IT Connect
Your connection to information technology at the UW

Legacy authentication

“Legacy authentication” is a term Microsoft uses for basic authentication (the client sends the user’s username and password directly to the service) when it is used with Microsoft’s cloud services. This is in contrast with “modern authentication”, which is token-based and provides more security and capabilities.

Background

Legacy (or basic) authentication is characterized by:

  • a client or network protocol which is incapable of, or not configured for, modern authentication
  • a client which sends both the username and password to the application
  • an application using the username and password to get a logon token on behalf of the user

Modern authentication is characterized by:

  • a client and service capable of using OpenID Connect, SAML, and/or OAuth 2.0 for authentication
  • a client and service which can accept redirects to the identity provider for all authentication interactions and can work with authentication tokens of the protocols above

All Microsoft cloud services are modern authentication capable.

So whether legacy or modern authentication is used is dependent on the client capabilities. In many cases, you can update your client application or change to an alternative client application to use modern authentication.

A list of known clients using legacy authentication is available. Replacing a client that uses legacy authentication with one capable of modern authentication is the action that mitigates legacy authentication.

Relevance

Legacy authentication cannot be protected by 2FA: because the client sends only a username and password, there is no point in the sign-in at which the identity provider can require a second factor, so a stolen or guessed password alone is enough to sign in. And because the password itself is handled by the client application and sent to the service, rather than a short-lived token, it is less secure than modern authentication.

At some point in the future, we expect non-modern authentication to be blocked. For example, Microsoft plans to turn most legacy authentication off for Exchange Online in 2021.

Since legacy authentication hinges on the client software used, transitioning off legacy authentication is something best done by IT units in concert with individual users.

For the typical user, determining whether they are using legacy authentication is too complex. This means it falls to IT units to determine who needs intervention and to help individual users through the transition.

The ability for IT units to recognize which users are using legacy authentication is therefore important.

Reporting

We have published log details about legacy authentication in a CSV file, with data from each day in a separate CSV file. We plan to keep 30 days worth of data. Access to the data is available to current employees for IT support and information security purposes only, upon request via help@uw.edu with a subject line of “Microsoft Infrastructure: Legacy authentication reporting”.

Legacy authentication reports

The following fields are available in these reports:

  • Client application: the individual component within the cloud application service reporting the legacy authentication
  • Sign-in status: whether authentication succeeded or not
  • Mask IP address: the last two octets of the client IP address. The first two octets have been masked to address privacy concerns.
  • App: the cloud application service reporting the legacy authentication
  • Error code: error codes reported as part of the authentication
  • Operating system: the client platform, if available to the cloud application service
  • Browser: the client application name or information, if available to the cloud application service
  • Country or region: the country of origin for the client
  • State: the state of origin for the client
  • City: the city of origin for the client
  • Time generated: timestamp for the authentication
  • User Principal Name: the fully qualified username
  • User: the display name of the user

Determining the client application is not necessarily straightforward, but this is the best data available.

In most cases, you should be able to leverage the combination of these fields to narrow down the source of legacy authentication to a specific device, then use the list of known clients (in concert with any data in the browser field) to determine which client application needs to be upgraded or replaced on that device.
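The triage described above can be scripted. The following is an added example, not code from the IT Connect page or from UW-IT: it reads a daily report CSV with the field names listed above, keeps successful sign-ins by default (a failing saved password is noise until you want it), and groups the remaining rows by User Principal Name so that each user’s legacy clients and devices (operating system, browser, masked IP) are listed together with a remediation hint. The sample rows, the “Success”/“Failure” status strings and the small client lookup table are constructed assumptions for illustration; the authoritative list of known clients is the one the page refers to.

```python
"""Summarise a legacy-authentication CSV report by user and client.

Added example, not part of the original IT Connect page. Column headers
follow the field list above; the row values, the status strings
("Success"/"Failure") and the KNOWN_CLIENTS table are constructed
assumptions for illustration.
"""
import csv
import io

# Constructed sample in the report's field layout (not real sign-in data).
SAMPLE_REPORT = """\
Client application,Sign-in status,Mask IP address,App,Error code,Operating system,Browser,Country or region,State,City,Time generated,User Principal Name,User
Exchange ActiveSync,Success,.23.17,Office 365 Exchange Online,0,Android,Android-Mail/2020,US,Washington,Seattle,2020-04-20T14:02:11Z,jdoe@uw.edu,Jane Doe
Exchange ActiveSync,Success,.23.17,Office 365 Exchange Online,0,Android,Android-Mail/2020,US,Washington,Seattle,2020-04-20T15:02:40Z,jdoe@uw.edu,Jane Doe
IMAP4,Failure,.88.201,Office 365 Exchange Online,50126,,Thunderbird,US,Washington,Seattle,2020-04-20T09:15:03Z,rroe@uw.edu,Richard Roe
Authenticated SMTP,Success,.10.5,Office 365 Exchange Online,0,,,US,Washington,Seattle,2020-04-21T01:00:00Z,printer-svc@uw.edu,Printer Service
"""

# Hypothetical mapping from "Client application" values to remediation hints.
# Substitute the page's list of known clients in real use.
KNOWN_CLIENTS = {
    "Exchange ActiveSync": "replace with a mail client that supports modern auth",
    "IMAP4": "switch the client to OAuth 2.0 / modern auth or replace it",
    "POP3": "switch the client to OAuth 2.0 / modern auth or replace it",
    "Authenticated SMTP": "device or service account; needs a non-password integration",
}


def parse_report(text):
    """Read one day's CSV report into a list of row dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize(rows, successful_only=True):
    """Group rows by User Principal Name.

    Rows from several daily files can simply be concatenated before calling
    this. Failed sign-ins are dropped by default because they usually reflect
    a stale saved password rather than a client that still needs replacing.
    """
    summary = {}
    for row in rows:
        if successful_only and row["Sign-in status"] != "Success":
            continue
        upn = row["User Principal Name"].lower()
        stamp = row["Time generated"]  # ISO 8601 strings sort correctly as text
        entry = summary.setdefault(upn, {
            "user": row["User"],
            "count": 0,
            "clients": set(),
            "devices": set(),
            "first_seen": stamp,
            "last_seen": stamp,
        })
        entry["count"] += 1
        entry["clients"].add(row["Client application"])
        # OS + browser + masked IP is usually enough to pin down one device.
        entry["devices"].add((row["Operating system"], row["Browser"], row["Mask IP address"]))
        entry["first_seen"] = min(entry["first_seen"], stamp)
        entry["last_seen"] = max(entry["last_seen"], stamp)
    return summary


def remediation(client_application):
    """Look up a remediation hint; unknown clients need the Browser/OS fields read by hand."""
    return KNOWN_CLIENTS.get(client_application, "unknown client; inspect Browser and OS fields")


def report(summary):
    """Render the summary as plain text for an IT unit to work through."""
    lines = []
    for upn, e in sorted(summary.items()):
        lines.append(f"{upn} ({e['user']}): {e['count']} legacy sign-ins, "
                     f"{e['first_seen']} .. {e['last_seen']}")
        for client in sorted(e["clients"]):
            lines.append(f"  - {client}: {remediation(client)}")
        for os_name, browser, ip in sorted(e["devices"]):
            lines.append(f"  device: os={os_name or '?'} client={browser or '?'} ip=x.x{ip}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(parse_report(SAMPLE_REPORT))))
```

Run `summarize(rows, successful_only=False)` when you also want to see failing clients, for example to find a decommissioned mailbox that a device is still polling.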

Another option

If you’d like to block legacy authentication for your users across all Microsoft applications, we can do that. This is a good option to exercise after you’ve addressed all existing uses, or once you’ve identified that certain users have no legacy authentication: it will prevent new uses from emerging after you’ve done the hard work of tracking down and addressing the existing ones. Do note that you’ll need to be prepared to deal with any issues that arise.

Send requests to help@uw.edu with a subject line of: “Microsoft Infrastructure: conditional access block legacy for X” where X is your unit name. Be prepared with a group of the users to block legacy authentication.

Last reviewed April 27, 2020