Legacy authentication refers to older sign-in methods that often cannot enforce modern MFA challenges the way interactive browser/app auth can. Attackers still spray credentials against these endpoints.
Why it matters
If legacy auth is allowed, a stolen password may still work even when “MFA is on” for modern clients.
How to approach blocking it
- Identify which apps still use legacy protocols (mail clients, line-of-business tools)
- Upgrade or reconfigure those apps
- Block legacy auth with Conditional Access once clear
Want this applied in your tenant?
Book a free 15-minute review. We can walk your Microsoft 365 and identity posture and recommend a sensible next step—including ImpetraInsights™ when a formal baseline helps.