Basic Authentication is an older login method commonly used in protocols such as POP, IMAP, and SMTP AUTH. It primarily transmits usernames and passwords to applications in plaintext.
While this legacy authentication method has been the industry standard for years, it is considered insecure by today’s standards.
According to Microsoft’s analysis, Basic Authentication significantly increases a system’s exposure to brute-force and password-spray attacks. More importantly, it makes enforcing stronger controls such as Multifactor Authentication (MFA) difficult or, worse, impossible.
For this reason, Microsoft recommends blocking legacy authentication protocols entirely.
In this guide, we’ll explore the different methods you can use to disable legacy authentication in Microsoft Office 365.
A comprehensive guide to disabling legacy authentication protocols in Office 365
📌 Prerequisites:
- Microsoft 365 Setup: You must be working within a Microsoft 365 tenant with Exchange Online.
- Admin Rights: You must have global administrator, security administrator, or conditional access administrator rights.
- Licensing for Conditional Access: While you can configure Conditional Access with basic licensing, it’s recommended you have Microsoft Entra (formerly Azure AD) P1 or P2 to unlock advanced security features.
- Client Compatibility: Your clients or users must support OAuth 2.0, meaning they must be using Outlook 2016 or Microsoft 365 apps for enterprise.
📌 Recommended deployment strategies:
💡 Note: Since January 2023, Microsoft has disabled Basic Authentication in Exchange Online for several protocols, including Outlook, Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, Exchange Web Services (EWS), Offline Address Book (OAB), and Autodiscover.
Method 1: Using Microsoft 365 Admin Center (GUI)
📌 Use Case: This method affects all users in the tenant and can be configured to override per-user settings.
- Sign in to the Microsoft 365 Admin Center.
- Navigate to Settings > Org settings > Modern Authentication.
- Under Basic authentication, uncheck the boxes for the legacy protocols you want to disable, such as:
- IMAP
- POP
- SMTP AUTH
- MAPI
- Exchange Web Services (EWS)
- Exchange ActiveSync
- Click Save to apply the changes.
Method 2: Using Microsoft Entra Conditional Access
📌 Use Case: This method is ideal for enterprises with Microsoft Entra P1/P2 licenses. It allows you to block legacy authentication while allowing modern authentication apps to function.
- Go to Entra Admin Center (formerly Azure AD).
- Navigate to Security > Conditional Access.
- Click + New policy.
- Assign users/groups to the target.
- Under Cloud apps, select All cloud apps.
- In Conditions > Client Apps, include Other clients (legacy protocols).
- Under Access controls > Grant, choose Block access.
- Enable policy and click Create.
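The same policy can be created from the Microsoft Graph PowerShell SDK. This is an added example, not code from the article or from NinjaOne: it creates the policy in report-only mode first and then reads the sign-in logs to show what it would have blocked, so nothing is cut off before the affected users are known. It assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Reports modules are installed; the break-glass group ID is a placeholder.

```powershell
# Added example, not from the article: create the Method 2 policy with the
# Microsoft Graph PowerShell SDK in report-only mode, then read the sign-in logs
# to see what it would have blocked before switching it to 'enabled'.
# Assumes Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Reports are installed.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'AuditLog.Read.All'

# Placeholder: object ID of your emergency-access (break-glass) group
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName = 'Block legacy authentication (report-only)'
    # Evaluated and logged, never enforced, until you change this to 'enabled'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications = @{ includeApplications = @('All') }
        # 'exchangeActiveSync' + 'other' is the portal's "Other clients" selection:
        # EAS plus POP, IMAP, SMTP AUTH, EWS and other Basic Authentication clients
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# After a day or more in report-only, list the users and client apps that the
# policy would have blocked; each row is a migration task rather than an outage.
$since = (Get-Date).AddDays(-1).ToUniversalTime().ToString('o')
Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object {
        $_.AppliedConditionalAccessPolicies |
            Where-Object { $_.Id -eq $created.Id -and $_.Result -eq 'reportOnlyFailure' }
    } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object Count, Name |
    Sort-Object Count -Descending
```

Once the report is empty (or every remaining row has a migration plan), change `state` to `enabled` with Update-MgIdentityConditionalAccessPolicy.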
Method 3: Using PowerShell (per-user and tenant-level)
📌 Use Case: This approach allows you to manage legacy authentication protocols at both the user and enterprise levels. It’s best for scripting bulk configurations, auditing legacy auth usage, and customizing mailbox settings.
A. Connect to Exchange Online PowerShell
# Replace the address with the user principal name (UPN) of an admin account
Connect-ExchangeOnline -UserPrincipalName [email protected]
B. Disable legacy auth for individual protocols
Set-CASMailbox [email protected] -PopEnabled $false -ImapEnabled $false -MAPIEnabled $false -ActiveSyncEnabled $false -SmtpClientAuthenticationDisabled $true
# Note: -MAPIEnabled $false also blocks Outlook desktop (MAPI over HTTP), not only legacy MAPI clients; omit it for mailboxes that are used from Outlook.
C. Block legacy protocols globally (service-level settings)
# Enables OAuth 2.0 (modern authentication) for the tenant so that OAuth-capable clients such as Outlook 2016 and later stop using Basic Authentication
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
D. Audit users still using legacy auth
# Requires the Microsoft Graph PowerShell SDK (Microsoft.Graph.Reports) and the AuditLog.Read.All scope; the filter limits the query to the last 7 days
Connect-MgGraph -Scopes "AuditLog.Read.All"
Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $((Get-Date).AddDays(-7).ToUniversalTime().ToString('o'))" | Where-Object { $_.ClientAppUsed -in @("POP3", "IMAP4", "Authenticated SMTP", "Exchange Web Services", "Exchange ActiveSync", "Other clients") } | Select-Object CreatedDateTime, UserPrincipalName, ClientAppUsed
# "MAPI Over HTTP" is not included because modern Outlook uses it with OAuth as well, so it is not a reliable sign of legacy auth on its own
💡 Note: Sign-in logs require Microsoft Entra P1 or P2 licensing.
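The per-mailbox commands above scale poorly by hand. The following script is an added example, not code from the article or from NinjaOne: after Connect-ExchangeOnline it audits every mailbox's protocol flags, exports them, and then disables the legacy protocols in bulk, keeping SMTP AUTH only for a named list of service accounts (the list and its address are placeholders).

```powershell
# Added example, not from the article: audit every user mailbox for legacy
# protocols, export the findings, then disable the protocols in bulk while
# keeping SMTP AUTH only for an explicit exception list of service accounts.
# Run after Connect-ExchangeOnline. $SmtpAuthExceptions is a placeholder list.
$SmtpAuthExceptions = @('svc-scanner@contoso.example')

# 1. Audit. Get-EXOCASMailbox returns a minimal property set by default,
#    so the protocol flags have to be requested explicitly.
$props  = 'PrimarySmtpAddress', 'PopEnabled', 'ImapEnabled', 'ActiveSyncEnabled',
          'EwsEnabled', 'SmtpClientAuthenticationDisabled'
$report = Get-EXOCASMailbox -ResultSize Unlimited -Properties $props |
    Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled, ActiveSyncEnabled,
                  EwsEnabled, SmtpClientAuthenticationDisabled
$report | Export-Csv -Path .\legacy-auth-before.csv -NoTypeInformation

# Mailboxes with at least one legacy protocol still on. A blank
# SmtpClientAuthenticationDisabled means the mailbox inherits the tenant setting.
$report | Where-Object { $_.PopEnabled -or $_.ImapEnabled -or $_.ActiveSyncEnabled } |
    Format-Table -AutoSize

# 2. Remediate per mailbox. -WhatIf makes this a dry run; remove it after
#    reviewing the CSV. MAPIEnabled is deliberately left alone: setting it to
#    $false also cuts off modern Outlook (MAPI over HTTP), not just legacy clients.
foreach ($mbx in $report) {
    $keepSmtpAuth = $SmtpAuthExceptions -contains $mbx.PrimarySmtpAddress
    Set-CASMailbox -Identity $mbx.PrimarySmtpAddress `
        -PopEnabled $false -ImapEnabled $false -ActiveSyncEnabled $false `
        -SmtpClientAuthenticationDisabled (-not $keepSmtpAuth) -WhatIf
}

# 3. Tenant default: turn SMTP AUTH off for everyone. The explicit $false set
#    above on the exception accounts overrides this organisation-wide switch.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true -WhatIf
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled
```

Keep the exported CSV: it is both the rollback reference and the evidence that the exception list was deliberate rather than accidental.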
Method 4: Using Registry Editor (disable Basic Auth in Office 365)
📌 Use Case: This method is best for blocking legacy authentication on a single device.
A. To enforce modern authentication on the client side (e.g., Outlook):
- Press Win + R, type regedit, and press Enter.
- Navigate to: HKEY_CURRENT_USER\Software\Microsoft\Exchange
- Create or update: AlwaysUseMSOAuthForAutoDiscover (DWORD): 1
- Also check: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
- EnableADAL (DWORD): 1
- Version (DWORD): 1
- Restart Outlook to apply the changes.
These settings will force the client to use modern authentication and prevent fallback to basic auth.
⚠️ Warning: Misconfiguring the registry can cause system instability. Proceed with caution and back up the registry before making any changes.
Method 5: Using Command Prompt (Status Check and Troubleshooting)
📌 Use Case: These commands let you verify legacy auth behavior and check protocol accessibility during troubleshooting. They are also useful for checking whether legacy ports are still reachable.
A. Verify Outlook authentication type (via Tasklist)
tasklist /m | findstr auth
B. Trigger office repair (may force registry-based auth switch):
control appwiz.cpl
C. Check network-level protocol access:
telnet outlook.office365.com 143
telnet smtp.office365.com 587
💡 Note: Command Prompt itself cannot disable authentication protocols, but you can use it to verify their status.
Method 6: Using Group Policy (Client-side Enforcement)
📌 Use Case: This method blocks basic authentication and forces modern authentication in all Office 365 clients. It’s recommended for organizations using Active Directory that need consistent client-side policy enforcement.
- Open Group Policy Management Console (GPMC).
- Navigate to: User Configuration > Administrative Templates > Microsoft Outlook 2016 > Account Settings > Exchange.
- Enable the following settings:
- Enable modern authentication.
- Disallow basic authentication.
- Disable Exchange cached mode fallback to basic authentication.
- Deploy GPO using Active Directory or NinjaOne’s automation engine.
- Force policy update: gpupdate /force
Additional considerations when disabling legacy authentication in Microsoft 365
Here are a few more things you need to consider when disabling legacy authentication in Office 365:
- App Passwords: If multi-factor authentication (MFA) is enabled, legacy clients may still use app passwords. However, this login method has also been deprecated and should be disabled.
- SMTP AUTH Exceptions: You can use PowerShell to allow SMTP AUTH for specific service accounts.
- User Communication: Before disabling legacy authentication protocols, you should notify users in advance to prevent disrupting mail flow.
⚠️ Things to look out for
Keep these pitfalls in mind when using our guide:
| Risks | Potential consequences | Reversal |
|---|---|---|
| Misconfigured policies in Entra Admin Center | May block legitimate access and other critical services | Disable or modify the Conditional Access policy in Entra Admin Center. |
| Incorrect syntax in scripts | Manual errors in scripting can cause service disruptions. | Check the syntax of your script or command before running the scripts. |
| Incorrect registry keys | May cause Outlook to fail or lead to system instability | Back up your registry before making any changes. |
| GPO misconfiguration | Outlook clients may fail to authenticate or revert to basic authentication if fallback is allowed. | Edit or remove the GPO, then run gpupdate /force to apply the changes. |
Troubleshooting tips for disabling legacy authentication
- Users connecting via legacy protocol: If a user is still connecting via legacy protocol, check Exchange Online sign-in logs to identify which user is still using outdated authentication methods.
- Outlook prompts for password repeatedly: Confirm if the registry and GPO settings enforce OAuth.
- SMTP AUTH fails for automated senders: Only add exceptions if absolutely necessary.
- Enforcement delays: Allow up to 24 hours for some Microsoft 365 settings to take effect.
Why should you block legacy authentication?
While Basic Authentication is easy to implement, it has several security limitations that make it an easy target for sophisticated hackers.
For instance, it doesn’t support modern security features like multi-factor authentication (MFA), which is one of the most effective security measures for preventing unauthorized access.
It also doesn’t encrypt the credentials it transmits, meaning they can easily be intercepted and read if they are not sent over HTTPS.
More importantly, it offers no way to scope or limit the permissions granted to an application. One set of credentials alone can open up multiple data access points.
Without additional security layers in place, attackers only need a valid username and password to steal vital data and information.
NinjaOne services for strengthening authentication controls
NinjaOne provides MSPs and system admins with tools to simplify policy enforcement and strengthen authentication controls in distributed environments.
| NinjaOne Service | What it is | How it helps |
|---|---|---|
| PowerShell Script Deployment | Uses PowerShell scripts to push mailbox configurations and registry changes remotely at scale. | It allows system admins to remotely push Set-CASMailbox and registry changes across multiple endpoints simultaneously. |
| Group Policy Enforcement | Automates the rollout of security settings, such as disabling authentication protocols, across domain-joined devices. | It helps ensure consistent authentication policies across all endpoints. |
| Device Auditing | Monitors which endpoints are still using outdated or insecure authentication protocols. | It helps IT teams keep track of non-compliant devices and empowers them to act. |
| Alerting | Notifies MSPs and system administrators of any basic authentication attempts or when crucial configurations are made. | It enables system administrators to respond to potential threats or policy violations proactively. |
| Inventory reporting | Identifies which endpoints support modern authentication and which still rely on legacy protocols. | It provides useful insights for planning upgrades and other remediation efforts. |
Using NinjaOne with Microsoft 365 provides you with a fully automated, scalable, and compliant approach to disabling legacy authentication while maintaining productivity.
Mitigate critical risks by disabling outdated legacy authentication protocols in Microsoft 365
In today’s high-risk digital landscape, disabling legacy authentication protocols is no longer optional. It’s a vital step in strengthening your organization’s security posture.
As cyber threats continue to evolve, the demand for secure and future-ready authentication strategies will only increase.
Disabling legacy protocols like Basic Authentication in Microsoft 365 is the first step to adopting stronger, more modern authentication methods. It sets the foundation for building robust cybersecurity policies.
Quick-Start Guide
NinjaOne supports configuring SSO with Azure AD for Line-of-Business Apps. Specifically:
- NinjaOne offers SAML/SSO configuration with Azure AD
- The process involves creating an Enterprise Application in Azure AD
- You can set up Single Sign-On (SSO) with Azure Active Directory
- The configuration allows for:
- Mapping user attributes
- Configuring group mappings
- Enabling conditional MFA bypass
- Supporting technician and end-user accounts
Key steps include:
- Create an Enterprise Application in Azure AD
- Configure SAML settings
- Map user attributes and roles
- Set up group mappings
- Optionally configure MFA bypass
The documentation provides detailed guidance on setting up SSO, including specific instructions for Azure AD integration. Administrators can enable SSO for both technicians and end-users with granular control over access and authentication.
