Disabling Legacy Authentication Protocols - University of Houston
Skip to main content

What are Legacy Protocols?

Legacy protocols are processes that use Basic authentication to connect to email clients, calendars, and web services. Basic authentication simply means the application sends a username and password with every request, and those credentials are also often stored or saved on the device.  

Basic authentication makes it easier for attackers to capture user credentials, increasing the risk of the stolen data being reused. The enforcement of two-factor authentication (2FA) is not simple or in some cases, possible when Basic authentication remains enabled.

Microsoft is disabling legacy protocols on October 1, 2022. These protocols cannot be protected by multi-factor authentication (MFA) or Duo, therefore it is imperative that you not wait to move to other applications before October.

How can I identify if I am using legacy protocols?

A simple way to tell if a software client (for example, Outlook) is using Basic authentication or Modern authentication is to observe the dialog that's presented when the user logs in.

Modern Authentication - Web-based Login Page Legacy Authentication - Dialog Credential Window

On a mobile device, you'll see a similar web-based page when you authenticate if the device is trying to connect using Modern authentication.

Legacy Protocol Details and Alternatives

There are approximately thirteen protocols that are still used and this website will identify those and help you move to newer applications that use updated protocols.

Legacy Protocol Description What Uses It? Solutions
Exchange ActiveSync and Autodiscover Used to connect mailboxes to Exchange Online
  • Windows Mail
  • Calendar and email clients on mobile devices, Mac OS
IMAP Allows access to email without downloading it to the device. Email is read directly from the email service Email clients such as Thunderbird and Spark or Outlook and Apple Mail when manually configured
MAPI Over HTTP Primary mailbox access protocol used by Outlook 2010 SP2 and later Outlook 2010 and newer email clients on mobile devices
POP Used by POP email clients that download email to the device Email clients such as Thunderbird and Spark or Outlook and Apple Mail when manually configured
SMTP Authentication TCP/IP protocol used to send/forward email; it cannot receive messages Email clients such as Thunderbird and Spark or Outlook and Apple Mail when manually configured
Exchange Online Powershell Used to connect to Exchange Online with Remote Powershell Exchange Online Use Exchange Online V2 Powershell
Exchange Web Services A programming interface used by Outlook, Outlook for Mac and 3rd-party apps Third Party applications that do not support OAuth
Offline Addressbook Copy of Address list collections that are downloaded and used by Outlook Outlook email clients Use Microsoft 365 version of Outlook and remove and add back account choosing 'Microsoft 365' as the account type
"Other Clients"
(Linux mail clients, custom mail clients, etc)
Any other protocols identified as utilizing legacy authentication   Application should be up-to-date and added using modern authentication protocol such as 'Microsoft Exchange' or 'Microsoft 365' option
Outlook Anywhere
(formerly RPC over HTTP)
Allows clients using Microsoft Outlook 2007/2010/2013 to connect to Exchange servers outside of corporate network over the internet using remote procedure call (RPC) or HTTP Windows networking component Outlook 2007/2010/2013
Reporting Web Services Used to retrieve report data via Exchange Online PeopleSoft, Outlook email clients
Universal Outlook Protocol used by Mail/Calendar app for WIN 10 Mail/Calendar app for WIN 10 Remove and re-add account/s to use 'Exchange' or 'Microsoft 365' account types