Overview
“Legacy authentication” is a term Microsoft sometimes uses to describe basic authentication when it is used with its cloud-based services. This is in contrast with the term “modern authentication”, which provides more security and more capabilities. Using legacy authentication means that you are relying on older technology that has potential security flaws.
Action
A list of known clients using legacy authentication is available below. It is recommended that you replace legacy applications with ones capable of modern authentication.
Background
Legacy (or basic) authentication is characterized by:
- a client or network protocol which is incapable or not configured to do modern authentication
- a client which sends both the username and password to the application
- an application using the username and password to get a logon token on behalf of the user
Modern authentication is characterized by:
- a client and service which can accept redirects to the identity provider for all authentication interactions and can work with the authentication tokens those protocols issue (for example, a client and service capable of using OpenID Connect, SAML, and/or OAuth 2.0 for authentication)
All Microsoft cloud services are modern authentication capable.
Whether legacy or modern authentication is used therefore depends on the capabilities of the client. In many cases, you can update your client application, or switch to an alternative client application, to use modern authentication.
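The distinction drawn above (the client hands the application the password itself, versus the application receiving a token issued by the identity provider) is visible on the wire in the HTTP Authorization header. The following is an added example, not part of the original page, showing how an administrator could scan request records for the legacy pattern: a Basic header is base64 of `username:password`, so whichever application receives it can read the password, while a Bearer header carries only a token. The request lines, paths, account name and password are all constructed sample data.

```python
import base64
import binascii

# Constructed sample requests (method, path, Authorization header), not real traffic.
# The EWS and Autodiscover paths are typical of the mail clients discussed on this page.
SAMPLE_REQUESTS = [
    ("GET", "/EWS/Exchange.asmx",
     "Basic " + base64.b64encode(b"alice@example.edu:P@ssw0rd-example").decode()),
    ("GET", "/api/v2.0/me/messages",
     "Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.e30.constructed-signature"),
    ("GET", "/owa/", None),
    ("POST", "/autodiscover/autodiscover.xml", "Basic not-base64!!"),
]


def classify_authorization(header):
    """Classify an HTTP Authorization header as legacy (Basic) or modern (Bearer).

    Returns a dict with:
      scheme   - 'basic', 'bearer', 'none' or 'other'
      legacy   - True when the receiving application is handed the user's password
      username - the username recovered from a Basic header, which demonstrates that
                 the application can read the raw credentials; the password itself is
                 decoded but deliberately not returned
    """
    if header is None:
        return {"scheme": "none", "legacy": False, "username": None}
    scheme, _, value = header.partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            # Malformed Basic header: still a legacy-auth attempt, credentials unreadable.
            return {"scheme": "basic", "legacy": True, "username": None}
        username, sep, _password = decoded.partition(":")
        return {"scheme": "basic", "legacy": True, "username": username if sep else None}
    if scheme == "bearer":
        # The token was issued by the identity provider after the user authenticated
        # there; the service never sees the password and MFA can be enforced at the IdP.
        return {"scheme": "bearer", "legacy": False, "username": None}
    return {"scheme": "other", "legacy": False, "username": None}


def find_legacy_requests(requests):
    """Return (method, path, username) for every request that used legacy (Basic) auth."""
    findings = []
    for method, path, header in requests:
        result = classify_authorization(header)
        if result["legacy"]:
            findings.append((method, path, result["username"]))
    return findings


if __name__ == "__main__":
    for method, path, username in find_legacy_requests(SAMPLE_REQUESTS):
        print(f"legacy auth: {method} {path} user={username}")
```

Run against the constructed sample, the scan flags the EWS request (with the account name readable) and the malformed Autodiscover request, and passes over the Bearer and unauthenticated requests. The same classifier can be pointed at proxy or gateway logs to find which users and clients still need to be moved off legacy authentication.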
Relevance
Legacy authentication cannot be protected by MFA. Because the password is known to the application, it is less secure than modern authentication. If legacy authentication is not blocked for your account, third-party applications can ask for your credentials and obtain your password without your being aware that they have it.
How do I address my use of legacy authentication?
Since legacy authentication hinges on the client software used, transitioning off legacy authentication requires the individual user to change the client software they are using.
If you are using one of the client applications known not to use modern authentication protocols, you should replace it.
This list is not intended to be comprehensive; it is only a list of known client applications. If you have one which should be added, please let us know.
- Outlook 2013 without special settings enabled (we recommend you upgrade)
- Outlook 2010 or earlier
- Mac Mail on Mac OS 10.13 or earlier
- Thunderbird
- Eudora
- Pine
- Android Touchdown
- Android BlueMail
- Any client application on iPhone 5 and lower (a browser can be used to access OWA instead)
- Any client application on iPad 4th generation and lower (a browser can be used to access OWA instead)
- Mail on iOS 10 or lower
- Any client application on Chromebooks (a browser can be used to access OWA instead)
- Most IMAP4 or POP3 clients
- Exchange Online PowerShell module