Legacy Authentication Not Blocked

MEDIUM

Description

According to Microsoft:

[...] more than 97 percent of credential stuffing attacks use legacy authentication and more than 99 percent of password spray attacks use legacy authentication protocols.

Legacy authentication methods do not support modern security measures like Multi-Factor Authentication (MFA), a standard requirement for enhancing security in organizations.

This Indicator of Exposure alerts you when your tenant allows legacy authentication requests. Either of two possible methods can block them:

Note: This CAP feature requires a Microsoft Entra ID P1 license or higher and is not included in the Microsoft Entra ID Free license. It is particularly recommended for mature organizations with complex security needs that want to define their authentication criteria precisely.

Security defaults and Conditional Access are mutually exclusive; you cannot use them simultaneously. Note that Conditional Access policies can only target built-in Entra roles, excluding administrative unit-scoped roles and custom roles.

Solution

There are important considerations to weigh before blocking all legacy authentication requests. Microsoft explains the impact by listing the messaging protocols that require legacy authentication. It also offers guidance on identifying legacy authentication sign-ins, to help you configure exclusions for the users and service accounts that still need to sign in with legacy authentication methods. Even after this IoE becomes compliant post-remediation, it can take up to 24 hours for the Conditional Access policy to take effect, during which legacy authentication requests are still possible.

To prevent users and applications from using legacy authentication, Microsoft offers a Conditional Access Policy (CAP) template called "Block legacy authentication". You can also define your own policy using the same settings. To apply such a CAP, Tenable recommends that you follow the Microsoft documentation "Plan a Conditional Access deployment" to ensure proper planning and change management and to limit the impact on resources that still require legacy authentication. Alternatively, security defaults can fulfill this objective by enforcing the blocking of legacy authentication protocols, among other Microsoft-recommended security features. Thoroughly assess in advance whether any change might lead to regression or unintended side effects in your environment.
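As an added example (not Tenable's or Microsoft's code), the check below evaluates policy objects in the shape Microsoft Graph returns for conditionalAccessPolicy (state, conditions.clientAppTypes, conditions.users, conditions.applications, grantControls) together with the tenant's security-defaults flag, and reports whether either of the two methods described above blocks legacy authentication. The sample policies and the excluded object id are constructed placeholders; a report-only policy is reported as a candidate rather than as compliance.

```python
# Client app types the "Block legacy authentication" template targets.
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}

def blocks_legacy_auth(policy: dict) -> bool:
    """True if one policy blocks legacy auth for all users and all cloud apps.
    Disabled or report-only ("enabledForReportingButNotEnforced") do not count."""
    if policy.get("state") != "enabled":
        return False
    cond = policy.get("conditions") or {}
    client_apps = set(cond.get("clientAppTypes") or [])
    if "all" not in client_apps and not LEGACY_CLIENT_APP_TYPES <= client_apps:
        return False
    if "All" not in ((cond.get("users") or {}).get("includeUsers") or []):
        return False
    if "All" not in ((cond.get("applications") or {}).get("includeApplications") or []):
        return False
    return "block" in ((policy.get("grantControls") or {}).get("builtInControls") or [])

def audit_tenant(policies: list, security_defaults_enabled: bool) -> dict:
    """Either method satisfies the indicator: security defaults on, or an enforced CAP.
    Also lists report-only candidates and users excluded from enforced policies."""
    blocking = [p for p in policies if blocks_legacy_auth(p)]
    candidates = [p["displayName"] for p in policies
                  if p.get("state") == "enabledForReportingButNotEnforced"
                  and blocks_legacy_auth({**p, "state": "enabled"})]
    excluded = sorted({u for p in blocking for u in
                       ((p["conditions"].get("users") or {}).get("excludeUsers") or [])})
    return {"compliant": security_defaults_enabled or bool(blocking),
            "blocking_policies": [p["displayName"] for p in blocking],
            "report_only_candidates": candidates,
            "excluded_users": excluded}

# Constructed sample: a report-only copy of the template and an enforced copy
# that excludes one service account (placeholder object id, not a real value).
SAMPLE_POLICIES = [
    {"displayName": "Block legacy authentication (report-only)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"],
                    "users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Block legacy authentication",
     "state": "enabled",
     "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"],
                    "users": {"includeUsers": ["All"],
                              "excludeUsers": ["<service-account-object-id>"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]
```

Running `audit_tenant(SAMPLE_POLICIES, security_defaults_enabled=False)` marks the tenant compliant because of the enforced policy and surfaces the excluded service account for review.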

Indicator Details

Name: Legacy Authentication Not Blocked

Codename: LEGACY-AUTHENTICATION-NOT-BLOCKED

Severity: Medium

Type: Microsoft Entra ID Indicator of Exposure

MITRE ATT&CK Information: