Microsoft is switching off legacy logins in 2026: the quiet change that could lock out your old apps

Microsoft is disabling legacy authentication and Basic Auth across Entra ID in 2026. Here's how Melbourne businesses get ahead of it without an outage.

Microsoft is closing the old login methods that attackers love most — and in 2026 that change will quietly break some of the everyday apps still using them, unless you find them first.

Sometime this year, an old scanner or accounting plugin in your office is going to stop logging in — and that's Microsoft deliberately shutting a door attackers love. There won't be a dramatic outage or a red warning. One morning the scan-to-email just fails, or a mailbox connector stops syncing, and nobody can say why. The cause is a run of identity changes Microsoft has announced for 2026 across Entra ID (the part of Microsoft 365 that handles sign-ins). The good news: this is genuinely good security being switched on for you. The catch: if you don't get ahead of it, you find out the hard way.

What Microsoft is actually changing

Following the September 2025 deprecation of its old per-protocol MFA and self-service password reset policies, Microsoft has announced a sequence of identity changes rolling out through 2026. The exact dates have moved before and may move again, so treat these as a direction of travel rather than a calendar — and check Microsoft's own Entra roadmap and Message Center posts for the dates that are current when you read this.

Legacy authentication disablement.

Older sign-in methods that can't do modern multi-factor authentication are being switched off by default across tenants.

Basic Authentication retirement.

The remaining places where a username and password are sent straight to a service — with no MFA in between — are being retired, including legacy mail protocols still used by some devices and add-ins.

MFA enforcement for admins and sign-ins.

Microsoft is forcing multi-factor authentication on administrator and portal access, and broadening enforcement from there.

Continuous Access Evaluation (CAE).

Access tokens get re-checked closer to real time, so a revoked or risky session is cut off faster instead of staying valid for an hour.

Why Microsoft is doing this — the attack it shuts down

Legacy authentication is the open back door behind most password-based attacks. Microsoft publishes that the large majority of password-spray attacks — it cites figures above 99% — and most credential-stuffing attempts rely on legacy authentication, precisely because those old protocols can't enforce MFA. An attacker can throw thousands of stolen or guessed passwords at an old login endpoint and, if just one matches, walk straight in. Close that endpoint and the same attack simply has nowhere to land. So while this change is being forced on you, it removes one of the biggest causes of account takeover for small and medium businesses. It maps directly to the identity controls in the Essential Eight, which is the baseline we hold Melbourne businesses to.

The quiet breakage: what tends to stop working

The risk isn't to your staff logging into Outlook — modern apps handle this fine. The risk is the older, half-forgotten things wired into your mailboxes and identity. These are exactly the items that disappear from view until they fail.

Multifunction printers and scanners.

The scan-to-email feature on older copiers often authenticates the old way, so scanning to a Microsoft 365 mailbox can stop.

Line-of-business and accounting plugins.

Add-ins that send invoices, statements or reports through your mailbox may rely on Basic Auth under the hood.

Mailbox and CRM connectors.

Older integrations that sync mail, contacts or calendars between systems can lose their connection.

Shared service accounts.

The generic accounts used for alerts, monitoring or automated mail-outs are frequent offenders, because they were set up once years ago and never revisited.

Legacy phones and bespoke apps.

Old handsets and in-house tools that were never updated to modern authentication.

How to get ahead of it without an outage

The whole point is to make this a planned switch you control, not a surprise on a Monday. The work isn't complicated — it's about finding every legacy sign-in before Microsoft does, then fixing or replacing it.

Find what's still using legacy auth.

Entra ID's sign-in logs show exactly which accounts and apps authenticate the old way. That report is the map for everything else.

Trace each one back to a device or app.

Match every legacy sign-in to a real printer, plugin or service account, so nothing gets switched off blind.

Update, reconfigure or replace.

Most devices and apps have a modern-authentication setting or a firmware update; a few genuinely old ones need replacing or a supported workaround.

Roll out MFA properly.

Enforce multi-factor authentication on every account — especially admins and service accounts — using Conditional Access so it's consistent rather than per-app guesswork.

Test before the deadline, not after.

Disable legacy auth for a pilot group, confirm everything still works, then expand. That way the cutover is a non-event.
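As an added illustration of the "find" and "trace" steps above (example code, not from the original post or from Key IT), this Python script reads a sign-in log export in the shape of the Microsoft Graph signIn resource, keeps only the client-app types the Entra sign-in log filter treats as legacy authentication, and groups them into an inventory of account, client app and source address. The legacy label set, the field names and the sample records are assumptions constructed for the example; confirm the label list against the current portal filter.

```python
import json
from collections import defaultdict

# Client-app labels the Entra sign-in log's "Client app" filter groups under
# legacy authentication (assumption: confirm against the current portal list).
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "Autodiscover", "Exchange ActiveSync", "Exchange Online PowerShell",
    "Exchange Web Services", "IMAP4", "MAPI Over HTTP", "Offline Address Book", "Other clients",
    "Outlook Anywhere (RPC over HTTP)", "Outlook Service", "POP3", "Reporting Web Services",
}

# Constructed sample export in the shape of the Graph signIn resource
# (userPrincipalName, clientAppUsed, ipAddress, status.errorCode, createdDateTime).
SAMPLE_LOG = json.loads("""[
 {"createdDateTime":"2026-02-03T08:12:00Z","userPrincipalName":"scanner@example.com",
  "clientAppUsed":"Authenticated SMTP","ipAddress":"203.0.113.10","status":{"errorCode":0}},
 {"createdDateTime":"2026-02-04T09:30:00Z","userPrincipalName":"scanner@example.com",
  "clientAppUsed":"Authenticated SMTP","ipAddress":"203.0.113.10","status":{"errorCode":0}},
 {"createdDateTime":"2026-02-04T02:00:00Z","userPrincipalName":"crm-sync@example.com",
  "clientAppUsed":"IMAP4","ipAddress":"203.0.113.11","status":{"errorCode":0}},
 {"createdDateTime":"2026-02-04T08:00:00Z","userPrincipalName":"jane@example.com",
  "clientAppUsed":"Browser","ipAddress":"203.0.113.12","status":{"errorCode":0}},
 {"createdDateTime":"2026-02-04T03:10:00Z","userPrincipalName":"jane@example.com",
  "clientAppUsed":"Other clients","ipAddress":"198.51.100.7","status":{"errorCode":50126}},
 {"createdDateTime":"2026-02-04T03:10:05Z","userPrincipalName":"bob@example.com",
  "clientAppUsed":"Other clients","ipAddress":"198.51.100.7","status":{"errorCode":50126}}
]""")

def legacy_inventory(signins):
    """Group legacy sign-ins by (account, client app, source IP): attempts, successes, last seen."""
    inv = defaultdict(lambda: {"attempts": 0, "successes": 0, "last_seen": ""})
    for s in signins:
        if s.get("clientAppUsed") not in LEGACY_CLIENT_APPS:
            continue  # modern auth: unaffected by the cutover
        e = inv[(s["userPrincipalName"], s["clientAppUsed"], s.get("ipAddress", "?"))]
        e["attempts"] += 1
        e["successes"] += int(s.get("status", {}).get("errorCode", 0) == 0)  # 0 = success
        e["last_seen"] = max(e["last_seen"], s["createdDateTime"])
    return dict(inv)

def triage(inventory):
    """Succeeding legacy clients are real devices/apps to migrate; failing-only
    sources are usually password guesses against the legacy endpoint, not a device."""
    migrate, failing_only = [], []
    for key, e in sorted(inventory.items()):
        (migrate if e["successes"] else failing_only).append((key, e))
    return migrate, failing_only

if __name__ == "__main__":
    print(triage(legacy_inventory(SAMPLE_LOG)))
```

The "migrate" list is the set of scanners, plugins and connectors to trace back to a device before the pilot, while failing-only entries from one outside address across several accounts are the password-spray pattern the cutover removes and the SOC should be alerting on.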

This is core Microsoft 365 management and identity work, and it's the kind of change that's far easier with someone watching the logs day to day rather than discovering the problem from a frustrated staff member.

Where Key IT fits

For the businesses we look after, this is something we handle as routine identity hygiene rather than a fire drill. We pull the Entra ID sign-in reports, build the inventory of what's still on legacy auth, and work through it device by device so the door closes cleanly. Our in-house 24/7 SOC watches identity signals continuously, so the same password-spray attempts these changes are designed to stop are also being caught and contained in real time. And because the team that runs your help desk is the same team managing your security, when a scanner does need reconfiguring, it's one phone call — not a ticket bounced between vendors. Since 2021, with no lock-in contract, that's the kind of change we'd rather do quietly in advance than clean up afterwards.

Frequently asked questions

What is legacy authentication, in plain English?

It's any older sign-in method that sends your username and password straight to a service without the ability to add multi-factor authentication in front of it. Because there's no second check, it's the method most password-guessing attacks rely on — which is why Microsoft is switching it off. Modern authentication replaces it with a token-based sign-in that supports MFA and Conditional Access.

Will this break Outlook or Teams for my staff?

No. Current versions of Outlook, Teams and the Microsoft 365 apps already use modern authentication. The risk sits with older, behind-the-scenes connections — multifunction scanners, accounting plugins, mailbox connectors and service accounts — that were set up years ago and still authenticate the old way. Those are what to find and fix before the cutover.

When exactly does this happen?

Microsoft has announced these changes for 2026 as part of its Entra ID roadmap, but the specific dates have shifted before and could shift again. Rather than rely on a single day, the safe move is to find and remove your legacy sign-ins now, so whenever the switch flips, nothing in your office is depending on it. Check Microsoft's Entra roadmap and Message Center for the dates that are current when you read this.

How do I find out if anything in my business is affected?

Your Entra ID sign-in logs will show which accounts and apps are still authenticating the old way. Reviewing that report, then tracing each result back to a real device or plugin, tells you exactly what needs attention. If you'd like that done for you, a quick review of your tenant will surface the lot.