Find out who is using legacy authentication methods in your organization

  • Writer: Vlad Johansen
  • Oct 24, 2024
  • 2 min read

Updated: Mar 4

Today's blog post is about legacy authentication protocols such as POP, IMAP, SMTP and others.

These methods are not secure, and attackers can gain access easily. It's important to check whether your organization has accounts that are still using these old methods, and to take action.


There is a very easy method to check this.


Go to entra.microsoft.com and go to Users --> All Users --> Sign-in logs


  1. Press Date and choose: Last 1 month (because Entra ID only lets us see sign-in logs for the last 30 days)

  2. Press Columns, choose Client App and press Save

  3. Now press Add filters, choose Client App again and press Apply

  4. Press the Client app filter again, choose all the legacy authentication methods and press Apply


    It should look like this:

    [Screenshot: sign-in logs filtered on the legacy authentication client apps]

Now wait and see whether you get any results.


You can also save your results as .csv or .json by pressing the Download button.


Check the non-interactive user sign-ins as well; they are shown on a separate tab and are easy to forget.
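The same check can be scripted, which is handy when you want to repeat it every month or feed the result into a ticket. The block below is an added example, not code from the original post: it pulls the legacy-authentication sign-ins of the last 30 days from the Microsoft Graph sign-in log, covering both the interactive and the non-interactive sign-ins, and summarises them per user and protocol. It assumes the Microsoft.Graph.Authentication module is installed and that the `signInEventTypes` filter (needed to reach non-interactive sign-ins) is only available on the beta endpoint, which is why that endpoint is used; the list of client app names is the group the portal calls "Legacy Authentication Clients".

```powershell
# Added example (not code from the original post): list legacy-authentication
# sign-ins for the last 30 days via Microsoft Graph, including the non-interactive
# sign-ins the portal shows on a separate tab, and summarise them per user.
# Needs the Microsoft.Graph.Authentication module.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

# Client app names that the portal groups under "Legacy Authentication Clients".
$legacyClientApps = @(
    "Authenticated SMTP", "AutoDiscover", "Exchange ActiveSync",
    "Exchange Online PowerShell", "Exchange Web Services", "IMAP4",
    "MAPI Over HTTP", "Offline Address Book", "Other clients",
    "Outlook Anywhere (RPC over HTTP)", "Outlook Service", "POP3",
    "Reporting Web Services"
)

# Ask for everything the log still holds (at most 30 days).
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")

# Assumption: the signInEventTypes filter that selects non-interactive sign-ins
# is only exposed on the beta endpoint, so the beta endpoint is used here.
$results = foreach ($eventType in @("interactiveUser", "nonInteractiveUser")) {
    foreach ($app in $legacyClientApps) {
        $filter = "createdDateTime ge $since and clientAppUsed eq '$app' " +
                  "and signInEventTypes/any(t: t eq '$eventType')"
        $uri = "https://graph.microsoft.com/beta/auditLogs/signIns?`$filter=" +
               [uri]::EscapeDataString($filter)
        # Follow @odata.nextLink until the last page has been read.
        while ($uri) {
            $page = Invoke-MgGraphRequest -Method GET -Uri $uri
            foreach ($s in $page.value) {
                [pscustomobject]@{
                    EventType = $eventType
                    User      = $s.userPrincipalName
                    ClientApp = $s.clientAppUsed
                    When      = $s.createdDateTime
                    Succeeded = ($s.status.errorCode -eq 0)
                    IPAddress = $s.ipAddress
                }
            }
            $uri = $page.'@odata.nextLink'
        }
    }
}

# One row per user and protocol: how many attempts, how many succeeded, last seen.
# Successful legacy sign-ins are the ones that matter for the CA exclusion list.
$summary = $results | Group-Object User, ClientApp | ForEach-Object {
    [pscustomobject]@{
        User       = $_.Group[0].User
        ClientApp  = $_.Group[0].ClientApp
        SignIns    = $_.Count
        Successful = @($_.Group | Where-Object Succeeded).Count
        LastSeen   = ($_.Group.When | Sort-Object -Descending | Select-Object -First 1)
    }
} | Sort-Object Successful, SignIns -Descending

$summary | Format-Table -AutoSize

# Same data as the portal's Download button, for the ticket or the exclusion list.
$results | Export-Csv -Path .\legacy-auth-signins.csv -NoTypeInformation
```

Failed attempts against POP3, IMAP4 or Authenticated SMTP from addresses you don't recognise are worth a look too: they show which accounts are being tried, even when nobody in the organization uses those protocols any more. On a tenant without a P1 or P2 license the sign-in log is kept for fewer days, so the query simply returns a shorter window.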


Now, if your organization doesn't have any legacy sign-ins, you need to ensure that you have a Conditional Access policy that blocks these methods. Remember that you need at least an Entra ID P1 license to use Conditional Access.


Here is a ready policy that you can import with this method https://www.need4.cloud/post/how-to-bulk-export-and-import-conditional-access-policies and use for this purpose



This policy is scoped to all users, so remember to exclude the users who are still using legacy auth from this policy, and from your MFA policy as well. Always ensure that these users have very strong passwords, or, even better, upgrade these legacy clients ASAP!


If your tenant doesn't have an Entra ID P1 license, which includes Conditional Access, don't worry. There is another way!
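If you prefer to create the policy from a script rather than import a file, the block below is an added example (not the post's own policy file) that builds a policy with the same intent using the Microsoft Graph PowerShell SDK: all users, all cloud apps, client app types "Exchange ActiveSync" and "Other clients", grant control "Block". It is created in report-only mode first, so the sign-in log shows who would have been blocked before anything is enforced. It assumes the Microsoft.Graph.Identity.SignIns module is installed, and the excluded user ID is a placeholder you replace with the object IDs of your legacy-auth users and break-glass accounts.

```powershell
# Added example (not the post's own policy file): create a "block legacy
# authentication" Conditional Access policy in report-only mode with the
# Microsoft Graph PowerShell SDK. Needs the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All" -NoWelcome

# Placeholder: object IDs of the accounts to exclude (the legacy-auth users found
# in the sign-in log and the break-glass accounts). Replace before running.
$excludedUserIds = @("00000000-0000-0000-0000-000000000000")

$policy = @{
    displayName = "Block legacy authentication (report-only)"
    # Change to "enabled" once the report-only results contain no surprises.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeUsers = $excludedUserIds }
        applications = @{ includeApplications = @("All") }
        # exchangeActiveSync + other = the clients that cannot do modern authentication.
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Read the policy back and confirm the client app condition was stored as intended.
$stored = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$stored.Conditions.ClientAppTypes
```

Leave the policy in report-only mode for a few days and look at the "Report-only" tab of the sign-in log entries: every legacy sign-in that would have been blocked shows up there, so you can compare it against the list of users you excluded before flipping the state to "enabled".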


Method 1


Security defaults in Entra


Go to Overview -> Properties in entra.microsoft.com and ensure that Security defaults is ON.

By default, this setting should be ON on every tenant with an Entra ID Free license.


If not, there is another way to achieve this goal.


Method 2


  1. Go to admin.microsoft.com and press Settings --> Org settings

  2. Under Services, find Modern authentication

  3. Uncheck Authenticated SMTP and press Save


[Screenshot: Modern authentication settings with Authenticated SMTP unchecked]

Method 2 is recommended together with the Conditional Access policy, because a Conditional Access policy takes effect after a successful authentication, NOT BEFORE. Attackers are still stopped from accessing the mailbox, but they then know they hold a valid username and password. Don't forget zero-day vulnerabilities here either; we cannot rely on just one method, we need multiple layers of security :)


Happy hunting and stay secure!
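The same switch can be flipped from Exchange Online PowerShell, which also lets you catch something the admin center checkbox hides: the per-mailbox setting that overrides the tenant-wide one. The block below is an added example, not code from the original post. It assumes the ExchangeOnlineManagement module is installed and the account has an Exchange administrator role; it turns off SMTP AUTH for the tenant, lists the mailboxes that re-enable it for themselves, and then turns off POP and IMAP on the mailboxes that still have them on, since those two protocols are not covered by the SMTP AUTH switch.

```powershell
# Added example (not code from the original post): Method 2 from Exchange Online
# PowerShell, plus the per-mailbox checks the admin center checkbox does not show.
# Needs the ExchangeOnlineManagement module and an Exchange administrator role.
Connect-ExchangeOnline -ShowBanner:$false

# Tenant-wide switch, equivalent to unchecking "Authenticated SMTP" in Org settings.
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# Per-mailbox value: $null inherits the tenant setting, $false re-enables SMTP AUTH
# for that mailbox no matter what the tenant says. These overrides are the mailboxes
# where the tenant-wide switch does nothing, so list them explicitly.
$allCas = Get-CASMailbox -ResultSize Unlimited
$smtpOverrides = $allCas | Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false }
"Mailboxes that override the tenant-wide SMTP AUTH setting:"
$smtpOverrides | Select-Object Identity, PrimarySmtpAddress, SmtpClientAuthenticationDisabled |
    Format-Table -AutoSize

# POP3 and IMAP4 are separate per-mailbox settings. Show who still has them on,
# then disable both; anyone with a genuine need gets re-enabled individually.
$popImap = $allCas | Where-Object { $_.PopEnabled -or $_.ImapEnabled }
"Mailboxes with POP or IMAP enabled:"
$popImap | Select-Object Identity, PopEnabled, ImapEnabled | Format-Table -AutoSize
$popImap | Set-CASMailbox -PopEnabled $false -ImapEnabled $false

Disconnect-ExchangeOnline -Confirm:$false
```

Run the listing parts first and the `Set-CASMailbox` line only after you have compared the POP/IMAP list with the users you found in the sign-in log; a scanner or a line-of-business application that still sends through SMTP AUTH should get its own mailbox with the override set deliberately, rather than the whole tenant being left open.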






© 2024-2025 need4.cloud
