Blocking Legacy Authentication in Microsoft 365: How to Disable Basic Auth Without Breaking Your Users

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Legacy authentication is the front door for most Microsoft 365 account compromises. An account with MFA enforced via Conditional Access is protected against interactive sign-in attacks -- but if that same account can authenticate via SMTP AUTH or an IMAP connection (which bypass Conditional Access), the MFA protection is irrelevant. The October 2022 Microsoft deprecation of Basic Auth addressed most protocol endpoints, but SMTP AUTH remains active in most tenants and is the primary remaining attack surface. This guide covers how to find who is using legacy auth today, how to create the Conditional Access block policy, and how to handle the SMTP AUTH exceptions that printers and applications require.
Audit Current Legacy Authentication Usage
Before blocking, determine what is actually using legacy authentication in your tenant. In the Entra admin center, navigate to Monitoring > Sign-ins. Filter by Client App and select all legacy authentication client types: 'Exchange ActiveSync', 'Exchange Online PowerShell', 'Exchange Web Services', 'IMAP4', 'MAPI over HTTP', 'Offline Address Book', 'Other clients', 'POP3', 'Reporting Web Services', 'SMTP'. Review the results: identify the user accounts, source IPs, and applications associated with legacy auth sign-ins. Export the data (download CSV) for analysis. Key things to look for: shared mailbox accounts used by printers and multifunction devices for SMTP AUTH, service accounts used by line-of-business applications (ERP, CRM, help desk ticketing), users still on Outlook 2010 or 2013 (which use MAPI over HTTP in legacy mode), and any automated scripts using Basic Auth PowerShell. This audit tells you what will break when you block. Most large organizations have 5 to 15 SMTP AUTH devices and services to migrate before blocking.
Create the Conditional Access Block Policy
In the Entra admin center, navigate to Protection > Conditional Access > Policies > New Policy. Name: Block Legacy Authentication. Assignments > Users: Include All Users. Exclude: break-glass emergency access accounts, any service accounts that cannot use modern auth (these should be migrated first, but exclude temporarily while migration is in progress). Assignments > Cloud Apps: Include All Cloud Apps. Conditions > Client Apps: select all legacy authentication clients: Exchange ActiveSync, Other clients. (Leave 'Browser' and 'Mobile apps and desktop clients' unchecked -- those are modern auth). Access Controls > Grant: Block Access. Enable Policy: Report-Only first. Run Report-Only mode for 1 to 2 weeks and review the sign-in logs to see who would be blocked. Identify any unexpected users or service accounts in the blocked sign-ins. Resolve all legitimate dependencies before switching to enforcement. Switch to Enabled when you are satisfied the exclusion list is complete.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Handle SMTP AUTH Exceptions for Printers and Applications
SMTP AUTH is the most common remaining legacy authentication dependency. Printers, scanners, multifunction devices, and on-premises applications that send email via Microsoft 365 typically use SMTP AUTH with a shared mailbox credential. Migration path 1 (preferred): switch to OAuth 2.0 SMTP AUTH. Microsoft now supports OAuth SMTP for applications -- configure the application to use OAuth instead of Basic Auth. Most modern printers and application versions support this. Migration path 2: use Microsoft 365 SMTP relay (Direct Send). Configure the device to send to the Exchange Online MX record on port 25, with no authentication, from a whitelisted IP address. Exchange Online accepts unauthenticated relay from configured IP ranges. This is appropriate for printers -- the device never authenticates. Migration path 3 (temporary): create an Entra ID Conditional Access Named Location for the specific source IP of the device, and create an exception in the block policy for that Named Location. This allows SMTP AUTH from a specific IP only. This is a temporary measure -- phase it out as you migrate devices to OAuth or Direct Send.
Migrate Remaining Legacy Auth Clients
After the Conditional Access policy is in place and exceptions are documented, migrate each remaining legacy auth client: Outlook 2010/2013 users: upgrade to Outlook 2016 or later (modern auth is supported by default). If upgrade is not feasible, enable modern auth and require it via GPO. PowerShell scripts using Basic Auth: migrate to the Microsoft Graph API (using OAuth app registrations with application permissions) or to the ExchangeOnlineManagement PowerShell module v2 and later (which uses modern auth). Line-of-business applications: work with the application vendor to upgrade to OAuth 2.0 integration. Most major ERP and CRM platforms have Microsoft 365 OAuth connectors. If the vendor cannot support OAuth, create a dedicated service account with a managed API credential and restrict it to the minimum necessary Exchange permissions via a Conditional Access exception scoped to that account and the specific cloud app.
