Over the past few months, Microsoft has quietly enforced a series of security changes across Microsoft 365 tenants. While these changes are designed to reduce cyber risk, they've also caused unexpected outages in many Australian businesses, particularly where legacy systems are still in use.
If your organisation relies on older applications, scan-to-email, SMTP relays, or service accounts that "have always just worked", you may already be impacted â or about to be.
What Changed in Microsoft 365?
Microsoft has been progressively tightening security across all tenants, including:
- Enforced Security Defaults
- Expanded mandatory multi-factor authentication (MFA)
- Blocking of legacy authentication protocols
- Stricter enforcement of Conditional Access policies
- Deprecation of insecure authentication methods in Exchange Online
These changes are no longer optional. In many cases, they are being enabled automatically or enforced as part of standard tenant updates.
From Microsoft's perspective, this is necessary. From a business perspective, it's breaking things.
When Did These Changes Start?
Microsoft's move away from legacy authentication has been underway for several years, but enforcement has accelerated significantly in the last 12â18 months.
- 2022 â Microsoft formally deprecated legacy authentication and disabled it by default for new Microsoft 365 tenants.
- October 2024 â Microsoft began enforcing mandatory multi-factor authentication (MFA) for all administrative accounts, with staged rollouts continuing into 2025.
- Late 2024 to 2025 â Increased enforcement of Security Defaults, Conditional Access baseline policies, and authentication controls across existing tenants.
Many organisations are only feeling the impact now because legacy systems were previously tolerated until enforcement thresholds tightened.
Microsoft has been clear that legacy authentication is no longer considered secure and will continue to be restricted across Microsoft 365 services.
What's Breaking in Real-World Environments
We're seeing the same issues repeatedly across SME and mid-market environments.
Scan-to-Email and Multifunction Printers
Many copiers and scanners still rely on:
- Basic SMTP authentication
- Shared mailbox credentials
- No MFA capability
When legacy authentication is blocked, scan-to-email stops working â often without a clear error message.
Legacy Applications and Line-of-Business Systems
Older applications that:
- Authenticate directly to Exchange Online or Azure AD
- Use stored usernames and passwords
- Don't support modern OAuth authentication
These applications frequently fail once modern authentication is enforced.
Service Accounts and Automation Scripts
Scheduled tasks, scripts, integrations and monitoring tools often use:
- Hardcoded credentials
- Non-interactive logins
- Accounts excluded from MFA "temporarily"
These exclusions are increasingly unsafe and harder to justify.
Third-Party Systems Sending Email via M365
CRMs, accounting platforms, alerting systems and building management tools often send email through Microsoft 365. If they haven't been updated to support modern authentication, they are at risk.
Why This Is Happening Now
Microsoft guidance references: [1] Deprecation of Basic Authentication in Exchange Online â https://learn.microsoft.com/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online [2] Security Defaults in Microsoft Entra ID â https://learn.microsoft.com/entra/fundamentals/security-defaults [3] Mandatory MFA for Azure / Entra Administrator Roles â https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access
This isn't a bug or a temporary issue â it's a deliberate security strategy.
Microsoft is responding to:
- Credential theft being the primary breach vector
- Increasing cyber insurance and compliance requirements
- Widespread abuse of legacy authentication by attackers
Legacy authentication is no longer considered defensible, and Microsoft is removing it whether businesses are ready or not.
The Risk of Quick Fixes
The most common response we see is:
"Just turn it back on so it works."
This creates serious risk:
- Re-enabling legacy authentication reopens known attack paths
- MFA exclusions weaken the entire tenant
- Cyber insurance eligibility may be impacted
- Compliance posture deteriorates
Short-term fixes often create long-term security debt.
What Businesses Should Be Doing Instead
A controlled, planned approach avoids outages and improves security.
Audit Authentication Usage
Identify:
- Devices, apps and accounts using legacy authentication
- SMTP relays and shared credentials
- Business-critical dependencies
Modernise Legacy Workflows
Examples include:
- Authenticated SMTP relays with IP restrictions
- Migrating applications to OAuth or supported APIs
- Replacing unsupported devices where necessary
Secure Service Accounts Properly
- Eliminate shared credentials
- Use managed identities or app registrations
- Apply least-privilege access principles
Review Conditional Access Policies
Policies should protect users without disrupting legitimate business processes.
Why This Matters Beyond "Things Working"
These changes directly affect:
- Cyber insurance eligibility
- Essential Eight maturity levels
- Audit and compliance outcomes
- Blast radius in the event of compromise
This is not just an IT inconvenience â it's a business risk issue.
How Vee Tech Helps
Vee Tech works with Australian businesses to:
- Identify legacy authentication dependencies using structured tenant reviews
- Reduce the risk of unplanned outages caused by security enforcement changes
- Modernise Microsoft 365 tenants in line with Microsoft and ACSC guidance
- Align identity, access, and authentication controls with Essential Eight and cyber insurance expectations
Where required, remediation is planned and staged to minimise business disruption while improving security posture.
Timeline Concept for Future Reference
For organisations planning remediation or executive reporting, a simple timeline model can be effective:
- Legacy tolerated â Systems operate but rely on insecure authentication
- Deprecation announced â Vendor guidance issued, low urgency
- Enforcement begins â Security defaults and MFA requirements applied
- Operational impact â Legacy systems fail or behave unpredictably
- Modernisation completed â Secure authentication restored, risk reduced
This timeline helps boards and stakeholders understand that recent outages are the result of long-signalled changes, not sudden platform instability.
If you're unsure whether your Microsoft 365 environment is exposed to upcoming enforcement changes â or you've already experienced service disruption â now is the appropriate time to address it in a controlled and defensible manner.
A targeted Microsoft 365 security and authentication review can identify exposure, remediation options, and risk priorities before outages or compliance issues occur.
Vee Tech works with Australian businesses to:
- Identify legacy authentication dependencies
- Prevent unexpected Microsoft 365 outages
- Modernise tenants securely
- Align Microsoft 365 security with Essential Eight and best practice
If you're unsure whether your Microsoft 365 environment is at risk â or something has already stopped working â now is the right time to address it properly.
A targeted Microsoft 365 security and authentication review can surface these issues before they become outages or incidents.