Microsoft 365 is genuinely powerful. Most businesses use it every day without incident. But there's a default configuration issue that has quietly contributed to thousands of breaches, and the unsettling part is how easy it is to miss.
The setting is called Legacy Authentication. And if it's still enabled in your tenant, your business has a meaningful exposure that most people don't know about.
What Legacy Authentication Actually Is
Legacy authentication refers to older sign-in protocols that don't support modern security features like multi-factor authentication. Think of older email clients, basic SMTP, older versions of Office, or certain third-party apps that connect to Exchange.
These protocols were built before MFA existed. They authenticate with just a username and a password. No second factor, no conditional access policy, and no way to verify that the person logging in is actually who they claim to be.
Microsoft has been pushing organizations to disable legacy authentication for years. Yet many environments still have it running, either because no one checked or because a legacy application still depends on it.
Why Attackers Love It
When a cybercriminal runs a credential stuffing attack, they take a list of stolen username and password combinations and try them against common services. Microsoft 365 is a prime target.
If modern authentication is enforced, MFA blocks most of these attempts cold. Even with a correct password, the attacker still needs the second factor.
But with legacy authentication enabled, MFA is bypassed entirely. A valid username and password is all it takes. The attacker walks straight in.
Common entry points include:
- IMAP and POP3 email access
- Older Outlook clients using basic auth
- Third-party apps connecting via outdated protocols
- Automated scripts or integrations built years ago
Each one is a potential door that MFA cannot close as long as legacy auth remains active.
The Fix Is Simpler Than You Think
Disabling legacy authentication in Microsoft 365 involves creating a Conditional Access policy that blocks legacy auth protocols across your tenant. Microsoft's documentation covers the steps in detail, and the process itself is not technically complex.
The harder part is the preparation. Before you flip the switch, you need to know what in your environment still relies on legacy auth. Disabling it without that audit can break applications or workflows that nobody knew were depending on it.
A useful first step is enabling sign-in logs in Azure Active Directory and filtering for legacy authentication attempts. This shows you exactly what is still using those older protocols and gives you a remediation list before you make any changes.
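As an added example that is not part of the original post, the audit step above worked through in Python: the script classifies sign-in log records by their clientAppUsed value and builds the remediation list before any Conditional Access change. The records are constructed sample data in the field layout of a sign-in log JSON export; the legacy client-app names are the values Microsoft reports in the sign-in logs, and the addresses, accounts and error codes are assumptions.

```python
import json
from collections import defaultdict

# clientAppUsed values that Entra sign-in logs report for legacy (basic)
# authentication; "Browser" and "Mobile Apps and Desktop clients" are modern auth.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "Autodiscover", "Exchange ActiveSync",
    "Exchange Online PowerShell", "Exchange Web Services", "IMAP4",
    "MAPI Over HTTP", "Offline Address Book", "Outlook Anywhere (RPC over HTTP)",
    "Outlook Service", "POP3", "Reporting Web Services", "Other clients",
}

# Constructed sample records (assumed accounts and IPs) using the field names
# of a sign-in log JSON export; errorCode 0 is success, 50126 is a bad password.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "scanner-svc@example.com", "clientAppUsed": "Authenticated SMTP",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4",
     "ipAddress": "198.51.100.8", "status": {"errorCode": 50126}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4",
     "ipAddress": "198.51.100.9", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "clientAppUsed": "Mobile Apps and Desktop clients",
     "ipAddress": "203.0.113.5", "status": {"errorCode": 0}},
])

def is_legacy(record):
    """True when the sign-in used a legacy authentication client."""
    return record.get("clientAppUsed") in LEGACY_CLIENT_APPS

def legacy_auth_report(signins_json):
    """Summarise legacy-auth sign-ins per (user, client app).
    Successful rows are the dependencies that break once legacy auth is blocked;
    many failures from distinct IPs on one account are the credential-stuffing
    pattern the article describes."""
    buckets = defaultdict(lambda: {"success": 0, "failure": 0, "ips": set()})
    for rec in json.loads(signins_json):
        if not is_legacy(rec):
            continue  # modern auth: MFA and Conditional Access already apply
        b = buckets[(rec["userPrincipalName"], rec["clientAppUsed"])]
        ok = rec.get("status", {}).get("errorCode", 0) == 0
        b["success" if ok else "failure"] += 1
        b["ips"].add(rec.get("ipAddress"))
    return [{"user": u, "clientApp": a, "success": b["success"],
             "failure": b["failure"], "distinctIps": len(b["ips"])}
            for (u, a), b in sorted(buckets.items())]

if __name__ == "__main__":
    for row in legacy_auth_report(SAMPLE_SIGNINS):
        print(row)
```

Against a real export, every row with successes is an application or workflow to migrate or exempt before the blocking policy goes live.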
What Else to Check While You're in There
If you're reviewing your Microsoft 365 security posture, a few other settings deserve attention alongside legacy auth:
- MFA enrollment: is it enforced for all users, or just some?
- Admin accounts: do they have MFA, and are they separate from daily-use accounts?
- External sharing in SharePoint and OneDrive: is it open by default?
- Mail forwarding rules: can users set up auto-forwards to external addresses?
Each of these represents a category of risk that shows up regularly in breach investigations.
The Broader Point
Microsoft 365 ships with reasonable defaults, but reasonable is not the same as secure. Security configurations require active management, periodic review, and an understanding of what has changed in your environment over time.
Legacy authentication is one of the most commonly overlooked gaps. It is also one of the most fixable. That combination makes it a good place to start.