
Conditional Access Policy Allow Legacy Authentication

To give users easy access to cloud applications, Azure Active Directory (Azure AD) supports a variety of authentication protocols, including legacy authentication. Legacy authentication, however, cannot enforce controls such as multi-factor authentication (MFA), and MFA is by now a baseline requirement for improving an organization's security posture. The Azure AD sign-in logs show, per sign-in, which client app was used, so they tell you which users still rely on clients that depend on legacy authentication. For users who do not appear in those logs and have been confirmed not to use legacy authentication, start by applying a Conditional Access policy to those users only, then widen its scope as the remaining users migrate. If you use Microsoft Intune, you may be able to change the authentication type through the email profile you deploy to devices; for iPhones and iPads, see "Add email settings for iOS and iPadOS devices in Microsoft Intune". Modern authentication for Skype for Business Online can only be enabled with PowerShell. To read the sign-in logs you need one of the Global Administrator, Security Administrator, Security Reader, Global Reader or Reports Reader roles.

For multi-factor authentication to be effective, you must also block legacy authentication. Legacy protocols such as POP, IMAP, SMTP AUTH and MAPI offer no way to interrupt the credential exchange for a second factor, which makes them the preferred entry point for attackers: an account that is "protected" by MFA is still open to password spraying and credential stuffing if the attacker simply authenticates over IMAP. So if these protocols cannot be interrupted to enforce a policy, how does a "block legacy authentication" Conditional Access policy work at all? It works because it does not need to interrupt anything: Conditional Access evaluates the client app type after the credentials have been validated and then refuses to issue the token, so the legacy client never gets a session. Before you block legacy authentication in your directory, find out which of your users still have clients that use it. The Azure AD sign-in logs record the client app for every sign-in; filtering on the Client App column (or querying the SigninLogs table in Log Analytics for the legacy client types) shows only the legacy authentication requests. The fact that Conditional Access is applied after authentication has an important consequence: a legacy sign-in is not blocked until a correct password has been received. A brute-force or password-spray attack over POP or IMAP is therefore not stopped by Conditional Access; only your on-premises or Azure AD account lockout policies apply, and those attempts can lock out legitimate accounts even when smart lockout is enabled. The only way to stop this is to block legacy authentication at the service itself, in Exchange Online. Legacy authentication here means Basic authentication, the standard method of sending a user name and password with each request.
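The inventory step described above, as an added example that is not part of the original article: a small PowerShell function that takes Azure AD sign-in records, keeps only those whose client app is a legacy protocol, and summarizes them per user and client app, including how many attempts failed (repeated failures over POP3 or IMAP4 are what a password spray looks like in these logs). The sample records are constructed and the tenant name is hypothetical; the list of legacy client app names is taken from Microsoft's documented legacy-authentication sign-in query and should be compared against the Client App filter values in your own portal.

```powershell
# Client app names that Azure AD sign-in logs assign to legacy (Basic) authentication.
# Assumption: this matches Microsoft's published list; verify against your portal's
# "Client app" filter, since the names are not taken from the original article.
$LegacyClientApps = @(
    'Exchange ActiveSync', 'Authenticated SMTP', 'Exchange Online PowerShell',
    'Exchange Web Services', 'IMAP4', 'MAPI Over HTTP', 'Offline Address Book',
    'Other clients', 'Outlook Anywhere (RPC over HTTP)', 'POP3',
    'Reporting Web Services', 'Autodiscover', 'Universal Outlook'
)

function Get-LegacyAuthSignIn {
    # Input: sign-in records shaped like Get-MgAuditLogSignIn output
    # (UserPrincipalName, ClientAppUsed, CreatedDateTime, UserAgent, Status.ErrorCode).
    # Output: one row per user + legacy client app, most active first.
    param([Parameter(Mandatory)] [object[]] $SignIns)

    $SignIns |
        Where-Object { $LegacyClientApps -contains $_.ClientAppUsed } |
        Group-Object UserPrincipalName, ClientAppUsed |
        ForEach-Object {
            $events = $_.Group
            $latest = $events | Sort-Object CreatedDateTime -Descending | Select-Object -First 1
            [pscustomobject]@{
                UserPrincipalName = $latest.UserPrincipalName
                ClientAppUsed     = $latest.ClientAppUsed
                SignIns           = $_.Count
                # ErrorCode 0 is success; anything else (e.g. 50126, bad password) is a failure.
                Failures          = @($events | Where-Object { $_.Status.ErrorCode -ne 0 }).Count
                LastSeen          = $latest.CreatedDateTime
                UserAgent         = $latest.UserAgent
            }
        } |
        Sort-Object SignIns -Descending
}

# Constructed sample data (hypothetical tenant contoso.example, not real sign-ins).
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; ClientAppUsed = 'IMAP4'
                       CreatedDateTime = [datetime]'2024-05-01T08:00:00Z'; UserAgent = 'Thunderbird/91.0'
                       Status = @{ ErrorCode = 0 } }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example'; ClientAppUsed = 'Exchange ActiveSync'
                       CreatedDateTime = [datetime]'2024-05-02T09:10:00Z'; UserAgent = 'Apple-iPhone/1901'
                       Status = @{ ErrorCode = 0 } }
    # Modern client: not legacy, so it must not appear in the result.
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example'; ClientAppUsed = 'Mobile Apps and Desktop clients'
                       CreatedDateTime = [datetime]'2024-05-02T09:12:00Z'; UserAgent = 'Outlook-iOS/2.0'
                       Status = @{ ErrorCode = 0 } }
    [pscustomobject]@{ UserPrincipalName = 'scanner@contoso.example'; ClientAppUsed = 'Authenticated SMTP'
                       CreatedDateTime = [datetime]'2024-05-03T07:00:00Z'; UserAgent = ''
                       Status = @{ ErrorCode = 0 } }
    # Three bad-password attempts over POP3 against one account: spray signature.
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'; ClientAppUsed = 'POP3'
                       CreatedDateTime = [datetime]'2024-05-03T03:00:00Z'; UserAgent = ''
                       Status = @{ ErrorCode = 50126 } }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'; ClientAppUsed = 'POP3'
                       CreatedDateTime = [datetime]'2024-05-03T03:00:05Z'; UserAgent = ''
                       Status = @{ ErrorCode = 50126 } }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'; ClientAppUsed = 'POP3'
                       CreatedDateTime = [datetime]'2024-05-03T03:00:10Z'; UserAgent = ''
                       Status = @{ ErrorCode = 50126 } }
)

Get-LegacyAuthSignIn -SignIns $sample | Format-Table -AutoSize

# For a real tenant (Microsoft.Graph.Reports module, AuditLog.Read.All permission):
#   Connect-MgGraph -Scopes 'AuditLog.Read.All'
#   $since = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
#   $live  = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All
#   Get-LegacyAuthSignIn -SignIns $live | Export-Csv legacy-auth-inventory.csv -NoTypeInformation
```

The rows with a high Failures count and an empty user agent are the ones the paragraph above warns about: Conditional Access never saw them, because the password was wrong, so only lockout policy stood between the attacker and the account. The rows with successes are your migration list.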

Basic authentication is typically used by messaging protocols such as IMAP, SMTP and POP3. It relies on a single factor (the user's password) and is used by older email clients that do not support modern authentication protocols. Microsoft's own guidance on what to avoid when designing Conditional Access policies is at docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-best-practices#what-you-should-avoid-doing. Some protocols simply cannot be "interrupted" during their authentication workflow for a step such as MFA: they either get a yes or they fail. They also do not use tokens or tickets to cache a successful authentication, so they send the user's credentials on every connection. This is the behaviour of SMTP, POP and IMAP, and it is what is commonly referred to as "legacy" or "basic" authentication. In short: MFA is only effective if legacy authentication is blocked alongside it. Now let's look at how Microsoft is treating legacy authentication, and how you can identify and block it in your own environment before Microsoft does it for you (Microsoft has since permanently disabled Basic authentication in Exchange Online for every protocol except SMTP AUTH). First, you need to understand the difference between authenticating with legacy and with modern protocols. The biggest takeaway is that legacy authentication dates from a time when multi-factor authentication was not really a thing. Security and authentication methods have come a long way since then, but these gaps still need to be closed, because each one is an open door into your environment.
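Blocking Basic authentication at the Exchange Online service level, as described above, is done with Exchange Online authentication policies. The following PowerShell is an added example and not from the original article; it assumes the ExchangeOnlineManagement module and an Exchange administrator role, and the policy, user and mailbox names are hypothetical. It stages the rollout from a pilot set of users to the tenant default, and shows how a device that genuinely still needs SMTP AUTH gets a narrow exception instead of a hole in the default policy.

```powershell
# Added example: block Basic auth in Exchange Online with authentication policies.
Connect-ExchangeOnline

$PolicyName = 'Block Basic Auth'   # hypothetical policy name

# A new authentication policy blocks every Basic auth protocol unless an -AllowBasicAuth*
# switch is given, so creating it with no switches blocks POP3, IMAP4, SMTP AUTH,
# ActiveSync, EWS, MAPI, Outlook Anywhere, Autodiscover, OAB, ... in one go.
if (-not (Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $PolicyName | Out-Null
}
# Verify: every AllowBasicAuth* property should read False.
Get-AuthenticationPolicy -Identity $PolicyName | Format-List Name, AllowBasicAuth*

# Step 1: pilot. Assign the policy to users the sign-in log inventory showed are NOT
# using legacy clients, and expire their refresh tokens so the policy takes effect
# within about 30 minutes instead of at the next natural token refresh.
$PilotUsers = @('alice@contoso.example', 'bob@contoso.example')   # hypothetical
foreach ($upn in $PilotUsers) {
    Set-User -Identity $upn -AuthenticationPolicy $PolicyName
    Set-User -Identity $upn -STSRefreshTokensValidFrom ([DateTime]::UtcNow)
}

# Step 2: once the pilot is clean, make it the tenant default. Users with an explicit
# per-user policy keep theirs; everyone else inherits the default.
Set-OrganizationConfig -DefaultAuthenticationPolicy $PolicyName

# Exception handled narrowly: a scanner mailbox that can only do SMTP AUTH gets a
# policy that allows exactly that protocol and nothing else.
$SmtpOnly = 'Allow SMTP AUTH only'   # hypothetical policy name
if (-not (Get-AuthenticationPolicy -Identity $SmtpOnly -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $SmtpOnly -AllowBasicAuthSmtp | Out-Null
}
Set-User -Identity 'scanner@contoso.example' -AuthenticationPolicy $SmtpOnly

# Review: who carries an explicit policy, and what the tenant default is.
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy } |
    Select-Object UserPrincipalName, AuthenticationPolicy
(Get-OrganizationConfig).DefaultAuthenticationPolicy
```

Unlike a Conditional Access block, this refuses the Basic authentication attempt before the password is checked against Azure AD, which is what stops the lockout problem described earlier: a spray against a blocked protocol never reaches the credential validation step.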

In addition to the Azure AD sign-in logs, Microsoft provides further tools (the legacy authentication workbook and the Conditional Access Insights and Reporting workbook) to help you identify the use of legacy authentication in your tenant. Given how much ActiveSync traffic is still seen in client environments, I recommend focusing on it first: blocking it could affect many users, and it is relatively easy for mobile devices to switch from ActiveSync to modern authentication. Apple has supported modern authentication in its native Mail app since iOS 11 and should have automatically switched users to modern authentication since iOS 14. However, I have seen instances where users had to sign out of their corporate email account and sign in again before the switch happened. The situation is less clear for Android, given the large differences between devices, operating system versions and native mail apps. Especially for Android (but also for iOS) I recommend the official Microsoft Outlook mobile app. Not only does it fully support modern authentication, but app protection policies can also be used to encrypt, protect and selectively wipe the corporate data stored in the Outlook app. This does not affect personal data on the device and does not require the device to be fully enrolled in your mobile device management (MDM) solution. Before we get into the details of how to block it, we should be precise about what it is. Legacy authentication is more or less self-explanatory: it covers the authentication methods that are being replaced by today's modern authentication. In short, legacy authentication is the method typically used by email protocols such as IMAP, SMTP and POP3.

Microsoft Office 2010 is an example of a client that uses legacy authentication. Where possible, we should also block legacy authentication at the service level, not just in Conditional Access. While legacy authentication is still widely (and legitimately) used in many organizations, it leaves a major security flaw that gives attackers "backdoor" access to your company's data. The reason is simple: unlike modern authentication protocols, legacy authentication methods cannot participate in multi-factor authentication (MFA). When introducing a legacy authentication block, we recommend a step-by-step approach instead of disabling it for all users at the same time. Customers can first disable Basic authentication per protocol with Exchange Online authentication policies, and then (optionally) block legacy authentication through Conditional Access policies when they are ready. If your organization is not yet willing to block legacy authentication outright, you should at least ensure that legacy authentication connections cannot bypass policies that require grant controls such as MFA or a compliant or hybrid Azure AD joined device. Legacy authentication clients cannot send MFA, device compliance or device state information to Azure AD during authentication. Therefore, apply every policy with grant controls to all client app types: a legacy client that cannot satisfy the grant control is then blocked, instead of slipping past a policy that was scoped only to browsers and modern clients. With the general availability of the client apps condition in August 2020, newly created Conditional Access policies apply to all client app types by default.
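The Conditional Access side of the procedure above, as an added example that is not part of the original article: it creates the "block legacy authentication" policy with the Microsoft Graph PowerShell SDK, scoped to all users minus an exclusion group, covering exactly the two legacy client app types, and created in report-only mode first so the sign-in logs show what it would block before anything is enforced. It closes with the check the last paragraph asks for, listing existing grant-control policies that are not scoped to all client app types. The group name, policy name and permission scopes are assumptions.

```powershell
# Added example: create and later enforce a "block legacy authentication" CA policy.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All'

# Break-glass accounts and the (shrinking) set of users still on legacy clients belong
# in this group. Keep it small and review it: everything in it is exempt from the block.
$excludeGroup = Get-MgGroup -Filter "displayName eq 'CA-Exclude-LegacyAuth'" | Select-Object -First 1
if (-not $excludeGroup) { throw 'Create the exclusion group before deploying the policy.' }

$body = @{
    displayName = 'Block legacy authentication'   # hypothetical name
    # Report-only: evaluated and logged, not enforced. Switch to 'enabled' after review.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        # All apps: legacy clients cannot present MFA or device state for any of them.
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($excludeGroup.Id)
        }
        # The two client app types that are legacy authentication: Exchange ActiveSync,
        # and "Other clients" (POP, IMAP, SMTP AUTH, MAPI, EWS, Office 2010-era clients).
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
"Created policy $($policy.Id) in state $($policy.State)"

# After reviewing the report-only results in the sign-in logs, enforce it:
#   Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -State 'enabled'

# Check for the gap described above: a policy that REQUIRES something (MFA, compliant
# device, hybrid join) but is not scoped to all client app types leaves legacy clients
# unchallenged, because they never reach the grant control.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object {
        $types = @($_.Conditions.ClientAppTypes)
        $_.GrantControls.BuiltInControls -and
        ($_.GrantControls.BuiltInControls -notcontains 'block') -and
        -not ($types -contains 'all' -or
              ($types -contains 'other' -and $types -contains 'exchangeActiveSync'))
    } |
    Select-Object DisplayName, State,
        @{ n = 'ClientAppTypes'; e = { $_.Conditions.ClientAppTypes -join ',' } }
```

Any policy listed by the final query should either be widened to all client app types or paired with the block policy above; otherwise a legacy client that cannot satisfy the grant control is simply not evaluated against it.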

There are several ways to block legacy authentication in Office 365. If you have enabled security defaults (manually, or because your tenant was created after October 2019, when they became the default for new tenants), legacy authentication is already blocked for you at the tenant level. Exchange Online authentication policies block it at the service. A Conditional Access policy, which requires an Azure AD Premium license, blocks it at sign-in with the flexibility of exclusions, report-only mode and a staged rollout; once saved, the policy appears in the Conditional Access policies list. There you go: we now know how to identify legacy authentication and block it using Conditional Access policies in Azure Active Directory. For more articles about Conditional Access or Azure AD in general, check out our Azure Active Directory gallery.