Query Details
**Detecting connections affected by the Blocking Legacy Authentication enforcement expected by July 2025**
Beginning in July, access to services like SharePoint, OneDrive, and Office files using outdated authentication methods—such as RPS and FPRPC—will be blocked, with full implementation expected by August. This change is part of Microsoft’s broader strategy under the Secure Future Initiative (SFI), which promotes a “Secure by Default” approach to help organizations maintain a strong baseline of protection.
The following KQL query will help you detect remaining connections that still use legacy authentication methods:
```
AADSignInEventsBeta
| where ErrorCode == "0"
| where Timestamp > ago(7d)
| where ClientAppUsed in ("Exchange ActiveSync", "Exchange Web Services", "AutoDiscover", "Unknown", "POP3", "IMAP4", "Other clients", "Authenticated SMTP", "MAPI Over HTTP", "Offline Address Book")
    or UserAgent in ("BAV2ROPC", "CBAinPROD", "CBAinTAR", "MSRPC")
| summarize by AccountDisplayName, IPAddress, AccountUpn, ClientAppUsed, UserAgent
```
This KQL query is designed to identify any connections to Microsoft services that are still using outdated authentication methods, which will be blocked starting in July 2025. Here's a simple breakdown of what the query does:
- **Data Source:** It pulls data from the `AADSignInEventsBeta` table, which contains sign-in event logs.
- **Error Filtering:** It filters out any events that have an error code other than "0", meaning it only considers successful sign-ins.
- **Time Frame:** It looks at sign-in events from the past 7 days.
- **Legacy Authentication Detection:** It checks if the sign-ins used any of the specified legacy authentication methods or user agents. These include methods like "Exchange ActiveSync", "POP3", "IMAP4", and user agents like "BAV2ROPC".
- **Summarization:** It groups the results by user account details and connection information, such as the account display name, IP address, user principal name (UPN), client application used, and user agent.
The purpose of this query is to help organizations identify and address any remaining use of legacy authentication methods before they are blocked, ensuring compliance with Microsoft's "Secure by Default" initiative.
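The same filter logic applied offline to exported sign-in rows, as an added example that is not part of the original page. The two lists are copied from the query; the sample rows, the `NOW` reference time and the function names are constructed for illustration, and rows are assumed to be dicts keyed by the table's column names with ISO 8601 timestamps.

```python
from datetime import datetime, timedelta, timezone

# Both lists are copied verbatim from the query above.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "Exchange Web Services", "AutoDiscover", "Unknown",
    "POP3", "IMAP4", "Other clients", "Authenticated SMTP", "MAPI Over HTTP",
    "Offline Address Book",
}
LEGACY_USER_AGENTS = {"BAV2ROPC", "CBAinPROD", "CBAinTAR", "MSRPC"}

def is_legacy_signin(row, now, window=timedelta(days=7)):
    """Apply the query's filters to one exported sign-in row (a dict)."""
    recent = datetime.fromisoformat(row["Timestamp"]) > now - window
    succeeded = str(row["ErrorCode"]) == "0"
    # Exact, case-sensitive membership, like the KQL `in` operator.
    legacy = (row["ClientAppUsed"] in LEGACY_CLIENT_APPS
              or row["UserAgent"] in LEGACY_USER_AGENTS)
    return succeeded and recent and legacy

def summarize(rows, now):
    """Group matching rows per AccountUpn: sign-in count, clients, source IPs."""
    accounts = {}
    for row in rows:
        if is_legacy_signin(row, now):
            acct = accounts.setdefault(
                row["AccountUpn"], {"count": 0, "clients": set(), "ips": set()})
            acct["count"] += 1
            acct["clients"].add(row["ClientAppUsed"])
            acct["ips"].add(row["IPAddress"])
    return accounts

# Constructed sample rows (not real tenant data); NOW is a fixed reference time.
NOW = datetime(2025, 6, 23, tzinfo=timezone.utc)
FIELDS = ("Timestamp", "AccountUpn", "IPAddress", "ClientAppUsed", "UserAgent", "ErrorCode")
SAMPLE = [dict(zip(FIELDS, r)) for r in [
    ("2025-06-20T08:15:00+00:00", "alice@contoso.example", "203.0.113.10", "POP3", "", 0),
    ("2025-06-21T09:00:00+00:00", "alice@contoso.example", "203.0.113.11", "IMAP4", "", 0),
    ("2025-06-22T10:30:00+00:00", "bob@contoso.example", "198.51.100.7", "Browser", "BAV2ROPC", 0),  # matched by user agent only
    ("2025-06-22T11:00:00+00:00", "carol@contoso.example", "198.51.100.8", "Exchange ActiveSync", "", 50126),  # failed sign-in
    ("2025-06-12T07:00:00+00:00", "dave@contoso.example", "198.51.100.9", "POP3", "", 0),  # older than 7 days
    ("2025-06-22T12:00:00+00:00", "erin@contoso.example", "198.51.100.10", "pop3", "", 0),  # casing differs: no match
]]

if __name__ == "__main__":
    for upn, info in sorted(summarize(SAMPLE, NOW).items()):
        print(upn, info["count"], sorted(info["clients"]), sorted(info["ips"]))
```

The per-account grouping goes one step beyond the query's `summarize by`: it adds a sign-in count and collects clients and source IPs per UPN, which helps prioritize remediation.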

Sergio Albea
Released: June 23, 2025