
Legacy authentication protocols in Exchange Online use a username and a password for client access requests, whereas modern authentication methods use token-based authentication. Some common examples of legacy protocols are IMAP, POP, and SMTP.

Learn more: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/clients-and-mobile-in-exchange-online

Microsoft will be slowly phasing out the use of legacy protocols: https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-february-2021-update/ba-p/2111904

The Center for Internet Security lists "Disabling Legacy Protocols" as one of their security benchmarks (https://www.cisecurity.org/cis-benchmarks/):

  • CIS: 4.8 (L2) Ensure basic authentication for Exchange Online is disabled (Scored)
  • Description: Basic authentication may allow users to access Exchange Online using legacy or unapproved email clients that do not support modern authentication mechanisms, such as multifactor authentication.
  • Rationale: Disabling basic authentication prevents use of legacy and unapproved email clients with weaker authentication mechanisms that would increase the risk of email account credential compromise.

You can manage the legacy protocols by following these steps: 

  1. Review your tool suite to see if any tools only support legacy protocols.
  2. If there are no exceptions, enable a Conditional Access policy that blocks legacy authentication across your organization. Enabling this policy prevents users from connecting with older versions of Office or ActiveSync, or with protocols such as IMAP, POP or SMTP.
  3. If there are exceptions, disable legacy protocols at the user level. Disabling at the user level lets you improve security while managing valid exceptions that keep users productive.
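The tenant-wide block in step 2, as an added example using the Microsoft Graph PowerShell SDK (this is not CoreView's code): it creates a Conditional Access policy that blocks the two client app types Azure AD uses for basic authentication, excludes a group holding the approved exceptions from step 3, and starts in report-only mode so the impact can be read from the sign-in logs before enforcement. The group id is a placeholder.

```powershell
# Added example, not part of the original page or of CoreView.
# Requires the Microsoft.Graph module and the Policy.ReadWrite.ConditionalAccess scope.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Placeholder: object id of the group that holds approved legacy-protocol exceptions.
$exceptionGroupId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName   = 'Block legacy authentication (report-only)'
    # Report-only evaluates the policy and logs the result without blocking anyone;
    # switch to 'enabled' once the sign-in logs show only expected matches.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($exceptionGroupId)
        }
        applications   = @{ includeApplications = @('All') }
        # 'exchangeActiveSync' and 'other' are the client app types that carry
        # basic authentication (IMAP, POP, SMTP AUTH, EWS, older Office builds).
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

When the report-only results look right, enforce it with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }`. Keeping at least one emergency-access account in an excluded group is a common practice so that a mis-scoped policy cannot lock administrators out.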

CoreView helps you to: 

  • See the legacy protocols enablement and usage
    • View user accounts with legacy protocols enabled

From the Users report, add the following columns: ActiveSync enabled, Owa enabled, Pop enabled, MAPI enabled, EWS enabled, SMTPClientAuthenticationDisabled.

    • Understand which enabled legacy protocols are in use

In the Exchange Reports section, go to the User by Connection Type report or the Exchange Email App Usage report and add the following columns to the report: Pop 30 or POP3 30, IMAP 30 or IMAP4 30, SMTP 30.

    • View Azure AD sign-ins with legacy protocols

Go to Audit > Azure AD Reports > Sign-in Events, then use the Client App Id column to filter by protocol.
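The same filtering done outside the console, as an added example (not CoreView's code): it takes sign-in events exported from Azure AD in the shape of the Graph signIns resource, keeps only those whose client app is one of the values Azure AD reports for legacy authentication, and summarises attempts and failures per user and protocol. The records are constructed sample data.

```powershell
# Added example, not part of the original page or of CoreView.
# Constructed sample sign-in records; real data comes from an Azure AD sign-in export
# or Get-MgAuditLogSignIn, which use the same property names.
$signIns = @'
[
  { "createdDateTime": "2021-05-03T08:12:00Z", "userPrincipalName": "alice@contoso.example",   "clientAppUsed": "Browser",                         "status": { "errorCode": 0 } },
  { "createdDateTime": "2021-05-03T08:15:00Z", "userPrincipalName": "bob@contoso.example",     "clientAppUsed": "IMAP4",                           "status": { "errorCode": 0 } },
  { "createdDateTime": "2021-05-03T08:20:00Z", "userPrincipalName": "bob@contoso.example",     "clientAppUsed": "IMAP4",                           "status": { "errorCode": 50126 } },
  { "createdDateTime": "2021-05-03T09:01:00Z", "userPrincipalName": "scanner@contoso.example", "clientAppUsed": "Authenticated SMTP",              "status": { "errorCode": 0 } },
  { "createdDateTime": "2021-05-03T09:30:00Z", "userPrincipalName": "carol@contoso.example",   "clientAppUsed": "Mobile Apps and Desktop clients", "status": { "errorCode": 0 } },
  { "createdDateTime": "2021-05-03T10:05:00Z", "userPrincipalName": "dave@contoso.example",    "clientAppUsed": "Exchange ActiveSync",             "status": { "errorCode": 0 } }
]
'@ | ConvertFrom-Json

# Client app values that Azure AD reports for basic (legacy) authentication.
# "Browser" and "Mobile Apps and Desktop clients" are the modern-auth values.
$legacyClientApps = @(
    'Exchange ActiveSync', 'IMAP4', 'POP3', 'Authenticated SMTP',
    'Exchange Web Services', 'Exchange Online PowerShell',
    'MAPI Over HTTP', 'Outlook Anywhere (RPC over HTTP)', 'Other clients'
)

$legacySignIns = $signIns | Where-Object { $legacyClientApps -contains $_.clientAppUsed }

# One row per user and protocol: attempt count, failed attempts (errorCode 0 is success;
# 50126 is an invalid username or password), and the most recent sign-in time.
$legacySignIns |
    Group-Object userPrincipalName, clientAppUsed |
    ForEach-Object {
        [pscustomobject]@{
            User     = $_.Group[0].userPrincipalName
            Protocol = $_.Group[0].clientAppUsed
            Attempts = $_.Count
            Failures = @($_.Group | Where-Object { $_.status.errorCode -ne 0 }).Count
            LastSeen = ($_.Group | Sort-Object createdDateTime | Select-Object -Last 1).createdDateTime
        }
    } |
    Sort-Object Attempts -Descending |
    Format-Table -AutoSize
```

Run against the sample data, the table lists bob (IMAP4, two attempts, one failure), scanner (Authenticated SMTP) and dave (Exchange ActiveSync); alice and carol are dropped as modern-auth sign-ins. Repeated failures on a legacy protocol for one account are worth a closer look, since basic authentication cannot be protected by MFA.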


  • Manage legacy protocols
    • Create a KPI to track legacy protocol enablement
      1. Go to User Reports > Users.
      2. Use Report Filters to select users that have legacy protocols enabled.
      3. Go to Actions > Save KPI.

    • Manage exceptions where legacy protocols are needed
      1. Open your saved KPI report.
      2. Analyze which legacy protocols are in use in the last 30 days.
      3. Select users with a valid exception.
      4. Click Actions > Manage exceptions.

    • Disable legacy protocols on users without an exception
      1. Select the users that need the legacy protocols disabled.
      2. Select Manage > Manage CAS.
      3. Complete the action.
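The user-level path (step 3 of the procedure above, the Users report columns, and this "Manage CAS" action) as an added example with Exchange Online PowerShell rather than the CoreView console (not CoreView's code): it reads the same per-mailbox client access settings the Users report exposes, counts the mailboxes that still have a basic-auth-capable protocol on, skips an approved exception list, and disables POP, IMAP, ActiveSync and SMTP AUTH on the rest. The exception addresses are placeholders.

```powershell
# Added example, not part of the original page or of CoreView.
# Requires the ExchangeOnlineManagement module and an Exchange administrator role.
Connect-ExchangeOnline

# Placeholder: mailboxes with a documented business need for a legacy protocol.
$exceptions = @('scanner@contoso.example', 'legacy-app@contoso.example')

# These are the same properties the CoreView Users report shows as columns.
$mailboxes = Get-CASMailbox -ResultSize Unlimited |
    Select-Object PrimarySmtpAddress, ActiveSyncEnabled, OWAEnabled, PopEnabled,
                  ImapEnabled, MAPIEnabled, EwsEnabled, SmtpClientAuthenticationDisabled

# A mailbox counts as legacy-enabled when POP, IMAP or ActiveSync is on, or when
# SMTP AUTH is not explicitly disabled. SmtpClientAuthenticationDisabled is $null
# when the mailbox inherits the tenant setting (see Get-TransportConfig), so $null
# is treated as "possibly enabled" here.
$legacyEnabled = $mailboxes | Where-Object {
    $_.PopEnabled -or $_.ImapEnabled -or $_.ActiveSyncEnabled -or
    (-not $_.SmtpClientAuthenticationDisabled)
}

"$(@($legacyEnabled).Count) of $(@($mailboxes).Count) mailboxes have legacy protocols enabled"

foreach ($mbx in $legacyEnabled) {
    if ($exceptions -contains $mbx.PrimarySmtpAddress) {
        "Skipping $($mbx.PrimarySmtpAddress): approved exception"
        continue
    }
    # -WhatIf prints what would change without changing it; remove it to enforce.
    Set-CASMailbox -Identity $mbx.PrimarySmtpAddress `
        -PopEnabled $false `
        -ImapEnabled $false `
        -ActiveSyncEnabled $false `
        -SmtpClientAuthenticationDisabled $true `
        -WhatIf
}
```

OWA, MAPI and EWS appear in the inventory but are left untouched in this example because current Outlook and Outlook on the web use them with modern authentication; the CoreView workflow below sets every protocol to No, which is the stricter choice for accounts that should have no mailbox client access at all.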

  • Automate legacy protocol management
    • Create a workflow to manage legacy protocols with operator approval
      1. Go to Manage > Workflow > Workflows.
      2. Create a new workflow.
      3. Add the manage protocol step: Office 365 > Mailbox > Manage CAS.
         - Use auto-mapping to set the user principal name.
         - Set all protocols to No.
      4. Add the approval step: CoreFlow > Manual > Owner/operator approval.
         - Draft an email to send to the user.
         - Add an option to approve the disablement of the protocols.
      5. Save and publish the workflow.
      6. Schedule it to run from your KPI report.