What are Blocked Legacy Authentication Alerts?
Blocked Legacy Authentication alerts monitor for degradation in an M365 environment's Legacy Authentication posture.
Set-up Alert
Navigate to Secure > Alerts > Settings
Why should I monitor Blocked Legacy Authentications?
Legacy Authentication services do not understand MFA protocols, so accounts that use them completely bypass the additional security added by MFA. This leaves those accounts vulnerable, since, as per Microsoft, 99.9% of cyberattacks can be prevented simply by enabling MFA. Ensuring users can't use legacy authentication protocols keeps hackers from undermining your MFA posture.
Alert Logic
Hardcoded logic based on the following:
Logic is not evaluated at the time of integration/feature enablement. We don't want to hammer your inbox with notifications for nothing.
Daily comparisons are evaluated (previous day's record at scan time vs. new record at scan time).
For a given user, an alert is sent if the previous day's record was compliant (Legacy Authentications were disabled) and the new record is non-compliant (Legacy Authentications are enabled).
When a new user is added to the environment without Legacy Authentication being blocked, a notification will not be generated, as that is their baseline state. This avoids unnecessary notifications for things like Service Accounts.
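The comparison rules above, written out as an added example (this is not the product's own code). The data shape is an assumption: each daily scan is a date plus a mapping of account email to whether Legacy Authentication is blocked, and the accounts and dates are constructed sample data.

```python
from datetime import date

def degraded_accounts(previous, current):
    """Compare two daily scans; each is (scan_date, {email: legacy_auth_blocked}).

    previous is None for the first scan after enablement.
    """
    if previous is None:
        return []                      # first scan only records the baseline
    prev_date, prev_state = previous
    cur_date, cur_state = current
    alerts = []
    for email in sorted(cur_state):
        if email not in prev_state:
            continue                   # new user: today's state is the baseline
        # Alert only on compliant -> non-compliant; already-unblocked accounts stay quiet.
        if prev_state[email] and not cur_state[email]:
            alerts.append({"email": email, "previous": prev_date, "current": cur_date})
    return alerts

def run_daily_scans(scans):
    """Walk scans in date order and return {scan_date: [alerts]}."""
    results, previous = {}, None
    for scan in scans:
        results[scan[0]] = degraded_accounts(previous, scan)
        previous = scan
    return results

# Constructed sample data (True = Legacy Authentication blocked).
SCANS = [
    # Day 1: feature enabled, nothing to compare against.
    (date(2024, 1, 1), {"alice@example.com": True, "bob@example.com": True,
                        "svc-backup@example.com": False}),
    # Day 2: bob regresses; carol is new and unblocked (her baseline).
    (date(2024, 1, 2), {"alice@example.com": True, "bob@example.com": False,
                        "svc-backup@example.com": False, "carol@example.com": False}),
    # Day 3: alice regresses; bob is still unblocked but was already reported.
    (date(2024, 1, 3), {"alice@example.com": False, "bob@example.com": False,
                        "svc-backup@example.com": False, "carol@example.com": False}),
]

if __name__ == "__main__":
    for day, alerts in run_daily_scans(SCANS).items():
        print(day, [a["email"] for a in alerts])
```

Because an account that has never been compliant never triggers an alert, accounts like the service account and the new user in this sample need a separate review if they should have Legacy Authentication blocked.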
Email Notification Layout
Subject: Block Legacy Authentication Enabled Alert for <company name>
Tenant: <company name>
Discovered on: yyyy-mm-dd
Legacy Authentication was previously blocked, and is now enabled for the below account(s).
===========
Name: <user1>
Email: <email1>
Previous State: Enabled (yyyy-mm-dd)
Current State: Disabled (yyyy-mm-dd)
Name: <user2>
Email: <email2>
Previous State: Enabled (yyyy-mm-dd)
Current State: Disabled (yyyy-mm-dd)