Today's blog post is about legacy authentication protocols like POP, IMAP, SMTP and others.
These methods are not secure (they cannot enforce MFA), and attackers can easily gain access without any problems. It's important to check whether your organization has accounts that are still using these old methods and take action.
There is a very easy way to check this:
Go to entra.microsoft.com and go to Users --> All Users --> Sign-in logs
Press Date and choose: Last 1 month (because Entra ID only lets us see sign-in logs for the last 30 days)
Press Columns, choose Client App and press Save
Now press Add Filters, choose Client App again and press Apply
Press the Client app filter again, choose all the legacy authentication clients and press Apply
It should look like this
Now wait and see if you get any results.
You can also save your results as .csv or .json by pressing the Download button.
Check the non-interactive user sign-ins as well, since background mail clients show up there, not under the interactive sign-ins.
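If you downloaded the logs as .json, the same check can be done offline. The script below is an added example (not part of the original post) that reads the export, keeps only the legacy client apps, and summarizes successful and failed sign-ins per user; the list of client app names is my assumption of what the portal's "Legacy Authentication Clients" filter covers, and the sample data is constructed.

```python
"""Summarize legacy-authentication sign-ins from an Entra ID sign-in log JSON export."""
import json
from collections import Counter, defaultdict

# Client app names the sign-in log groups as legacy authentication clients.
# Assumption: this mirrors the portal filter; extend it if your tenant shows other names.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "Autodiscover", "Exchange ActiveSync", "Exchange Online PowerShell",
    "Exchange Web Services", "IMAP4", "MAPI Over HTTP", "Offline Address Book",
    "Other clients", "Outlook Anywhere (RPC over HTTP)", "Outlook Service", "POP3",
    "Reporting Web Services", "Universal Outlook",
}

def is_legacy(event):
    return event.get("clientAppUsed", "") in LEGACY_CLIENT_APPS

def summarize_legacy_signins(events):
    """Return {upn: {"apps": Counter, "success": n, "failure": n}} for legacy sign-ins only.
    Interactive and non-interactive exports share this shape, so feed both."""
    summary = defaultdict(lambda: {"apps": Counter(), "success": 0, "failure": 0})
    for ev in events:
        if not is_legacy(ev):
            continue
        upn = ev.get("userPrincipalName", "<unknown>").lower()
        entry = summary[upn]
        entry["apps"][ev["clientAppUsed"]] += 1
        # errorCode 0 means the sign-in succeeded; anything else is a failed attempt
        if ev.get("status", {}).get("errorCode", 0) == 0:
            entry["success"] += 1
        else:
            entry["failure"] += 1
    return dict(summary)

def load_export(text):
    return json.loads(text)

# Constructed sample mimicking the portal's JSON export (not real tenant data).
SAMPLE_EXPORT = json.dumps([
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "IMAP4",
     "createdDateTime": "2024-05-01T08:00:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser",
     "createdDateTime": "2024-05-01T08:05:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "scanner@contoso.example", "clientAppUsed": "Authenticated SMTP",
     "createdDateTime": "2024-05-02T09:00:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "Bob@contoso.example", "clientAppUsed": "POP3",
     "createdDateTime": "2024-05-03T10:00:00Z", "status": {"errorCode": 50126}},
])

if __name__ == "__main__":
    for upn, info in summarize_legacy_signins(load_export(SAMPLE_EXPORT)).items():
        print(upn, dict(info["apps"]), "ok=%d failed=%d" % (info["success"], info["failure"]))
```

Users with successful legacy sign-ins are the ones to exclude from the block policy until their clients are upgraded; repeated failures against a legacy protocol are worth a look as possible password spraying.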
Now, if your organization doesn't have any legacy sign-ins, you need to ensure that you have a Conditional Access policy which blocks these methods. Remember that you need at least an Entra ID P1 license to use Conditional Access.
Here is a ready policy which you can import with the method described at https://www.need4.cloud/post/how-to-bulk-export-and-import-conditional-access-policies and use for this purpose.
This policy is scoped to all users, so remember to exclude the users who are still using legacy auth, both in this policy and in your MFA policy. Always ensure that these users have very strong passwords or, even better, upgrade their legacy clients asap!
If your tenant doesn't have an Entra ID P1 license, don't worry. There is another way, but remember: you can't exclude any users here.
Go to admin.microsoft.com and press Settings --> Org settings
Under Services, find Modern authentication
Uncheck the Authenticated methods and press Save
Happy hunting