Microsolve Business IT Insights

Why Legacy Login Is a Risk Healthcare Can’t Afford in Microsoft 365

Written by Dale Jenkins | 14 June 2026 9:45:00 PM

Modern authentication is not a future upgrade. It is a baseline requirement for any healthcare organisation using Microsoft 365 today.

If legacy login methods (think simple username + password only) are still active in your environment, you are exposed. Not theoretically: in a real-world way that attackers can and do exploit every day.

Why Healthcare is Being Targeted

In the past five years, healthcare organisations have become prime targets for credential-based attacks.

The reason is simple: these organisations store large volumes of high-value data, their teams are always busy, and most run complex systems that are operated for speed at the expense of protection.

Microsoft 365 now sits at the centre of daily operations for many of the most targeted organisations. Email, Teams, clinical systems, rostering, and document management all rely on it. The challenge is that in many environments, older authentication methods are still enabled beneath the surface, because the work of addressing them is beyond what can be managed day to day.

System interfaces such as the following very commonly still hold legacy credentials, ripe for the picking:
  • IMAP (Internet Message Access Protocol) and POP (Post Office Protocol) email access
  • Older Office versions (especially those bought through OEM programs with the hardware)
  • Legacy integration and scripts
  • Multi-function devices sending email

These system interfaces do not support modern protections like Multi-Factor Authentication (MFA) or certificate-backed OAuth.

Microsoft's own security telemetry makes the risk clear:
  • Over 97% of credential stuffing attacks use legacy authentication
  • More than 99% of password spray attacks rely on it

So even if MFA is enabled, threat actors can simply go around it. Imagine a fence with a panel missing: from a distance it looks solid enough to deter trespassers, but up close it offers no real protection.

In a healthcare setting, that can mean unauthorised access to patient communications, sensitive records, or internal systems, often without triggering alerts.

What Modern Authentication Fixes

Modern authentication is not just about multi-factor authentication and challenge keys. It is a series of fundamental changes to how "trust" is measured, and that measurement drives system access and permissions.

In the Microsoft 365 world, instead of passing usernames and passwords between systems, authentication is handled centrally through Microsoft Entra ID. Entra ID establishes a trust relationship with both devices and individuals and, using various combinations of metadata and security signals (such as login, location, device type, time of day and activity history), decides what level of trust a transaction or session should be assigned before access is granted.

This allows for conditional, rules-based enforcement of:

  • Multi-factor authentication across all users
  • Access policies based on risk, location, and device
  • Session controls for shared or clinical workstations
  • Visibility into every sign-in attempt

Access is granted using secure, time-limited tokens and not reusable credentials.
In practice, this gives healthcare organisations something they often lack: consistent control. For example, a clinician logging in from a managed device inside a facility may have seamless access. The same login attempt from an unmanaged device overseas can be blocked or challenged instantly.

Same user. Different context. Controlled outcome.

Operationally, You Cannot Break Workflows!

Here is the challenge. Healthcare environments are not standard office setups.

You are dealing with:
  • Shared workstations
  • Shift-based staff
  • Time-critical access to systems
  • A mix of modern and legacy applications

If authentication changes disrupt access, patient care can be impacted. That is unacceptable and avoidable with a structured, experience-led rollout.

A Practical Roadmap that Works in Healthcare

The goal is simple: improve security without interrupting care. To do that, you need a phased approach.

Phase 1: Understand Your Environment

Start with visibility. Use Microsoft 365 reporting and sign-in logs as a way to identify:

  • Where legacy authentication is being used
  • Which users, devices, and applications are involved
  • Any hidden dependencies (printers, scanners, integrations)

In healthcare, these "hidden" systems are extremely common and can be critical to a functioning environment.
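Phase 1 as a script, added here as an example and not code from the original article. It uses the Microsoft Graph PowerShell SDK to pull the last 30 days of Entra ID sign-in logs and builds a dependency inventory of every user, protocol and application still signing in with legacy authentication. The module name, the permission scopes and the CSV path are assumptions; the classification relies on Entra reporting only "Browser" and "Mobile Apps and Desktop clients" as modern client types.

```powershell
# Added example (not from the original article): inventory legacy-auth sign-ins
# in Entra ID so every dependency (user, protocol, app, source IP) is known
# before anything is blocked.
# Assumes the Microsoft.Graph.Reports module is installed and the signed-in
# admin can read sign-in logs (e.g. Reports Reader or Security Reader role).

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

# Entra keeps 30 days of sign-in logs on P1/P2 tenants; look back over the whole window.
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")

# Every sign-in in the window. On a large tenant this can take a while.
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# ClientAppUsed carries the protocol. Only these two values are modern,
# token-based clients; everything else (IMAP4, POP3, Authenticated SMTP,
# Exchange ActiveSync, "Other clients", ...) is legacy authentication.
$modernClients = @("Browser", "Mobile Apps and Desktop clients")

$legacy = $signIns | Where-Object { $_.ClientAppUsed -notin $modernClients }

# One row per (user, protocol, application) dependency, with counts and origin.
$inventory = $legacy |
    Group-Object UserPrincipalName, ClientAppUsed, AppDisplayName |
    ForEach-Object {
        $first  = $_.Group[0]
        $latest = ($_.Group | Sort-Object CreatedDateTime -Descending | Select-Object -First 1)
        [pscustomobject]@{
            User        = $first.UserPrincipalName
            Protocol    = $first.ClientAppUsed
            Application = $first.AppDisplayName
            SignIns     = $_.Count
            Succeeded   = ($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
            SourceIPs   = ($_.Group.IpAddress | Sort-Object -Unique) -join ";"
            LastSeen    = $latest.CreatedDateTime
        }
    } | Sort-Object SignIns -Descending

$inventory | Format-Table -AutoSize

# Keep the full list for the dependency review (printers, scanners, integrations
# usually show up here as a service account with an IMAP/SMTP protocol).
$inventory | Export-Csv -Path ".\legacy-auth-inventory.csv" -NoTypeInformation
```

Rows with a high SignIns count and a single source IP are typically a multi-function device or an integration rather than a person; those are the "hidden" dependencies that Phase 3 has to contain before Phase 4 can block the protocol.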

Phase 2: Strengthen Identity Foundations

Enable modern authentication across all services. Enforce MFA for all users (yes, we do mean ALL!) and have stronger controls for staff in roles such as administration and finance, as well as anyone who has remote access.

Next, it's important to design Conditional Access policies that reflect your real workflows, not hypotheticals. This can look like:

  • Allowing trusted devices inside facilities
  • Requiring stricter controls for external access

This is where Microsolve's Managed IT Services and Cyber Security solutions typically come into play as we ensure policies are both secure and practical in clinical environments.

Phase 3: Isolate and Plan for Legacy Systems

Some systems will not support modern authentication immediately (or at all).

Rather than leaving yourself exposed:

  • Segment them on restricted networks
  • Use controlled mail relay instead of direct authentication
  • Apply strict access rules

Alongside these mitigating steps, it's important to build a practical plan to either replace your legacy devices or upgrade them.

Phase 4: Block Legacy Authentication

Once dependencies are understood and contained:

  • Implement Conditional Access policies to block all legacy protocols
  • Maintain tightly controlled emergency access accounts only
  • Monitor closely for impact

This final phase closes one of the most commonly exploited attack paths in Microsoft 365.
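The Phase 2 and Phase 4 policies as Conditional Access objects, added here as an example and not code from the original article. Using the Microsoft Graph PowerShell SDK it creates three policies: MFA for all users, a managed-device requirement for access from outside trusted (facility) locations, and a block on every legacy protocol. All three are created in report-only mode so the sign-in logs show what would have been affected before anything is enforced, which is the "monitor closely for impact" step. The policy names, the break-glass account ID and the assumption that facilities are already defined as trusted named locations are placeholders.

```powershell
# Added example (not the article's own code): the roadmap's Conditional Access
# policies, created in report-only mode with the Microsoft Graph PowerShell SDK.
# Assumes Microsoft.Graph.Identity.SignIns is installed and that facility
# networks are already defined as trusted named locations in Entra ID.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All" -NoWelcome

# Placeholder: object ID of the emergency-access (break-glass) account. It is
# excluded from every policy so a CA or MFA fault cannot lock all admins out.
$breakGlassId = "00000000-0000-0000-0000-000000000000"

# Builds the request body shared by all policies: all users (minus break-glass),
# all cloud apps, report-only state. Callers vary client types, controls, locations.
function New-CaPolicyBody {
    param(
        [string]$Name,
        [string[]]$ClientAppTypes,
        [string[]]$Controls,
        [hashtable]$Locations = $null
    )
    $conditions = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = $ClientAppTypes
    }
    if ($Locations) { $conditions.locations = $Locations }
    return @{
        displayName   = $Name
        state         = "enabledForReportingButNotEnforced"   # report-only first
        conditions    = $conditions
        grantControls = @{ operator = "OR"; builtInControls = $Controls }
    }
}

$modern = @("browser", "mobileAppsAndDesktopClients")

$policies = @(
    # Phase 2: MFA for every user on modern clients, everywhere.
    (New-CaPolicyBody -Name "CA01 - Require MFA for all users" `
        -ClientAppTypes $modern -Controls @("mfa")),

    # Phase 2: inside facilities (trusted locations) nothing extra is asked;
    # from anywhere else the device must be Intune-compliant.
    (New-CaPolicyBody -Name "CA02 - External access requires managed device" `
        -ClientAppTypes $modern -Controls @("compliantDevice") `
        -Locations @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }),

    # Phase 4: "exchangeActiveSync" and "other" are the client app types Entra
    # uses for non-modern auth (IMAP, POP, authenticated SMTP, basic-auth scripts).
    (New-CaPolicyBody -Name "CA03 - Block legacy authentication" `
        -ClientAppTypes @("exchangeActiveSync", "other") -Controls @("block"))
)

foreach ($body in $policies) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    "{0}  state={1}  id={2}" -f $created.DisplayName, $created.State, $created.Id
}
```

Once the report-only period shows no unexpected impact, each policy is switched on with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -BodyParameter @{ state = "enabled" }`. Enabling CA03 last, after the inventory from Phase 1 is empty or contained, is what keeps the cut-over from breaking a scanner or a rostering integration mid-shift.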

Communication is Critical in Clinical Environments

Technology changes fail when communication is poor. It's easy to get overwhelmed and bogged down trying to understand all the nitty-gritty technical details. It's best if you leave that to us, and walk your staff through the things they actually need to know so they have clarity and confidence. Focus on the four big ideas:

  1. What is changing (e.g. MFA prompts)
  2. Why it matters (protecting patient data)
  3. What to expect during a shift
  4. How to get help quickly

Short, role-specific guidance works best. We recommend practices such as:

  • Quick walkthroughs for nurses on shared devices
  • Simple MFA setup guides for admin staff
  • Updated onboarding policies so new staff learn the process seamlessly from day one

The goal here is minimum disruption with maximum adoption and understanding.

Governance: Stop the Drift Back to Risk

One of the most common issues we see is regression. Legacy authentication gets disabled and then quietly re-enabled a few months later to "fix" a problem. Clear governance sets the standards for your organisation and helps protect your data.

  • MFA is mandatory for every account
  • Legacy authentication remains disabled
  • Only approved apps and devices can connect
  • Exceptions are temporary, documented and tracked

Ownership underpins these standards and can make or break an organisation's governance. Someone MUST be accountable for identity and access: not "IT" in its general sense, but a defined role with clear responsibility for that access, which is crucial for its longevity and effectiveness. That person (or partner; you can outsource this to an MSP) should know what "good" looks like, what is currently configured, and what has changed.

Alongside ownership is the requirement for regular reviews of your policies and practices. Reviews shouldn't be reactive, happening once in a blue moon or only when a crisis occurs. They should be built into your operating rhythm. At a minimum this could be:

  • Quarterly reviews of Conditional Access policies and MFA coverage
  • Regular checks of sign-in logs for legacy protocol attempts
  • Validation that no new apps or devices have introduced exceptions
  • Confirmation that any temporary access has been removed
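The quarterly review as a script, added here as an example and not code from the original article. It reads every Conditional Access policy in the tenant and checks for exactly the drift described above: whether an enabled policy still blocks legacy protocols, whether an enabled policy still requires MFA for all users, and which users or groups have been excluded, compared against an approved exception register. The register contents and module names are placeholders.

```powershell
# Added example (not from the article): a scripted check for regression in the
# identity standards. Reports whether the legacy-auth block and the all-user MFA
# requirement are still enabled, and lists every policy exclusion that is not in
# the approved register, which is where undocumented "temporary" exceptions hide.
# Assumes Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users and
# Microsoft.Graph.Groups are installed.

Connect-MgGraph -Scopes "Policy.Read.All", "User.Read.All", "Group.Read.All" -NoWelcome

# Placeholder register: the only exclusions governance has approved and documented.
$approvedExclusions = @("breakglass@example.com")

$policies = Get-MgIdentityConditionalAccessPolicy -All

# An enabled policy that blocks all users on the legacy client types.
function Test-BlocksLegacyAuth($p) {
    ($p.State -eq "enabled") -and
    ($p.GrantControls.BuiltInControls -contains "block") -and
    ($p.Conditions.Users.IncludeUsers -contains "All") -and
    (($p.Conditions.ClientAppTypes -contains "other") -or ($p.Conditions.ClientAppTypes -contains "all"))
}

# An enabled policy that requires MFA for all users on all apps and modern clients.
function Test-RequiresMfaForAll($p) {
    ($p.State -eq "enabled") -and
    ($p.GrantControls.BuiltInControls -contains "mfa") -and
    ($p.Conditions.Users.IncludeUsers -contains "All") -and
    ($p.Conditions.Applications.IncludeApplications -contains "All") -and
    (($p.Conditions.ClientAppTypes -contains "browser") -or ($p.Conditions.ClientAppTypes -contains "all"))
}

$legacyBlockers = @($policies | Where-Object { Test-BlocksLegacyAuth $_ })
$mfaPolicies    = @($policies | Where-Object { Test-RequiresMfaForAll $_ })

"Legacy authentication blocked by an enabled policy : {0} ({1})" -f `
    ($legacyBlockers.Count -gt 0), (($legacyBlockers.DisplayName) -join ", ")
"MFA required for all users by an enabled policy    : {0} ({1})" -f `
    ($mfaPolicies.Count -gt 0), (($mfaPolicies.DisplayName) -join ", ")

# Resolve every user and group exclusion on every policy to a readable name.
$exclusions = foreach ($p in $policies) {
    foreach ($id in @($p.Conditions.Users.ExcludeUsers)) {
        if (-not $id) { continue }
        try   { $who = (Get-MgUser -UserId $id -ErrorAction Stop).UserPrincipalName }
        catch { $who = "<unresolved user $id>" }
        [pscustomobject]@{ Policy = $p.DisplayName; State = $p.State; Excluded = $who; Kind = "user" }
    }
    foreach ($id in @($p.Conditions.Users.ExcludeGroups)) {
        if (-not $id) { continue }
        try   { $who = (Get-MgGroup -GroupId $id -ErrorAction Stop).DisplayName }
        catch { $who = "<unresolved group $id>" }
        [pscustomobject]@{ Policy = $p.DisplayName; State = $p.State; Excluded = $who; Kind = "group" }
    }
}

# Anything excluded that is not in the register is an undocumented exception.
$unapproved = $exclusions | Where-Object { $_.Excluded -notin $approvedExclusions }
"Unapproved exclusions: {0}" -f @($unapproved).Count
$unapproved | Format-Table Policy, State, Kind, Excluded -AutoSize
```

Run on a schedule, the two booleans and the unapproved-exclusion count give the accountable owner a one-line answer to "is the standard still in force", and the table is the list of exceptions that need a documented end date or removal.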

This does not need to be complex, but it does need to be consistent. This is where Microsolve’s ongoing support model adds value by embedding these controls into a broader security and compliance framework, and not just a one-off project. Instead of reacting to issues, your environment is reviewed, tuned, and kept aligned with current threats and best practice.

Monitoring: From Configuration to Protection

Modern authentication gives you better data. Use it.

Regularly review:
  • Sign-in activity
  • Risk detections
  • Conditional Access reports

Look for:
  • Repeated login attempts
  • Unusual locations
  • Attempts using blocked protocols

In healthcare, early detection matters. The faster you identify a compromised account, the lower the impact. Modern authentication reduces attack surface. Monitoring ensures nothing slips through.
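The three "look for" items as queries over the last 24 hours of Entra sign-in logs, added here as an example and not code from the original article. It flags the password-spray shape (one source IP failing against many distinct accounts), successful sign-ins from countries the organisation does not operate in, and legacy-protocol attempts broken down by whether Conditional Access blocked them, plus high-risk detections from Identity Protection. The country list, the spray threshold and the module names are placeholders to tune per organisation.

```powershell
# Added example (not the article's own code): daily monitoring queries over
# Entra ID sign-in logs and risk detections with the Microsoft Graph PowerShell SDK.
# Assumes Microsoft.Graph.Reports and Microsoft.Graph.Identity.SignIns are
# installed; risk detections need Entra ID P2.

Connect-MgGraph -Scopes "AuditLog.Read.All", "IdentityRiskEvent.Read.All" -NoWelcome

$sinceDate = (Get-Date).ToUniversalTime().AddHours(-24)
$since     = $sinceDate.ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns   = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

$expectedCountries = @("AU", "NZ")   # placeholder: where staff legitimately sign in from
$sprayMinUsers     = 10              # placeholder: distinct accounts per IP before alerting
$modernClients     = @("Browser", "Mobile Apps and Desktop clients")

# 1. Repeated login attempts in the spray shape: failures (ErrorCode != 0)
#    grouped by source IP, counting how many different accounts were tried.
$spray = $signIns |
    Where-Object { $_.Status.ErrorCode -ne 0 } |
    Group-Object IpAddress |
    ForEach-Object {
        $users = @($_.Group.UserPrincipalName | Sort-Object -Unique)
        if ($users.Count -ge $sprayMinUsers) {
            [pscustomobject]@{ SourceIP = $_.Name; Failures = $_.Count; DistinctUsers = $users.Count }
        }
    }

# 2. Unusual locations: successful sign-ins from outside the expected countries.
$oddLocations = $signIns |
    Where-Object {
        $_.Status.ErrorCode -eq 0 -and
        $_.Location.CountryOrRegion -and
        $_.Location.CountryOrRegion -notin $expectedCountries
    } |
    Select-Object CreatedDateTime, UserPrincipalName, IpAddress, AppDisplayName,
        @{ n = "Country"; e = { $_.Location.CountryOrRegion } }

# 3. Legacy protocol attempts. Once the block policy is enabled,
#    ConditionalAccessStatus "failure" is the block working; a "success" or
#    "notApplied" row on a legacy client means a gap in policy coverage.
$legacyAttempts = $signIns |
    Where-Object { $_.ClientAppUsed -notin $modernClients } |
    Group-Object UserPrincipalName, ClientAppUsed, ConditionalAccessStatus |
    Select-Object Count, Name |
    Sort-Object Count -Descending

# 4. High-risk detections from Identity Protection in the same window.
$risks = Get-MgRiskDetection -Filter "riskLevel eq 'high'" -All |
    Where-Object { $_.DetectedDateTime -ge $sinceDate } |
    Select-Object DetectedDateTime, UserPrincipalName, RiskEventType, RiskLevel

"== Possible password spray (IPs failing against >= $sprayMinUsers accounts) =="
$spray | Format-Table -AutoSize
"== Successful sign-ins from unexpected countries =="
$oddLocations | Format-Table -AutoSize
"== Legacy protocol attempts by user / protocol / CA outcome =="
$legacyAttempts | Format-Table -AutoSize
"== High-risk detections =="
$risks | Format-Table -AutoSize
```

The legacy-attempt table doubles as evidence that Phase 4 is holding: after the block is enabled, every row should show a "failure" Conditional Access outcome, and any "success" row is a protocol or account the policy is not covering.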

A Better Standard for Security

Strong authentication should be treated like any other standard in healthcare. It should be consistent, expected, and enforced. It should not be optional, partial or dependent on user behaviour.

When implemented properly, modern authentication:
  • Reduces real-world risk
  • Improves visibility
  • Supports compliance obligations
  • Fits into daily workflows without friction

And most importantly, it protects the systems and information your organisation relies on every day.