IT Connect
Your connection to information technology at the UW

Legacy authentication

“Legacy authentication” is a term Microsoft sometimes uses to describe basic authentication when used with its cloud-based services. This is in contrast with the term “modern authentication”, which provides more security and capabilities.


Legacy (or basic) authentication is characterized by:

  • a client or network protocol which is incapable of, or not configured for, modern authentication
  • a client which sends both the username and password to the application
  • an application using the username and password to get a logon token on behalf of the user

Modern authentication is characterized by:

  • a client and service capable of using OpenID Connect, SAML, and/or OAuth 2.0 for authentication
  • a client and service which can accept redirects to the identity provider for all authentication interactions and can work with authentication tokens of the protocols above

All Microsoft cloud services are modern authentication capable.

So whether legacy or modern authentication is used is dependent on the client capabilities. In many cases, you can update your client application or change to an alternative client application to use modern authentication.

A list of known clients using legacy authentication is provided below. Replacing a client that uses legacy authentication with a client capable of modern authentication is the action that mitigates legacy authentication.


Legacy authentication cannot be protected by 2FA. Because the password is disclosed to the application, it is less secure than modern authentication. If legacy authentication is not blocked for your account, third-party applications can ask for your credentials and obtain your password without your being aware that they have it.

At some point in the future, we expect non-modern authentication to be blocked. For example, Microsoft plans to turn most legacy authentication off for Exchange Online in 2022.

How do I address my use of legacy authentication?

Since legacy authentication hinges on the client software used, transitioning off legacy authentication requires the individual user to change the client software they are using. This may require IT units to assist the user.

For the typical user, determining whether you are using legacy authentication is a significant undertaking. If you are using one of the client applications known not to use modern authentication protocols, you should replace it. If you don’t have one of these client applications but still suspect you are using legacy authentication, involving your IT unit can help.

What client applications are known not to use modern authentication protocols?

This list is not intended to be comprehensive; it is only a list of known client applications. If you have one which should be added, please let us know.

  • Outlook 2013 without special settings enabled (we recommend you upgrade)
  • Outlook 2010 or earlier
  • Mac Mail on Mac OS 10.13 or earlier
  • Thunderbird
  • Eudora
  • Pine
  • Android Touchdown
  • Android BlueMail
  • Any client application on iPhone 5 and lower (can use browsers to OWA)
  • Any client application on iPad 4th generation and lower (can use browsers to OWA)
  • Mail on iOS 10 or lower
  • Any client application on Chromebooks (can use browsers to OWA)
  • Most IMAP4 or POP3 clients
  • Exchange Online PowerShell module


We have published log details about legacy authentication in CSV files, with each day’s data in a separate CSV file. We plan to keep 30 days’ worth of data. Employees of UW-IT and all OU administrators have access; access to the data is available to current employees for IT support and information security purposes only. Other IT staff can request access via with a subject line of “Microsoft Infrastructure: Legacy authentication reporting”.

Legacy authentication reports

The following fields are available in these reports:

  • Client application: the individual component within the cloud application service reporting the legacy authentication
  • Sign-in status: whether authentication succeeded or not
  • Mask IP address: the last two octets of the client IP address. The full address has been masked to address privacy concerns.
  • App: the cloud application service reporting the legacy authentication
  • Error code: error codes reported as part of the authentication
  • Operating system: the client platform, if available to the cloud application service
  • Browser: the client application name or information, if available to the cloud application service
  • Country or region: the country of origin for the client
  • State: the state of origin for the client
  • City: the city of origin for the client
  • Time generated: timestamp for the authentication
  • User Principal Name: the fully qualified username
  • User: the display name of the user

Determining the client application is not necessarily straightforward, but this is the best data available.

In most cases, you should be able to leverage the combination of these fields to narrow down the source of legacy authentication to a specific device, then use the list of known clients (in concert with any data in the browser field) to determine which client application needs to be upgraded or replaced on that device.
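As an added example (not part of the page or of UW-IT’s own tooling), the following Python script reads a report in the field layout listed above, groups rows per User Principal Name and per device fingerprint (masked IP, operating system, browser), counts successful and failed sign-ins, and flags values in the Browser and Client application fields that match entries in the known-client list. The sample rows, users, masked addresses and error codes are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample report. Column names follow the fields listed above;
# every value (users, masked IPs, error codes, timestamps) is made up.
SAMPLE_REPORT = """\
Client application,Sign-in status,Mask IP address,App,Error code,Operating system,Browser,Country or region,State,City,Time generated,User Principal Name,User
Exchange ActiveSync,Success,x.x.45.12,Office 365 Exchange Online,0,Android,BlueMail,US,Washington,Seattle,2021-05-01T14:02:11Z,alice@example.edu,Alice Example
IMAP4,Success,x.x.45.12,Office 365 Exchange Online,0,Linux,Thunderbird,US,Washington,Seattle,2021-05-01T14:05:40Z,alice@example.edu,Alice Example
IMAP4,Failure,x.x.45.12,Office 365 Exchange Online,12345,Linux,Thunderbird,US,Washington,Seattle,2021-05-01T14:06:02Z,alice@example.edu,Alice Example
Exchange Online PowerShell,Success,x.x.200.7,Office 365 Exchange Online,0,Windows 10,,US,Washington,Seattle,2021-05-02T09:15:00Z,bob@example.edu,Bob Example
"""

# Substrings taken from the known-legacy-client list above (plus the IMAP4/POP3
# protocol names), matched case-insensitively against Browser and Client application.
KNOWN_LEGACY_CLIENTS = (
    "Thunderbird", "Eudora", "Pine", "Touchdown", "BlueMail",
    "Exchange Online PowerShell", "IMAP4", "POP3",
)


def summarize_legacy_auth(csv_text):
    """Return {upn: {(masked_ip, os, browser): {"success", "failure", "matches"}}}."""
    summary = defaultdict(lambda: defaultdict(
        lambda: {"success": 0, "failure": 0, "matches": set()}))
    for row in csv.DictReader(io.StringIO(csv_text)):
        upn = row["User Principal Name"]
        device = (row["Mask IP address"], row["Operating system"], row["Browser"])
        entry = summary[upn][device]
        if row["Sign-in status"].strip().lower() == "success":
            entry["success"] += 1
        else:
            entry["failure"] += 1
        haystack = f'{row["Browser"]} {row["Client application"]}'.lower()
        entry["matches"].update(
            name for name in KNOWN_LEGACY_CLIENTS if name.lower() in haystack)
    return summary


def action_lines(summary):
    """One human-readable line per user/device, listing the clients to replace."""
    lines = []
    for upn, devices in sorted(summary.items()):
        for (ip, os_name, browser), e in sorted(devices.items()):
            clients = ", ".join(sorted(e["matches"])) or "unidentified client"
            lines.append(f'{upn}: ip={ip} os={os_name or "?"} browser={browser or "?"} '
                         f'ok={e["success"]} failed={e["failure"]} -> replace: {clients}')
    return lines


if __name__ == "__main__":
    print("\n".join(action_lines(summarize_legacy_auth(SAMPLE_REPORT))))
```

Point the script at a real daily CSV (for example by reading the file into `csv_text`) to get one line per user and device that still needs attention.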

Turning it off

If you’d like to block legacy authentication across all Microsoft applications, we can do that. This is a great option to exercise after you’ve addressed all existing uses, or if you’ve identified that certain users have no legacy authentication; it will prevent new uses from emerging after you’ve done the hard work of tracking down and addressing the existing uses. Do note that you’ll need to be prepared to deal with any issues that arise.

To block legacy authentication, anyone with a personal UW NetID can join (and unjoin) this group: After joining the group, you’ll need to wait for Azure AD Connect to synchronize the group to Azure AD, which could take up to an hour. Any sign-in after that should not permit legacy authentication.

If you have another type of UW NetID you’d like to opt-in, you’ll need to request it via UW-IT. Send requests to with a subject line of: “Microsoft Infrastructure: conditional access block legacy for X” where X is your unit name. Be prepared with a group of the users to block legacy authentication.

Last reviewed May 13, 2021