Full Report
Microsoft has announced that it will soon update security defaults for all Microsoft 365 tenants to block access to SharePoint, OneDrive, and Office files via legacy authentication protocols. [...]
Analysis Summary
# Best Practices: Hardening Microsoft 365 Security by Deprecating Legacy Authentication
## Overview
These practices center on Microsoft's initiative to block file access via **legacy authentication protocols** in Microsoft 365 environments by default. This move enhances security posture by aligning with the Microsoft Secure Future Initiative (SFI) and the "Secure by Default" principle, specifically targeting the risks associated with older, less secure authentication methods.
## Key Recommendations
### Immediate Actions
1. **Audit for Legacy Authentication Usage:** Immediately review Microsoft 365 sign-in logs and Azure Active Directory (Azure AD/Entra ID) monitoring tools to identify which users, applications, or devices are still relying on legacy authentication protocols (e.g., POP3, IMAP4, SMTP AUTH, older versions of Office clients).
2. **Communicate the Upcoming Block:** Notify all users and application owners within the organization that legacy authentication access to M365 services will be blocked by default and that modern authentication methods must be adopted.
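The audit in step 1 can be run offline against an export of the Entra sign-in logs. The script below is an added example and is not part of the original report or of any Microsoft tooling. It assumes records in the JSON shape of the Graph `signIn` resource (`userPrincipalName`, `appDisplayName`, `clientAppUsed`, `createdDateTime`, `status.errorCode`); the legacy/modern split is taken from the values shown in the sign-in log "Client app" column and should be checked against current Microsoft documentation before use. The sample records are constructed, not real tenant data, and deliberately include an "Authenticated SMTP" service account, the dependency most often missed.

```python
"""Audit exported Microsoft Entra sign-in records for legacy authentication use.

Added example, not part of the original report. Assumes records in the Graph
signIn JSON shape; the client-app classification follows the sign-in log
"Client app" column values and should be verified against current docs.
"""

# Client app values that use modern (OAuth-capable) authentication.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

# Values Entra reports for legacy protocols. "Authenticated SMTP" is the one
# most often forgotten (scanners, relays, scripts).
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP",
    "Autodiscover",
    "Exchange ActiveSync",
    "Exchange Online PowerShell",
    "Exchange Web Services",
    "IMAP4",
    "MAPI Over HTTP",
    "Offline Address Book",
    "Outlook Anywhere (RPC over HTTP)",
    "Outlook Service",
    "POP3",
    "Reporting Web Services",
    "Other clients",
}


def classify(record):
    """Return 'modern', 'legacy' or 'unknown' for one sign-in record."""
    client = record.get("clientAppUsed", "")
    if client in MODERN_CLIENT_APPS:
        return "modern"
    if client in LEGACY_CLIENT_APPS:
        return "legacy"
    return "unknown"


def is_legacy(record):
    """Treat unknown values as legacy so a new or renamed value gets reviewed, not ignored."""
    return classify(record) != "modern"


def summarize_legacy_usage(records):
    """Group successful legacy sign-ins by (user, client protocol, application).

    Returns {(upn, clientAppUsed, appDisplayName): {"count": n, "last_seen": iso}}.
    Only successful sign-ins (errorCode 0) are counted: a failed legacy attempt
    is a probe or a misconfigured client, not a working dependency to migrate.
    """
    summary = {}
    for rec in records:
        if not is_legacy(rec):
            continue
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        key = (rec["userPrincipalName"], rec["clientAppUsed"], rec.get("appDisplayName", ""))
        entry = summary.setdefault(key, {"count": 0, "last_seen": ""})
        entry["count"] += 1
        entry["last_seen"] = max(entry["last_seen"], rec["createdDateTime"])
    return summary


def users_with_legacy_auth(records):
    """Sorted UPNs that still authenticate successfully over legacy protocols."""
    return sorted({upn for (upn, _, _) in summarize_legacy_usage(records)})


# Constructed sample records (not real tenant data).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "svc-scanner@example.com", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Authenticated SMTP", "createdDateTime": "2024-05-01T08:00:00Z",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "svc-scanner@example.com", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Authenticated SMTP", "createdDateTime": "2024-05-02T08:00:00Z",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "IMAP4", "createdDateTime": "2024-05-02T09:15:00Z",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Office 365 SharePoint Online",
     "clientAppUsed": "Browser", "createdDateTime": "2024-05-02T10:00:00Z",
     "status": {"errorCode": 0}},
    # Failed POP3 attempt (bad password): not a working dependency, so it is excluded.
    {"userPrincipalName": "carol@example.com", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "POP3", "createdDateTime": "2024-05-02T11:00:00Z",
     "status": {"errorCode": 50126}},
]

if __name__ == "__main__":
    for (upn, client, app), info in sorted(summarize_legacy_usage(SAMPLE_SIGNINS).items()):
        print(f"{upn:28} {client:20} {app:32} x{info['count']} last {info['last_seen']}")
```

Run the same summary again after enforcement (step 4 of the long-term strategy) and expect an empty result; any new entry is either a dependency that was missed or a client that has started using a protocol the block does not cover.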
### Short-term Improvements (1-3 months)
1. **Enable Modern Authentication Enforcement:** Configure Conditional Access policies or tenant settings to explicitly block legacy authentication across the M365 environment, so that every connection must use a modern protocol that supports strong authentication such as MFA.
2. **Remediate Identified Legacy Dependencies:** For essential services or applications still using legacy authentication:
   * Upgrade clients (e.g., update Office versions) to support Modern Authentication.
   * Reconfigure applications/services to use modern endpoints (e.g., OAuth 2.0).
   * If necessary for highly controlled, temporary legacy connections, use targeted Conditional Access policies to allow specific, monitored exceptions until full migration is complete.
3. **Review and Harden Attachment Handling:** Begin the process of blocking risky attachment types in Outlook, following Microsoft's lead (e.g., preparing to block `.library-ms` and `.search-ms` file types if applicable to your environment).
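Steps 1 and 2 above come together in a single Conditional Access policy: block the legacy client app types for all users, keep the monitored exceptions in one excluded group, and pilot in report-only mode before enforcing. The code below is an added example, not part of the original report or of Microsoft's documentation. It uses the Microsoft Graph `conditionalAccessPolicy` JSON shape (`conditions.clientAppTypes`, `conditions.users`, `grantControls`, `state`) as the author understands it; the group id is a placeholder, and the body would be submitted with `POST /identity/conditionalAccess/policies` after checking the schema against current Graph documentation. The lint function encodes the "Sudden Global Enforcement" and "Over-relying on Whitelisting" pitfalls from later in this report as checks.

```python
"""Build and lint a Conditional Access policy that blocks legacy authentication.

Added example, not part of the original report. Uses the Graph
conditionalAccessPolicy JSON shape as assumed by the author; verify against
current Graph documentation. The exception group id is a placeholder.
"""

# Graph clientAppTypes values that cover legacy authentication:
# Exchange ActiveSync and "other clients" (POP, IMAP, SMTP AUTH, older Office).
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}
MODERN_CLIENT_APP_TYPES = {"browser", "mobileAppsAndDesktopClients"}

EXCEPTION_GROUP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real id


def build_block_legacy_auth_policy(exception_group_id, report_only=True):
    """Return the policy body.

    Start in report-only mode; switch to enforced only once the sign-in log
    review shows no remaining legacy dependencies outside the exception group.
    """
    return {
        "displayName": "Block legacy authentication",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "clientAppTypes": sorted(LEGACY_CLIENT_APP_TYPES),
            "applications": {"includeApplications": ["All"]},
            "users": {
                "includeUsers": ["All"],
                # Monitored, time-boxed exceptions live in one group, not in broad carve-outs.
                "excludeGroups": [exception_group_id],
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def lint_policy(policy):
    """Return a list of findings for common mistakes; an empty list means the policy is sound."""
    findings = []
    cond = policy.get("conditions", {})
    client_types = set(cond.get("clientAppTypes", []))
    controls = set(policy.get("grantControls", {}).get("builtInControls", []))
    users = cond.get("users", {})

    if "block" not in controls:
        findings.append("grant control is not 'block'; legacy clients should be explicitly blocked")
    if "all" in client_types or not LEGACY_CLIENT_APP_TYPES.issubset(client_types):
        # 'all' combined with a block control would also block browsers and modern clients.
        findings.append("clientAppTypes must name exactly the legacy types "
                        "(exchangeActiveSync, other), not 'all' or a partial list")
    if client_types & MODERN_CLIENT_APP_TYPES:
        findings.append("policy blocks modern client types; that is a global outage, not a legacy block")
    if policy.get("state") == "enabled" and not (users.get("excludeGroups") or users.get("excludeUsers")):
        findings.append("enforced with no exclusions; keep an exception group and pilot in report-only first")
    return findings


# Constructed "weak" policy showing the sudden-global-enforcement pitfall:
# every client type blocked, enforced immediately, no exclusions.
WEAK_POLICY = {
    "displayName": "Block old stuff",
    "state": "enabled",
    "conditions": {
        "clientAppTypes": ["all"],
        "applications": {"includeApplications": ["All"]},
        "users": {"includeUsers": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

if __name__ == "__main__":
    import json
    print(json.dumps(build_block_legacy_auth_policy(EXCEPTION_GROUP_ID), indent=2))
    for finding in lint_policy(WEAK_POLICY):
        print("WEAK_POLICY:", finding)
```

Report-only mode records what the policy would have done in the sign-in logs, which is the data the impact assessment needs; when the review of those results is clean, the same body is resubmitted with `report_only=False`.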
### Long-term Strategy (3+ months)
1. **Establish Secure Access Management:** Implement and refine granular access policies using Entra ID/Azure AD's access management features, including the Admin Consent Workflow, to strictly control application permissions.
2. **Implement a Secure Defaults Mindset:** Formally adopt Microsoft's Secure Future Initiative (SFI) principles into your security roadmap, ensuring that all new cloud services and configurations default to the most secure settings available.
3. **Explore Screenshot Prevention:** Investigate and plan the deployment of features designed to block screen capture during sensitive meetings, such as the announced Microsoft Teams screenshot blocking feature, for high-sensitivity users or meetings.
4. **Continuous Monitoring and Retirement:** Establish a routine process (monthly or quarterly) to review authentication logs, confirm that legacy authentication remains disabled, and identify further deprecated features (like the blocking of ActiveX controls) that need to be retired or validated in your environment.
## Implementation Guidance
### For Small Organizations
- Focus on enabling modern authentication tenant-wide immediately. If using M365 Business Basic/Standard, ensure users are forced to use modern clients (Outlook desktop applications, etc.) that support OAuth.
- Rely heavily on Microsoft's default settings changes as the primary remediation step for legacy protocols.
### For Medium Organizations
- Utilize Conditional Access policies in Entra ID to centrally manage the enforcement of Modern Authentication across user groups, allowing for targeted testing phases before a full rollout.
- Assign dedicated IT staff timeframes (1-2 months) to coordinate user migration away from desktop clients that rely on legacy protocols.
### For Large Enterprises
- Leverage granular access management and the Admin Consent Workflow for third-party or LOB applications to ensure only approved and monitored identities can grant consent for delegated permissions.
- Conduct detailed impact assessments across application portfolios *before* universally blocking legacy auth, using monitoring data to create phased rollout groups (e.g., test users, low-impact groups, high-impact groups).
## Configuration Examples
*Note: Specific configuration steps for disabling legacy authentication (often done via Conditional Access or disabling SMTP AUTH per user/tenant) are highly dependent on the specific configuration portals. The guidance below relates to the supporting controls mentioned.*
**Example: Preparing for Granular Access Control:**
1. **Configure Admin Consent Workflow:** Ensure the workflow is active in Entra ID so that certain application permission requests require administrative review, preventing users from unknowingly granting broad permissions. (Refer to Microsoft documentation for the exact Entra ID path to the Admin Consent Workflow configuration.)
2. **Evaluate Access Management:** Review settings related to enterprise app access management to enforce least privilege principles for all connected applications.
## Compliance Alignment
- **NIST CSF:** Aligns closely with **PR.AC-1 (Access Control Policies)** and **PR.DS-5 (Data is protected from unauthorized access)** by restricting insecure entry points.
- **ISO 27001/27002:** Supports **A.9.2.1 (User Registration and De-registration)** and **A.14.2.1 (Secure Development Policy)** by enforcing strong identity standards over vulnerable legacy protocols.
- **CIS Benchmarks (Microsoft 365):** Directly supports hardening efforts by ensuring insecure defaults are overwritten with secure-by-default configurations.
## Common Pitfalls to Avoid
- **Sudden Global Enforcement:** Blocking legacy authentication without first identifying and migrating critical line-of-business applications or services that explicitly rely on them. This leads to immediate, widespread service disruption.
- **Ignoring SMTP AUTH:** Assuming blocking POP/IMAP is sufficient. SMTP AUTH (often used by scanners, applications, or mail relays) must also be explicitly addressed, either by disabling it or migrating to modern authentication endpoints for those services.
- **Failing to Address Client Updates:** Assuming all users are on modern versions of Office; users on very old perpetual licenses may require upgrades to support Modern Authentication.
- **Over-relying on Whitelisting:** Creating broad exceptions to the legacy authentication block for entire groups when granular, application-level remediation is possible.
## Resources
- **Entra ID Conditional Access Documentation:** For configuring policies to enforce Modern Authentication. (Search: "Microsoft Entra Conditional Access legacy authentication")
- **Microsoft Secure Future Initiative (SFI) Documentation:** For understanding the strategic context of these changes. (Search: "Microsoft Secure Future Initiative")
- **Entra ID Admin Consent Workflow Configuration Guide:** For setting up granular consent control. (Search: "Microsoft Entra configure admin consent workflow")