Allowing legacy authentication to your SharePoint online tenant unnecessarily exposes it to a number of attacks and exploits that you can easily avoid by simply disabling legacy authentication to your tenant. Microsoft has made it clear that all roads lead to the cloud, and with that Azure Active Directory has become an even more critical piece as the identity provider to O365. Microsoft has introduced a number of security-focused features into its cloud platform over the last couple of years which all depend on using modern authentication.
To be clear, I’m talking about Azure Active Directory’s conditional access under the new Azure Resource Manager model. Azure AD’s conditional access does not support legacy authentication methods which means that moving forward legacy authentication, in general, will be less and less supported within O365. In the past, this wasn’t as much of an issue as legacy authentication was the only type of authentication, but now all new development changes with conditional access leverage modern authentication exclusively.
There are two types of authentication in Office 365: Legacy authentication and Modern authentication.
Originally, legacy authentication was the only form of authentication in O365. Legacy authentication leverages HTTP Basic Authentication, where credentials are passed in the form of a username and password. Relying on just a password is a bad idea for a variety of reasons: passwords are often easy to guess, and they are also vulnerable to attacks like phishing and password spraying.
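The following PowerShell function is an added example, not code from the original post, that illustrates the point above: a Basic Authentication header is just the username and password base64-encoded, so anyone who can read the request (a proxy, a gateway log, an interception point) can read the password, whereas a modern Bearer token is an opaque, scoped, expiring credential. The sample headers are constructed and contain no real credentials.

```powershell
# Added example (not from the original post): inspect an HTTP Authorization
# header value and report what kind of credential it carries.
function Get-AuthHeaderInfo {
    param([Parameter(Mandatory = $true)][string]$HeaderValue)

    # "Basic <base64>" or "Bearer <token>": split scheme from value
    $parts  = $HeaderValue.Trim() -split '\s+', 2
    $scheme = $parts[0]
    $value  = if ($parts.Count -gt 1) { $parts[1] } else { '' }

    switch ($scheme) {
        'Basic' {
            try {
                $decoded = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($value))
            } catch {
                return [pscustomobject]@{ Scheme = 'Basic'; User = $null; PasswordExposed = $false; Note = 'malformed base64' }
            }
            # Basic credentials are simply "user:password"; base64 is encoding, not encryption
            $user, $pass = $decoded -split ':', 2
            return [pscustomobject]@{
                Scheme          = 'Basic'
                User            = $user
                PasswordExposed = -not [string]::IsNullOrEmpty($pass)
                Note            = 'clear-text password readable by anyone who sees the request'
            }
        }
        'Bearer' {
            return [pscustomobject]@{ Scheme = 'Bearer'; User = $null; PasswordExposed = $false; Note = 'token, not a password; scoped and expiring' }
        }
        default {
            return [pscustomobject]@{ Scheme = $scheme; User = $null; PasswordExposed = $false; Note = 'unrecognised scheme' }
        }
    }
}

# Constructed sample header values (placeholder account and password, not real)
$samples = @(
    'Basic ' + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes('alice@contoso.example:PlaceholderPassw0rd')),
    'Bearer eyJhbGciOi.placeholder-token',
    'Basic not-base64!!'
)

$samples | ForEach-Object { Get-AuthHeaderInfo -HeaderValue $_ } |
    Format-Table Scheme, User, PasswordExposed, Note -AutoSize
```

Running the script prints one row per sample: the Basic header decodes straight back to the username and a password, the Bearer header yields no password at all, and the malformed Basic header is reported as such rather than throwing.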
Aside from the known exploits, the other major issue with legacy authentication is that Microsoft has announced the discontinuation of support for most legacy clients. Relying on legacy authentication simply won't be an option after October 13th, 2020, so, security implications aside, it's best to get ahead of this before you're forced to anyway.
For the sake of comparison, the primary concern with legacy authentication is that it’s performed against the service whereas modern authentication is performed against the identity provider.
Let's consider the following scenarios and their results (the scenario comparison itself is not reproduced in this text):
Modern authentication is based on the Active Directory Authentication Library (ADAL) and OAuth 2.0, which support multi-factor authentication and interactive sign-in. This is why nearly 100% of password spray attacks target legacy authentication protocols, which do not support interactive sign-in. Interactive sign-in is required for additional security challenges like MFA and device authentication.
Disable legacy authentication on your SharePoint Online tenant. Once this is configured you can enforce stricter rules around conditional access policies like interactive sign-in which will drastically improve your security posture with minimal impact or effort.
How to disable legacy authentication:
Use PowerShell
Run the following commands to determine your current authentication protocol setting:
Connect-SPOService -Url https://<tenant>-admin.sharepoint.com
# Replace <tenant> with your tenant's name
Get-SPOTenant
Check the "LegacyAuthProtocolsEnabled" property: if it is set to True, legacy authentication is enabled and we will want to set it to False.
Run the following commands to disable legacy authentication on your SharePoint tenant:
Connect-SPOService -Url https://<tenant>-admin.sharepoint.com
Set-SPOTenant -LegacyAuthProtocolsEnabled $false
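The two steps above (check the current value, then disable it) combined into one script, as an added example rather than code from the original post. It assumes the Microsoft.Online.SharePoint.PowerShell module is installed and that you pass your own tenant name in place of the placeholder; it reads the setting first, refuses to change anything in report-only mode, and re-reads the setting afterwards so that success is verified rather than assumed.

```powershell
# Added example (not from the original post): audit and disable legacy
# authentication on a SharePoint Online tenant, then verify the change.
param(
    [Parameter(Mandatory = $true)]
    [string]$TenantName,        # placeholder: the part before "-admin.sharepoint.com"
    [switch]$ReportOnly         # show the current value without changing it
)

Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop

$adminUrl = "https://$TenantName-admin.sharepoint.com"
Connect-SPOService -Url $adminUrl

# Read the current setting before touching anything
$before = (Get-SPOTenant).LegacyAuthProtocolsEnabled
Write-Host "LegacyAuthProtocolsEnabled before: $before"

if (-not $before) {
    Write-Host "Legacy authentication is already disabled; nothing to do."
    return
}

if ($ReportOnly) {
    Write-Host "ReportOnly specified: legacy authentication is enabled and would be disabled."
    return
}

Set-SPOTenant -LegacyAuthProtocolsEnabled $false

# Verify the change took effect before reporting success
$after = (Get-SPOTenant).LegacyAuthProtocolsEnabled
if ($after) {
    Write-Error "LegacyAuthProtocolsEnabled is still True after Set-SPOTenant; check that the account is a SharePoint administrator and retry."
} else {
    Write-Host "Legacy authentication disabled. LegacyAuthProtocolsEnabled is now: $after"
}
```

Run it first with -ReportOnly to see the current state, then without the switch to apply the change. Tenant-level settings can take some time to propagate to clients, so a legacy client that still connects immediately afterwards is not by itself a sign that the change failed.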
Switching completely to Modern authentication and disabling Basic authentication (even without implementing MFA) is a major improvement to security. Modern authentication is not subject to the same types of attacks and exploits that are possible with Basic authentication, and legacy authentication is already scheduled to go end of life on October 13th, 2020.
Chris studied Information Systems at Hofstra University before joining Stealthbits – now part of Netwrix where he took on the role as the Technical Product Manager of SharePoint, Dropbox, and Box solution sets. His focus is primarily on SharePoint security, but data security, in general, is a passion. Aside from technical interests, he enjoys the outdoors and hopes to one day start an animal rescue and rehabilitation center for injured, disabled, and orphaned animals.
© 2022 Stealthbits Technologies, Inc.