Blocking Legacy Authentication
For Multifactor Authentication (MFA) to be effective, we need to block legacy authentication methods, like POP, SMTP, IMAP, and MAPI, as these cannot enforce MFA, making them easy targets for hackers.
Built-in / native mail apps (images below) on phones and PCs use this type of legacy authentication, so we have taken the decision to block them from use from now on.
What does this mean for you?
As these native mail apps can no longer be used, we recommend you download the official Outlook mail app from the relevant app store. This requires MFA and Intune to be installed, helping our data remain secure. Please see this linked solution about installing using Microsoft Apps on a personal / Trust device.
Or you can just go straight to www.outlook.com on your phone browser to access your MKUH email.
The technical bit 🙄- sorry!
If we look at the stats, the numbers on legacy authentication from an analysis of Azure Active Directory (Azure AD) traffic are stark:
- More than 99 percent of password spray attacks use legacy authentication protocols
- More than 97 percent of credential stuffing attacks use legacy authentication
- Azure AD accounts in organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled
Messaging protocols that support legacy authentication (again this is a bit techie, so you might want to look away)
The following messaging protocols support legacy authentication:
- Authenticated SMTP - Used to send authenticated email messages.
- Autodiscover - Used by Outlook and EAS clients to find and connect to mailboxes in Exchange Online.
- Exchange ActiveSync (EAS) - Used to connect to mailboxes in Exchange Online.
- Exchange Online PowerShell - Used to connect to Exchange Online with remote PowerShell. If you block Basic authentication for Exchange Online PowerShell, you need to use the Exchange Online PowerShell Module to connect. For instructions, see Connect to Exchange Online PowerShell using multifactor authentication.
- Exchange Web Services (EWS) - A programming interface that's used by Outlook, Outlook for Mac, and third-party apps.
- IMAP4 - Used by IMAP email clients.
- MAPI over HTTP (MAPI/HTTP) - Primary mailbox access protocol used by Outlook 2010 SP2 and later.
- Offline Address Book (OAB) - A copy of address list collections that are downloaded and used by Outlook.
- Outlook Anywhere (RPC over HTTP) - Legacy mailbox access protocol supported by all current Outlook versions.
- POP3 - Used by POP email clients.
- Reporting Web Services - Used to retrieve report data in Exchange Online.
- Universal Outlook - Used by the Mail and Calendar app for Windows 10.
- Other clients - Other protocols identified as utilizing legacy authentication.
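The protocol names in the list above are the same values that Azure AD sign-in logs record in the "Client app" field for legacy authentication. Before (or after) a block is enforced, it is useful to run through exported sign-in records and see which accounts are still using these protocols successfully and which protocols are only attracting failed attempts. The script below is an added example written for this article, not code from MKUH or Microsoft; the record shape (`clientAppUsed`, `userPrincipalName`, `appDisplayName`, `status.errorCode`) follows Microsoft Graph sign-in objects, and the sample records are constructed for the example.

```python
import json
from collections import Counter, defaultdict

# Client app names that Azure AD sign-in logs use for legacy-authentication
# protocols (the list in this article). Anything else is treated as modern auth.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP",
    "Autodiscover",
    "Exchange ActiveSync",
    "Exchange Online PowerShell",
    "Exchange Web Services",
    "IMAP4",
    "MAPI Over HTTP",
    "Offline Address Book",
    "Outlook Anywhere (RPC over HTTP)",
    "POP3",
    "Reporting Web Services",
    "Universal Outlook",
    "Other clients",
}

# Constructed sample sign-in records in the shape of Microsoft Graph signIn
# objects (field names assumed from Graph; users and timestamps are made up).
SAMPLE_SIGNINS = json.loads("""
[
 {"createdDateTime": "2023-03-01T08:02:11Z", "userPrincipalName": "alice@example.org",
  "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4",
  "status": {"errorCode": 0}},
 {"createdDateTime": "2023-03-01T08:05:40Z", "userPrincipalName": "alice@example.org",
  "appDisplayName": "Microsoft Office", "clientAppUsed": "Mobile Apps and Desktop clients",
  "status": {"errorCode": 0}},
 {"createdDateTime": "2023-03-01T09:17:03Z", "userPrincipalName": "bob@example.org",
  "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Exchange ActiveSync",
  "status": {"errorCode": 0}},
 {"createdDateTime": "2023-03-01T11:44:59Z", "userPrincipalName": "svc-scanner@example.org",
  "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Authenticated SMTP",
  "status": {"errorCode": 50126}},
 {"createdDateTime": "2023-03-01T12:00:00Z", "userPrincipalName": "carol@example.org",
  "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Browser",
  "status": {"errorCode": 0}}
]
""")


def is_legacy(signin):
    """True if the sign-in used one of the legacy-auth client apps."""
    return signin.get("clientAppUsed") in LEGACY_CLIENT_APPS


def _error_code(signin):
    return signin.get("status", {}).get("errorCode", 0)


def legacy_auth_inventory(signins):
    """Return {user: {protocol: count}} for *successful* legacy-auth sign-ins.

    Only successful sign-ins are counted because those are the sessions that
    will actually stop working once legacy authentication is blocked; the
    affected users need to move to the Outlook app or the web client first.
    """
    per_user = defaultdict(Counter)
    for s in signins:
        if is_legacy(s) and _error_code(s) == 0:
            per_user[s["userPrincipalName"]][s["clientAppUsed"]] += 1
    return {user: dict(counts) for user, counts in per_user.items()}


def failed_legacy_attempts(signins):
    """Count failed legacy-auth sign-ins per protocol.

    Failed attempts over IMAP/SMTP/POP with no matching successful use are the
    typical footprint of password spray and credential stuffing, which is why
    the article's statistics attribute almost all of those attacks to legacy auth.
    """
    return dict(Counter(
        s["clientAppUsed"] for s in signins
        if is_legacy(s) and _error_code(s) != 0
    ))


def legacy_share(signins):
    """Fraction of all sign-ins (successful or not) that used a legacy protocol."""
    if not signins:
        return 0.0
    return sum(1 for s in signins if is_legacy(s)) / len(signins)


if __name__ == "__main__":
    print("Users still relying on legacy auth:", legacy_auth_inventory(SAMPLE_SIGNINS))
    print("Failed legacy attempts by protocol:", failed_legacy_attempts(SAMPLE_SIGNINS))
    print("Share of sign-ins using legacy auth: {:.0%}".format(legacy_share(SAMPLE_SIGNINS)))
```

To run this against real data, replace `SAMPLE_SIGNINS` with the JSON export of the sign-in log (for example the `value` array returned by the Graph sign-ins endpoint) and review the inventory with the named users before the block goes live; the failed-attempt counts are the ones to watch after the block, since they should stop being followed by successes.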
If you are struggling with any of the technical jargon in this article, please see our Jargon Buster article.