Account/Authentication - Azure Active Directory - Enable Conditional Access Policies to Block Legacy Authentication
Summary
Use Conditional Access to block legacy authentication protocols in Office 365.
Reason
Since legacy authentication don't support MFA, they are often used by attackers for malicious purposes. Hence, if we block legacy authentication, it will make it very difficult for attackers to gain access.
What If?
This setting, if enabled, will prevent users from connecting with older versions of Office, ActiveSync or using protocols like IMAP, POP or SMTP and may require upgrades to older versions of Office, and use of mobile mail clients that supports modern authentication.
How to?
To setup a conditional access policy to block legacy authentication, use the following steps:
- Login to https://admin.microsoft.com as a Global Administrator.
- Go to Admin centers and click on Azure Active Directory.
- Select Azure Active Directory and then Security.
- Select Conditional Access.
- Now, create a new policy by choosing New Policy.
- Set the below conditions within the policy-
- Select Conditions then Client apps enable the settings for and Exchange ActiveSync clients and other clients.
- Under Access controls set the Grant section to Block access.
- Under Assignments enable All users.
- Under Assignments and Users and groups set the Exclude to be at least one low risk account or directory role. This is required as the best practice.
To verify that legacy authentication is blocked, use the Microsoft 365 Admin Center:
- Login to https://admin.microsoft.com as a Global Administrator.
- Go to Admin centers and click on Azure Active Directory.
- Select Azure Active Directory and then Security.
- Select Conditional Access.
- Now, verify that either the policy Baseline policy: Block legacy authentication is set to On or find another with the following settings enabled-
- Select Conditions then Client apps enable the settings for and Exchange ActiveSync clients and other clients.
- Under Access controls set the Grant section to Block access.
- Under Assignments enable All users.
- Under Assignments and Users and groups set the Exclude to be at least one low risk account or directory role. This is required as the best practice.
Comments
Post a Comment