Allowing legacy authentication to your SharePoint online tenant unnecessarily exposes it to a number of attacks and exploits that you can easily avoid by simply disabling legacy authentication to your tenant. Microsoft has made it clear that all roads lead to the cloud, and with that Azure Active Directory has become an even more critical piece as the identity provider to O365. Microsoft has introduced a number of security-focused features into its cloud platform over the last couple of years which all depend on using modern authentication.
To be clear, I’m talking about Azure Active Directory’s conditional access under the new Azure Resource Manager model. Azure AD’s conditional access does not support legacy authentication methods which means that moving forward legacy authentication, in general, will be less and less supported within O365. In the past, this wasn’t as much of an issue as legacy authentication was the only type of authentication, but now all new development changes with conditional access leverage modern authentication exclusively.
There are two types of authentication in Office 365: Legacy authentication and Modern authentication.
Originally, legacy authentication was the only form of authentication in O365. Legacy authentication leverages HTTP Basic Authentication, where credentials are passed in the form of a username and password. Relying on just a password is a bad idea for a variety of reasons: passwords are often easy to guess, and they are also vulnerable to attacks like phishing and password spraying.
Aside from the known exploits, the other major issue with legacy authentication is that Microsoft has announced discontinued support for most legacy clients, so relying on legacy authentication simply won’t be an option after October 13th, 2020. Security implications aside, it’s best to get ahead of this before you’re forced to anyway.
For the sake of comparison, the primary concern with legacy authentication is that it’s performed against the service whereas modern authentication is performed against the identity provider.
Let’s consider the following scenarios:
- Scenario 1: Connecting to Exchange Online with legacy authentication via the Outlook 2010 client.
  - The Outlook 2010 client will send the credentials to Exchange Online, and Exchange Online will then perform a proxy authentication against Azure AD as the identity provider. If successful, a response is returned to Exchange Online granting access to the Outlook client.
- Scenario 2: Connecting to Exchange Online with modern authentication via the Outlook 2016 client (modern authentication enabled by default).
  - The Outlook 2016 client will be redirected directly to Azure Active Directory in order to obtain an access token. That access token will then be used by the client to gain access to Exchange Online.
- Since conditional access policies are evaluated as part of the authentication process, they only work for modern authentication, which uses Azure AD directly as the identity provider. With legacy authentication the authentication is not performed directly against Azure AD (in Scenario 1, Exchange Online performs a proxy authentication on the client’s behalf), so conditional access, as well as other new security features, will not work.
Modern authentication is based on the Active Directory Authentication Library (ADAL) and OAuth 2.0, which support multi-factor authentication and interactive sign-in. This is why nearly 100% of password spray attacks target legacy authentication principals, which do not support interactive sign-in. Interactive sign-in is required for additional security challenges like MFA and device authentication.
Disable legacy authentication on your SharePoint Online tenant. Once this is configured you can enforce stricter rules around conditional access policies like interactive sign-in which will drastically improve your security posture with minimal impact or effort.
How to disable legacy authentication:
- Open the SharePoint Online Management Shell
Run the following commands to determine your current authentication protocol setting (replace <tenant> with your tenant’s name):

    Connect-SPOService -Url https://<tenant>-admin.sharepoint.com
    Get-SPOTenant

Check the property “LegacyAuthProtocolsEnabled” – if this is set to true then legacy authentication is enabled and we will want to set this to false.
Run the following commands to disable legacy authentication to your SharePoint tenant:

    Connect-SPOService -Url https://<tenant>-admin.sharepoint.com
    Set-SPOTenant -LegacyAuthProtocolsEnabled $false
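The check, disable and verify steps above as one script (an added example, not code from the original post): it reads LegacyAuthProtocolsEnabled first, changes it only if it is true, and re-reads it so the script fails loudly if the change did not take. The $TenantName parameter and the -ReportOnly switch are assumptions of this example; it requires the SharePoint Online Management Shell module and a SharePoint administrator account.

```powershell
# Added example, not from the original post. Audits and, if needed, disables
# legacy authentication on a SharePoint Online tenant, then verifies the result.
# $TenantName and -ReportOnly are assumed parameters of this example, e.g.
# .\Disable-SPOLegacyAuth.ps1 -TenantName contoso -ReportOnly
param(
    [Parameter(Mandatory = $true)][string]$TenantName,
    [switch]$ReportOnly   # only report the current value, make no change
)

$adminUrl = "https://$TenantName-admin.sharepoint.com"
Connect-SPOService -Url $adminUrl

# Read the current value before touching anything.
$before = (Get-SPOTenant).LegacyAuthProtocolsEnabled
Write-Host "LegacyAuthProtocolsEnabled before: $before"

if (-not $before) {
    Write-Host "Legacy authentication is already disabled; nothing to do."
    return
}
if ($ReportOnly) {
    Write-Warning "Legacy authentication is ENABLED (report-only mode, no change made)."
    return
}

# Disable the legacy (basic) authentication protocols for the whole tenant.
Set-SPOTenant -LegacyAuthProtocolsEnabled $false

# Re-read the property rather than trusting the call succeeded silently.
$after = (Get-SPOTenant).LegacyAuthProtocolsEnabled
if ($after) {
    throw "LegacyAuthProtocolsEnabled is still true after Set-SPOTenant; check the admin session and re-run."
}
Write-Host "LegacyAuthProtocolsEnabled after: $after (legacy authentication disabled)"
```

Run it with -ReportOnly first across your tenants to inventory where legacy authentication is still on before making the change.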
Switching completely to Modern authentication and disabling basic (even without implementing MFA) is a major improvement to security. Modern authentication is not subject to the same types of attacks and exploits that are possible with Basic authentication and legacy authentication is already scheduled to go end of life on October 13th, 2020.
Chris studied Information Systems at Hofstra University before joining STEALTHbits where he took on the role as the Technical Product Manager of SharePoint, Dropbox and Box solution sets. His focus is primarily on SharePoint security, but data security, in general, is a passion. Aside from technical interests, he enjoys the outdoors and hopes to one day start an animal rescue and rehabilitation center for injured, disabled and orphaned animals.