Enforce and Monitor
After switching the Conditional Access policy from Report-Only to Enabled, monitor the sign-in logs for blocked legacy auth attempts over the first week. Blocked attempts that are from known devices or users indicate an incomplete migration -- resolve the dependency. Blocked attempts from unknown IPs and suspicious user accounts indicate spray attacks that are now blocked -- these were active regardless, and the block policy is working. Long-term monitoring: in Microsoft Sentinel or Defender XDR, alert on any legacy authentication sign-in SUCCESS (these should be zero once the block policy is fully enforced and exceptions cover all legitimate sources). A successful legacy auth sign-in in an enforced environment indicates either an exception in the Conditional Access policy is being abused, or a sign-in from a source that is missing a Named Location restriction.
The bottom line
Blocking legacy authentication is one of the highest-impact Microsoft 365 security controls available -- it eliminates an entire class of credential spray attack. The deployment process is: audit legacy auth users, create a Conditional Access block policy in Report-Only mode, migrate each dependency found, switch to Enabled. Plan 4 to 8 weeks for the migration phase in a mid-size organization. Do not skip Report-Only mode; a direct switch to Enabled will cause immediate service disruption for every legacy auth client.
Frequently asked questions
Did the October 2022 Microsoft Basic Auth deprecation block everything?
No. Microsoft disabled Basic Auth for most Exchange Online protocol endpoints in October 2022 (EAS, EWS, IMAP, POP3, remote PowerShell). However, SMTP AUTH was NOT disabled in October 2022 -- it remains active unless explicitly blocked. Additionally, third-party SaaS applications using OAuth tokens that request legacy permission scopes are not covered. The Conditional Access block policy described in this guide is still necessary and still blocks active attack vectors in 2026.
What is the difference between SMTP AUTH and SMTP relay?
SMTP AUTH uses an Entra ID credential (username and password) to authenticate to Exchange Online on port 587 (STARTTLS). It sends email as the authenticated mailbox account. SMTP relay (Direct Send) sends email to the Exchange Online MX endpoint on port 25 from an IP address that is listed in an inbound connector as authorized for relay, with no authentication. SMTP relay is the preferred approach for printers and devices because it eliminates the stored credential risk -- if a printer's SMTP AUTH credential is stolen, the attacker can send email as that account. With SMTP relay, there is no credential to steal.
Can I block legacy auth for most users but allow it for specific service accounts?
Yes. In the Conditional Access block policy, exclude specific accounts or groups in the Assignments > Users > Exclude section. This allows you to block legacy auth for all users except the service accounts you have not yet migrated. Document each excluded account and its migration timeline. Review the exclusion list monthly and shrink it as migrations complete. The goal is to reach zero exclusions -- any excluded account is a potential spray attack target.
How do I check if a specific user's account was successfully sprayed via legacy auth?
In the Entra admin center, go to Users > select the user > Sign-in logs. Filter by 'Status: Success' and look for Client App values of 'IMAP4', 'POP3', 'SMTP', 'Other clients', 'Exchange ActiveSync'. Any successful sign-in via these legacy protocols, especially from an unfamiliar IP, indicates a spray success. Also check for mailbox forwarding rules or inbox rules added after the successful sign-in (via the Microsoft 365 Defender email portal or Exchange admin center), which is the most common action attackers take immediately after a successful legacy auth compromise.
What is modern authentication and how does it differ from legacy authentication?
Modern authentication uses OAuth 2.0 and OpenID Connect (OIDC) protocols. The client redirects the user to the Entra ID identity provider, which handles authentication (including MFA) and issues an access token and refresh token. The application never handles the password directly. Legacy authentication protocols (IMAP, POP3, SMTP AUTH, basic HTTP auth) send credentials (username and password) directly to the application server with each request. Because MFA is enforced by the identity provider in modern auth flows and legacy auth clients bypass the identity provider entirely, Conditional Access MFA policies have no effect on legacy auth connections.
How do I migrate printers and multifunction devices from SMTP AUTH to a more secure email sending method?
SMTP AUTH is commonly used by printers, scanners, copiers, and line-of-business systems to send email via Microsoft 365 Exchange Online. Migration options in order of security: Direct send (the device connects to Exchange Online on port 25 without authentication, allowed only from specific IP ranges you configure in Exchange Online) requires no credentials on the device but restricts sending to internal domains. SMTP relay via a third-party SMTP service (SendGrid, Postmark, Mailgun) provides authenticated SMTP without using Microsoft 365 user credentials -- the device authenticates with service-specific API credentials rather than an M365 account. For devices that must use SMTP AUTH to Microsoft 365: create a dedicated mail-enabled service account with a strong password, enable SMTP AUTH only for that specific account (rather than tenant-wide), and create a Conditional Access policy that restricts that account to the printer's IP addresses. The account should have no other permissions. Review Microsoft's current SMTP AUTH guidance as Microsoft has continued restricting SMTP AUTH availability.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
