How Microsoft Disabled Legacy Authentication Across the Company

Published: 23/11/2024   Category: security




The process was not smooth or straightforward, employees say in a discussion of challenges and lessons learned during the multi-year project.



As more organizations adopt modern authentication protocols, legacy authentication poses a growing risk to those who lag behind. The problem is, making a business-wide transition to modern authentication is no easy feat, as Microsoft employees learned when they tackled it.
"About half of a percent of the enterprise accounts in our system will be compromised every month," Alex Weinert, director of identity strategy at Microsoft, said of its customer accounts. "Which is a really, really, really high number, if you think about it. In a business of 10,000 users, for example, 50 of them will be compromised in a month if the business is average and doesn't do anything additional," Weinert said in an RSA Conference talk on the topic last month.
More than 1.2 million Microsoft customer accounts were compromised in January 2020, Weinert said. Of those, more than 99% did not have MFA enabled. "Multi-factor authentication would have prevented the vast majority of those one million compromised accounts last month," he explained.
About 40% of those January compromises, or 480,000 accounts, were due to password spray attacks, and nearly all (99%) of those password sprays leveraged legacy authentication protocols. The second most common attack method was brute-forcing credentials across platforms. Nearly all (97%) of these replay attacks also used legacy authentication protocols, Weinert noted, and the probability of compromise jumped for users who relied on SMTP, IMAP, POP, and other such protocols.
"We know about 60% of users [overall] will reuse passwords; it's super common," he continued, adding that people do reuse their enterprise accounts in non-enterprise environments.
Legacy, or basic, authentication refers to older protocols like POP, SMTP, IMAP, and XML-Auth, which don't allow for user interaction or MFA challenges, Weinert said. It is the predominant problem with deploying MFA and the preferred mechanism for attacking accounts. "Attack tools are built on it; it works, and it's easy," he said. But disabling basic authentication protocols can make a significant difference: controlling for other variables, Microsoft found a 67% reduction in compromise for tenants that turned off legacy protocols.
To help defend its own employees against attacks targeting these protocols, Microsoft has rolled out modern MFA options compatible with phone, cloud, and on-prem environments over the years. Still, while it invested in these tools, "it really didn't pay attention to legacy authentication," said Lee Walker, identity architect on Microsoft's internal IT team. "We thought it would naturally go away." In practice, many internal Microsoft employees continued to use legacy protocols. In 2018, company executives called for legacy authentication to be shut down across the organization.
Trial and (A Big) Error
Taking a broader look at Microsoft's environment, the team saw a few instances of legacy authentication but assumed the project wouldn't be intensive. It was primarily used in Azure Active Directory, in small tools people used to talk directly with Microsoft Graph and do basic information gathering in Azure, as well as in SharePoint, Skype for Business, and Exchange.
The team thought most of the upgrades would be for old Office 2010 or 2013 clients. "We knew those were using legacy authentication, but we knew the vast majority of people had been upgraded," said Walker. They expected these Office clients to belong to people with older personal machines at home, and they'd simply need to help those users upgrade.
There are several tools available to block legacy protocols; Lee and Walker demonstrated their process using one built into Azure Active Directory. It started out smoothly, they said. The IT and operations teams deployed legacy authentication disablement to 2,000 users in the organization and experienced minimal problems. "This gave us a lot of confidence that our deployment for legacy authentication blocking was going to proceed very quickly across Microsoft internally," said Walker, noting they expected the process to take two months.
"It didn't quite work out that way," he added.
The team deployed this disablement policy across its 60,000-person sales force. They left their desks that day in October 2018 and soon started getting calls in the middle of the night: the TeleSales app, used to contact customers and take orders, wasn't working for Australian users. "It's a critical app for our sales force, and when we looked into this, we discovered there's one account that was used to run the back end of all our TeleSales applications," said Walker. This account, hidden in the data, was being blocked by the legacy authentication policy.
The policy caused the app to break, which took down the sales force for effectively a whole day, considering the time difference and the time it takes to escalate issues. "They could not make money for a day, and that was a big deal," Walker noted.
Taking a New Approach
The team was told they couldn't move forward with the policy until they were sure the incident wouldn't happen again. "The reality is, we didn't really know what we were doing," said Weinert. They didn't have the data they needed to show where legacy authentication was being used in their environment; more importantly, they didn't have the insight to know what that data really meant. If they had, they would have seen the connection between the TeleSales app, the account behind it, and the hundreds of thousands of people who relied on it.
"We knew we needed more data, so we decided to keep a lot more data," said Weinert. The team logged 90 days of sign-in history to identify specific apps using legacy authentication. This timeframe was large enough to give them visibility into apps used on a daily and weekly basis; they could also see financial apps used only once per quarter.
They also decided to simulate the legacy authentication policy instead of enforcing it outright. Report-only mode gave them the ability to deploy a simulated policy without blocking anything. As a result, users would see "we would have blocked this" instead of losing app functionality.
Then came the tedious part: the team had to track down the individual owners of the apps relying on legacy authentication protocols, work with them to find the API that was prompting them for passwords, and find the modern equivalent of that API to fix it. By March 2019 the policy was enabled for 94% of users, but they still faced several exception requests per week.
"This was probably the biggest driver of work for our team," said Walker. Turning off legacy authentication didn't take much time; neither did collecting or analyzing data. Talking to app owners also wasn't time-consuming, but individual requests for rarely used apps took a lot of time. It took about a year to run through exceptions and secure legacy authentication users.
"Human processes here are super important," said Walker. He advised IT and security teams to start testing with a small group, preferably their own, to learn the response process before rolling out a policy across the organization. He also encouraged RSAC attendees to start the process of eliminating legacy authentication as soon as possible: Microsoft has seen a roughly 3,000% increase in attack rate on Microsoft products and services in the past three years. Adopting modern authentication protocols can help defend against password sprays, credential reuse, and other common attack techniques.
"Organizations moving to a more secure protocol are getting out of harm's way and letting attackers harvest from those who haven't," he said.
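The three steps above (keep 90 days of sign-in history, simulate the block in report-only mode, then hand each app owner a list of the accounts and protocols that would be cut off) can be rehearsed offline before touching a tenant. The following is an added example, not Microsoft's code or the tool shown in the talk: it builds a Conditional Access policy body in the report-only state using the Microsoft Graph conditionalAccessPolicy schema, then replays exported sign-in records against the same rule and groups the would-be-blocked sign-ins by app, account and cadence. Field names follow the Graph signIn resource (createdDateTime, userPrincipalName, appDisplayName, clientAppUsed); the set of clientAppUsed values treated as legacy, the cadence thresholds, the fixed "now", the break-glass placeholder and all sample records are assumptions constructed for the example. Note that in report-only mode the "would have blocked" result is recorded in the sign-in log for administrators rather than shown to the end user, so a summary like this is what the app-owner conversations actually run on.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# clientAppUsed values the sign-in log uses for basic/legacy protocols (assumed set;
# compare against the values actually observed in your own logs).
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "SMTP", "Authenticated SMTP",
    "Exchange Web Services", "Outlook Anywhere (RPC over HTTP)", "MAPI Over HTTP",
    "Other clients",
}

NOW = datetime(2018, 10, 31, 12, 0, tzinfo=timezone.utc)  # constructed fixed clock
WINDOW_DAYS = 90                                           # the 90-day lookback from the article


def report_only_policy(client_app_types=("exchangeActiveSync", "other")):
    """Policy body in the Graph conditionalAccessPolicy schema: block legacy client app
    types for all users, but only report (enabledForReportingButNotEnforced)."""
    return {
        "displayName": "Block legacy authentication (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": ["<break-glass-account-object-id>"]},  # placeholder id
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": list(client_app_types),
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def would_block(record):
    """True if the simulated policy would have blocked this sign-in record."""
    return record.get("clientAppUsed") in LEGACY_CLIENT_APPS


def cadence(days_seen, window_days=WINDOW_DAYS):
    """Rough usage cadence from the number of distinct days with legacy sign-ins
    (assumed thresholds: half the window = daily, one day in fourteen = weekly)."""
    if days_seen >= window_days / 2:
        return "daily"
    if days_seen >= window_days / 14:
        return "weekly"
    return "rare"


def simulate(records, now=NOW, window_days=WINDOW_DAYS):
    """Replay the policy over the lookback window and group hits per app:
    which accounts, how many sign-ins, on how many distinct days, and the cadence."""
    cutoff = now - timedelta(days=window_days)
    per_app = defaultdict(lambda: {"accounts": set(), "count": 0, "days": set()})
    for r in records:
        ts = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
        if ts < cutoff or not would_block(r):
            continue
        entry = per_app[r["appDisplayName"]]
        entry["accounts"].add(r["userPrincipalName"])
        entry["count"] += 1
        entry["days"].add(ts.date())
    return {
        app: {"accounts": sorted(e["accounts"]), "count": e["count"],
              "days_seen": len(e["days"]), "cadence": cadence(len(e["days"]), window_days)}
        for app, e in per_app.items()
    }


def rec(days_ago, upn, app, client):
    """Build one constructed sign-in record."""
    ts = NOW - timedelta(days=days_ago)
    return {"createdDateTime": ts.strftime("%Y-%m-%dT%H:%M:%SZ"), "userPrincipalName": upn,
            "appDisplayName": app, "clientAppUsed": client}


def constructed_records():
    """Constructed sample sign-ins (not real log data)."""
    recs = [rec(d, "svc-telesales@example.com", "TeleSales Backend", "Other clients")
            for d in range(90)]                        # one service account, every night
    recs += [rec(d, "alice@example.com", "Office 365 Exchange Online", "IMAP4")
             for d in range(1, 85, 7)]                 # an old mail client, weekly
    recs.append(rec(60, "finance-batch@example.com", "Quarterly Close Export", "Authenticated SMTP"))
    recs.append(rec(2, "bob@example.com", "Office 365 SharePoint Online", "Browser"))  # modern auth
    recs.append(rec(120, "carol@example.com", "Office 365 Exchange Online", "POP3"))   # outside window
    return recs


def run_example():
    return simulate(constructed_records())


if __name__ == "__main__":
    for app, info in sorted(run_example().items(), key=lambda kv: -kv[1]["count"]):
        print(f"{app}: {info['count']} sign-ins on {info['days_seen']} days ({info['cadence']}) "
              f"from {', '.join(info['accounts'])}")
```

The single service account that signs in every night to the TeleSales Backend is exactly the kind of entry that a per-user view hides and a per-app view surfaces; the "rare" quarterly export is the case the 90-day window exists to catch, and the browser sign-in and the record older than the window are correctly left out of the report.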