How to disable legacy authentication in Microsoft Exchange to enable MFA

Microsoft recommends enabling multi-factor authentication for Office 365. To do so, you must also disable basic or legacy authentication on Microsoft Exchange Server.

Microsoft recently announced that 99.9% of the attacks on Office 365 credentials can be stopped by enabling multi-factor authentication (MFA). They should have made it clear that you need to take one more action and disable basic or legacy authentication.

Basic or legacy authentication is what most people use when they log into websites and networks: a username and a password. If someone cracks that, has harvested the hash value and can reuse it, or uses brute force and password spraying techniques to gain access, they are in. They often don’t even have to “crack” the password; they already have it. Most people reuse passwords, so once an attacker has breached a database, they can try that password on your server or other sites.

So, you need to turn off legacy authentication when implementing MFA. What are the consequences of that? Third-party tools that plug into your online applications might no longer work. This is honestly a good thing, because you need to demand that vendors stop using an old, insecure method to connect to your information. If they use legacy authentication, they are basically using IMAP, POP, SMTP and other older protocols to connect.

Ensure that you are using newer Outlook clients to connect to Office 365. Outlook 2010 is no longer supported to connect to Office 365, even though some still use it. If you disable legacy authentication, Outlook 2010 won’t be able to connect. The user impact plays out in various scenarios.
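The procedure the article describes, turning off basic authentication in Exchange Online while leaving one narrowly scoped exception for a vendor tool that can only send mail over SMTP AUTH, as an added PowerShell example that is not part of the article. It assumes the ExchangeOnlineManagement module, an account with Exchange administrator rights, and placeholder policy and mailbox names.

```powershell
# Added example, not from the article. Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account is an Exchange administrator.
# Policy names and "scanner@contoso.example" are placeholders.
Connect-ExchangeOnline -ShowBanner:$false

# 1. A policy created with no -AllowBasicAuth* switches blocks basic auth for
#    every protocol: IMAP, POP, SMTP AUTH, ActiveSync, MAPI, EWS, PowerShell...
$blockAll = New-AuthenticationPolicy -Name "Block Basic Auth"

# 2. Make it the tenant default so every user without an explicit policy gets
#    it. Modern-auth (OAuth) clients such as current Outlook are unaffected.
Set-OrganizationConfig -DefaultAuthenticationPolicy $blockAll.Name

# 3. Exception for a legacy device that can only submit mail via SMTP AUTH:
#    allow exactly that one protocol and assign the policy to one account only.
$smtpOnly = New-AuthenticationPolicy -Name "Allow SMTP AUTH only" -AllowBasicAuthSmtp
Set-User -Identity "scanner@contoso.example" -AuthenticationPolicy $smtpOnly.Name

# 4. Policy changes can take up to 24 hours to apply; invalidating a user's
#    existing refresh tokens makes the new policy take effect immediately.
Set-User -Identity "scanner@contoso.example" -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)

# 5. Audit: for each policy, list which basic-auth protocols it still permits,
#    so nothing beyond the documented exceptions is left open.
Get-AuthenticationPolicy | ForEach-Object {
    $open = $_.PSObject.Properties |
        Where-Object { $_.Name -like 'AllowBasicAuth*' -and $_.Value -eq $true } |
        ForEach-Object { $_.Name -replace '^AllowBasicAuth', '' }
    [pscustomobject]@{
        Policy      = $_.Name
        BasicAuthOn = if ($open) { $open -join ', ' } else { '(none)' }
    }
} | Format-Table -AutoSize

# 6. Users explicitly assigned a policy, i.e. the exceptions to the default.
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy } |
    Select-Object UserPrincipalName, AuthenticationPolicy
```

Run step 5 again after the 24-hour window and whenever a vendor exception is retired, so the list of permitted basic-auth protocols only ever shrinks.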
