs.
As a step towards more secure sign-ins we should move to “Modern Authentication” (token-based sign-in through Azure AD, which supports MFA and Conditional Access) and disable legacy authentication. Before doing so we must consider our current Microsoft Office installations, since not all Office versions support modern auth; see the chart below.
Microsoft is planning to retire legacy authentication. The official retirement date has been postponed until further notice due to the COVID-19 pandemic, but we should all start planning for the retirement and what it means for us. Read more about the upcoming legacy authentication retirement here: Link
In my opinion the retirement cannot come soon enough, since legacy authentication is the channel used by almost all password spray and credential stuffing attacks. The figures below are from Microsoft's official documentation: Link
- More than 99 percent of password spray attacks use legacy authentication protocols
- More than 97 percent of credential stuffing attacks use legacy authentication
- Azure AD accounts in organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled
Microsoft Office version | Modern Authentication Support |
---|---|
2007 | No |
2010 | No |
2013 | Yes, but requires ADAL to be enabled |
2016 and above | Yes, enabled by default |
iOS, iPadOS and macOS must also be considered, as the native Mail app only supports modern auth from the OS versions listed below. If you are on an older version, I recommend using the “Microsoft Outlook” app instead, which supports modern auth.
Operating System | Modern Authentication Support |
---|---|
iOS | Yes, iOS 11 or later |
iPadOS | Yes, 13.1 or later |
macOS | Yes, 10.14 or later |
Identify Legacy Authentication Sign-ins
I recommend that you set up a Log Analytics workspace in Azure if you haven't already. That lets us export the Azure AD sign-in logs to the workspace, which is a prerequisite for “Conditional Access: Insights and Reporting”.
How to set up “Conditional Access: Insights and Reporting”
We will start by creating a Resource Group for our Log Analytics workspace, then create the workspace and configure Azure AD to send its audit and sign-in logs to it. An Azure subscription is required; this post does not cover setting one up, see this article if needed: Create an additional Azure subscription | Microsoft Docs
Exporting sign-in logs requires Azure AD Premium P1 or P2. A free trial can be used for evaluation.
- Log in to: https://portal.azure.com with admin privileges
- Navigate to: “Azure Active Directory” -> “Security” -> “Conditional Access” -> “Insights and Reporting“
- If you see a message saying that a Log Analytics workspace must be configured first, continue with the steps below. Otherwise skip ahead to the “Diagnostic settings” step
- From the “Portal Menu” click: “Resource groups“
- Click: “Add“
- Your active subscription will be pre-defined, change this if needed
- Set a Resource Group name. In this demo I will use “Demo-LogAnalytics-ResourceGroup“
- Choose a Region as per your need
- Click: “Review + create“
- Click: “Create“
- Navigate to: “Log Analytics workspaces”
- Click: “Add“
- Here we should use same “Subscription” as we used when we set up the “Resource Group”
- Resource Group: “Demo-LogAnalytics-ResourceGroup“
- Name: Choose a name as per your need. In this demo I will use: “Log-Analytics-Azure-audit-and-signin-logs“
- Set “Region” as per your need
- Click: “Review + Create“
- Click “Create“
- Wait a couple of minutes for the new Log Analytics Workspace to be deployed
- Navigate to: “Azure Active Directory” -> “Diagnostic settings”
- Click: “+ Add diagnostic setting“
- Diagnostic setting name: In this demo I will use “Demo – Send Azure AD Logs to LogAnalytics“
- Mark: “AuditLogs“
- Mark: “SignInLogs“
- Mark: “Send to Log Analytics workspace”
- Subscription and Log Analytics workspace: use the same subscription as for the Resource Group and select the workspace we just created (“Log-Analytics-Azure-audit-and-signin-logs”)
- Click: “Save”
- Wait about 60 minutes for the first audit and sign-in logs to arrive in the workspace
- Navigate to: “Azure Active Directory” -> “Security” -> “Conditional Access” -> “Insights and Reporting“
- You should now be able to view “Conditional Access: Insights and Reporting“
- I normally use “Insights and Reporting” to evaluate the outcome of a new Conditional Access policy (in report-only mode) and to track down any legacy authentication sign-ins. But there are other ways to do this; let's have a look at Workbooks!
Workbook: “Sign-ins using Legacy Authentication”
The Log Analytics workspace we just created benefits other things too. We can use the built-in Workbook called “Sign-ins using Legacy Authentication” to get a view of any legacy auth sign-ins and which client protocols and applications they come from.
- Navigate to: “Azure Active Directory” -> “Workbooks“
- Click: “Sign-ins using Legacy Authentication“
- Now let’s make sure the “Workbook” is using correct Log Analytics Workspace
- Click: “Edit” -> “Settings“
- Make sure that the Log Analytics workspace name matches the workspace we just created
- Close the “Settings” blade by clicking “Cancel” and navigate back to the “Workbook”
- As you can see, this “Workbook” is very helpful when you need to track down any legacy authentication sign-ins!
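To show what Insights and Reporting and the workbook above are actually filtering on, here is an added example (my own code, not from the original post and not Microsoft's workbook query) that classifies exported SigninLogs rows as legacy or modern by their ClientAppUsed value, summarises the legacy ones per user and client protocol, and flags the failed-legacy-sign-in pattern of a password spray. The equivalent KQL is generated from the same list so it can be pasted into the workspace. The SigninLogs column names are real; the list of legacy ClientAppUsed values follows Microsoft's Conditional Access documentation but is an assumption to check against the distinct values in your own workspace; the sample rows and contoso.example accounts are constructed.

```python
"""Classify Azure AD SigninLogs rows as legacy vs modern authentication.

Added example, not code from the original post. It reproduces offline the
filter behind the "Sign-ins using Legacy Authentication" workbook: a sign-in
is legacy when ClientAppUsed is one of the basic-auth client protocols.
Column names are the SigninLogs columns exported to Log Analytics. The legacy
list follows the ClientAppUsed values Microsoft's Conditional Access docs
treat as legacy (assumption: compare with `SigninLogs | distinct ClientAppUsed`).
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, Tuple

LEGACY_CLIENT_APPS = frozenset({
    "Authenticated SMTP", "Autodiscover", "Exchange ActiveSync",
    "Exchange Online PowerShell", "Exchange Web Services", "IMAP4",
    "MAPI Over HTTP", "Offline Address Book",
    "Outlook Anywhere (RPC over HTTP)", "Outlook Service", "POP3",
    "Reporting Web Services", "Other clients",
})
_LEGACY_LOWER = frozenset(app.lower() for app in LEGACY_CLIENT_APPS)

# The same filter as KQL (in~ is case-insensitive), to paste into the workspace.
LEGACY_AUTH_KQL = """
SigninLogs
| where TimeGenerated > ago(30d)
| where ClientAppUsed in~ (%s)
| summarize SignIns = count(), Users = dcount(UserPrincipalName)
    by ClientAppUsed, AppDisplayName, ResultType
| order by SignIns desc
""" % ", ".join('"%s"' % app for app in sorted(LEGACY_CLIENT_APPS))


def _rec(upn: str, app: str, result: str, ip: str) -> dict:
    """One SigninLogs-shaped row (constructed, not real tenant data)."""
    return {"UserPrincipalName": upn, "ClientAppUsed": app,
            "AppDisplayName": "Office 365 Exchange Online",
            "ResultType": result, "IPAddress": ip}


# Constructed sample: one IMAP user signing in twice, one ActiveSync device,
# two modern sign-ins, one CA-blocked legacy client and a spray from TEST-NET.
SAMPLE_SIGNINS = [
    _rec("alice@contoso.example", "Browser", "0", "198.51.100.10"),
    _rec("bob@contoso.example", "IMAP4", "0", "198.51.100.22"),
    _rec("bob@contoso.example", "IMAP4", "0", "198.51.100.22"),
    _rec("carol@contoso.example", "Exchange ActiveSync", "0", "198.51.100.23"),
    _rec("dave@contoso.example", "Mobile Apps and Desktop clients", "0", "198.51.100.24"),
    _rec("alice@contoso.example", "Authenticated SMTP", "50126", "203.0.113.7"),
    _rec("bob@contoso.example", "Authenticated SMTP", "50126", "203.0.113.7"),
    _rec("carol@contoso.example", "Authenticated SMTP", "50126", "203.0.113.7"),
    _rec("eve@contoso.example", "Other clients", "53003", "198.51.100.30"),
]


def is_legacy_auth(record: dict) -> bool:
    """True when the sign-in came through a legacy (basic auth) client protocol.
    Case-insensitive so exports with different casing still match."""
    app = (record.get("ClientAppUsed") or "").strip().lower()
    return app in _LEGACY_LOWER


def summarize_legacy(records: Iterable[dict]) -> dict:
    """Count legacy sign-ins overall, by outcome and by (user, client app).
    ResultType "0" is success in SigninLogs; anything else is an AADSTS error
    code (for example 50126 = invalid username or password)."""
    by_user_app: Dict[Tuple[str, str], int] = Counter()
    total = successful = 0
    for r in records:
        if not is_legacy_auth(r):
            continue
        total += 1
        if str(r.get("ResultType", "")) == "0":
            successful += 1
        by_user_app[(r["UserPrincipalName"], r["ClientAppUsed"])] += 1
    return {"total": total, "successful": successful,
            "failed": total - successful, "by_user_app": dict(by_user_app)}


def spray_candidates(records: Iterable[dict], min_users: int = 3) -> Dict[str, int]:
    """Source IPs with failed legacy sign-ins against at least min_users distinct
    accounts: the shape of a password spray, which per Microsoft's figures
    almost always rides on legacy protocols."""
    users_by_ip = defaultdict(set)
    for r in records:
        if is_legacy_auth(r) and str(r.get("ResultType", "")) != "0":
            users_by_ip[r["IPAddress"]].add(r["UserPrincipalName"])
    return {ip: len(u) for ip, u in users_by_ip.items() if len(u) >= min_users}


if __name__ == "__main__":
    s = summarize_legacy(SAMPLE_SIGNINS)
    print(f"legacy sign-ins: {s['total']} ({s['successful']} ok, {s['failed']} failed)")
    for (user, app), n in sorted(s["by_user_app"].items()):
        print(f"  {user:24} {app:22} {n}")
    for ip, n in spray_candidates(SAMPLE_SIGNINS).items():
        print(f"possible password spray from {ip}: {n} accounts")
```

Run it as a script to print the summary for the sample, or import summarize_legacy and feed it the rows exported from the workspace query (each row as a dict). Successful legacy sign-ins are the ones to chase first: they are real users, devices or service accounts that will break when legacy auth is blocked in part 2. The failed ones from a single address against many accounts are what the password-spray figure quoted above looks like in your own logs.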
In part 2 we will look at how to block legacy authentication by using “Conditional Access”.