Disabling Legacy Authentication Protocols
What are Legacy Protocols?
Legacy protocols are processes that use Basic authentication to connect to email clients, calendars, and web services. Basic authentication simply means the application sends a username and password with every request, and those credentials are also often stored or saved on the device.
Basic authentication makes it easier for attackers to capture user credentials, increasing the risk of the stolen data being reused. The enforcement of two-factor authentication (2FA) is not simple or in some cases, possible when Basic authentication remains enabled.
Microsoft is disabling legacy protocols on October 1, 2022. These protocols cannot be protected by multi-factor authentication (MFA) or Duo, therefore it is imperative that you not wait to move to other applications before October.
How can I identify if I am using legacy protocols?
A simple way to tell if a software client (for example, Outlook) is using Basic authentication or Modern authentication is to observe the dialog that's presented when the user logs in.
On a mobile device, you'll see a similar web-based page when you authenticate if the device is trying to connect using Modern authentication.
Legacy Protocol Details and Alternatives
There are approximately thirteen protocols that are still used and this website will identify those and help you move to newer applications that use updated protocols.
| Legacy Protocol | Description | What Uses It? | Solutions |
| Exchange ActiveSync and Autodiscover | Used to connect mailboxes to Exchange Online |
|
|
| IMAP | Allows access to email without downloading it to the device. Email is read directly from the email service | Email clients such as Thunderbird and Spark or Outlook and Apple Mail when manually configured | |
| MAPI Over HTTP | Primary mailbox access protocol used by Outlook 2010 SP2 and later | Outlook 2010 and newer email clients on mobile devices | |
| POP | Used by POP email clients that download email to the device | Email clients such as Thunderbird and Spark or Outlook and Apple Mail when manually configured | |
| SMTP Authentication | TCP/IP protocol used to send/forward email; it cannot receive messages | Email clients such as Thunderbird and Spark or Outlook and Apple Mail when manually configured | |
| Exchange Online Powershell | Used to connect to Exchange Online with Remote Powershell | Exchange Online | Use Exchange Online V2 Powershell |
| Exchange Web Services | A programming interface used by Outlook, Outlook for Mac and 3rd-party apps | Third Party applications that do not support OAuth |
|
| Offline Addressbook | Copy of Address list collections that are downloaded and used by Outlook | Outlook email clients | Use Microsoft 365 version of Outlook and remove and add back account choosing 'Microsoft 365' as the account type |
| "Other Clients" (Linux mail clients, custom mail clients, etc) |
Any other protocols identified as utilizing legacy authentication | Application should be up-to-date and added using modern authentication protocol such as 'Microsoft Exchange' or 'Microsoft 365' option | |
| Outlook Anywhere (formerly RPC over HTTP) |
Allows clients using Microsoft Outlook 2007/2010/2013 to connect to Exchange servers outside of corporate network over the internet using remote procedure call (RPC) or HTTP Windows networking component | Outlook 2007/2010/2013 | |
| Reporting Web Services | Used to retrieve report data via Exchange Online | PeopleSoft, Outlook email clients | |
| Universal Outlook | Protocol used by Mail/Calendar app for WIN 10 | Mail/Calendar app for WIN 10 | Remove and re-add account/s to use 'Exchange' or 'Microsoft 365' account types |