We want legacy authentication fully off in Microsoft 365
Legacy auth (IMAP, POP3, SMTP-AUTH, autodiscover-basic) does not support MFA. As long as it is on, your MFA policy is not what it looks like. Microsoft has turned off most basic auth, but SMTP-AUTH can still be enabled per mailbox.
Try this first
- 1. Build a Conditional Access policy named "Block Legacy Authentication": all users, all apps, condition Client App = Other clients and Exchange ActiveSync, action Block. Start in Report-only.
- 2. Run 14 days in Report-only and check which accounts try legacy. Often there are printers (scan-to-mail), service accounts, and old line-of-business apps.
- 3. For printers: switch to SMTP relay through an internal mail relay (like a local SMTP server) or move to Graph-based scan-to-mail. The printer keeps working without legacy auth on the account.
- 4. For service accounts: migrate to OAuth app-only permissions or a service principal with a certificate. No more password-based IMAP.
- 5. Flip the policy to Block. Track all helpdesk tickets during the first week; there is often an undocumented process in there.
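To turn the Report-only period in step 2 into a worklist for steps 3 and 4, the following added example (not part of the original page) summarises legacy sign-ins per account. It assumes records in the Microsoft Graph signIn JSON shape, treats every client app other than "Browser" and "Mobile Apps and Desktop clients" as legacy, and runs on constructed sample data; the function names are hypothetical.

```python
from collections import defaultdict

POLICY_NAME = "Block Legacy Authentication"  # display name used in step 1
MODERN_CLIENTS = {"browser", "mobile apps and desktop clients"}  # assumption: all else is legacy

def legacy_worklist(sign_ins, policy_name=POLICY_NAME):
    """Summarise legacy-protocol sign-ins per account from Graph-style signIn records."""
    accounts = defaultdict(lambda: {"protocols": set(), "ips": set(), "succeeded": 0,
                                    "failed": 0, "would_block": 0, "last_seen": ""})
    for s in sign_ins:
        client = (s.get("clientAppUsed") or "").strip()
        if not client or client.lower() in MODERN_CLIENTS:
            continue  # modern authentication, or no client app recorded
        row = accounts[(s.get("userPrincipalName") or "unknown").lower()]
        row["protocols"].add(client)
        row["ips"].add(s.get("ipAddress") or "unknown")
        # errorCode 0 is a successful sign-in: a workflow that will break on Block.
        ok = (s.get("status") or {}).get("errorCode") == 0
        row["succeeded" if ok else "failed"] += 1
        # ISO 8601 UTC timestamps compare correctly as strings.
        row["last_seen"] = max(row["last_seen"], s.get("createdDateTime") or "")
        for p in s.get("appliedConditionalAccessPolicies") or []:
            if p.get("displayName") == policy_name and p.get("result") == "reportOnlyFailure":
                row["would_block"] += 1  # Report-only verdict: Block would have applied
    return dict(accounts)

def needs_migration(worklist):
    """Accounts with at least one successful legacy sign-in (work for steps 3 and 4)."""
    return sorted(upn for upn, row in worklist.items() if row["succeeded"])

def _rec(upn, client, ip, when, code, result=None):
    """Build one constructed sign-in record in the assumed JSON shape."""
    cap = [{"displayName": POLICY_NAME, "result": result}] if result else []
    return {"userPrincipalName": upn, "clientAppUsed": client, "ipAddress": ip,
            "createdDateTime": when, "status": {"errorCode": code},
            "appliedConditionalAccessPolicies": cap}

# Constructed sample data, not real log entries.
SAMPLE = [
    _rec("scanner@example.com", "Authenticated SMTP", "192.0.2.10", "2024-05-02T08:00:00Z", 0, "reportOnlyFailure"),
    _rec("scanner@example.com", "Authenticated SMTP", "192.0.2.10", "2024-05-03T08:00:00Z", 0, "reportOnlyFailure"),
    _rec("svc-erp@example.com", "IMAP4", "198.51.100.7", "2024-05-02T09:30:00Z", 0, "reportOnlyFailure"),
    _rec("alice@example.com", "Browser", "198.51.100.20", "2024-05-02T10:00:00Z", 0, "reportOnlyNotApplied"),
    _rec("bob@example.com", "POP3", "203.0.113.50", "2024-05-02T11:00:00Z", 50126),
]

if __name__ == "__main__":
    wl = legacy_worklist(SAMPLE)
    for upn in needs_migration(wl):
        print(upn, sorted(wl[upn]["protocols"]), wl[upn]["last_seen"])
```

Accounts that show only failed legacy sign-ins (bob@example.com in the sample) have no working process to migrate; their attempts are worth reviewing as possible password guessing rather than as a dependency.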
When to bring us in
If an ERP, CRM or industry application only works through SMTP-AUTH with a password and the vendor offers no alternative, demand a roadmap with a date. If there is no roadmap, that is a vendor risk the board should see, not only IT.
See also
- I think I clicked a phishing link - No shame, happens to everyone. The next fifteen minutes matter.
- A colleague's account is acting strangely - Sending mail in their name, rules hiding folders, unusual sign-ins. Suspicious.
- Lost the MFA app: new phone, no backup codes - Classic problem after a phone upgrade. You are not the first to be locked out.