How to block legacy authentication protocols using Azure AD Conditional Access policy

While working with a customer who needed exactly this, I decided to write up how I deployed it.

First, what is legacy authentication, and why should these protocols be blocked?

Legacy authentication is a term that refers to an authentication request made by:

Older Office clients that do not use modern authentication (for example, the Office 2010 client)
Any client that uses legacy mail protocols such as IMAP, SMTP AUTH or POP3

Today, the majority of sign-in attempts that lead to account compromise come over legacy authentication. Legacy authentication does not support multi-factor authentication (MFA): even if you have an MFA policy enabled in your directory, an attacker who has a valid password can authenticate over a legacy protocol and bypass MFA entirely. The best way to protect accounts from malicious sign-ins over legacy protocols is to block these attempts altogether.

How to block legacy authentication?

With a Conditional Access policy we can block every sign-in that uses a legacy authentication protocol.

Below are the steps I followed to implement a Conditional Access policy that blocks legacy authentication, with no impact on users or services.

In the Azure AD portal I went to Security -> Conditional Access, clicked + New policy -> Create new policy from template, and chose the following options:

Select a template category: Identities
Select template: Block legacy authentication
Policy state: Off

Once the policy was created I opened it and verified the configuration. I confirmed that it only affects legacy authentication for the users in scope, and that it will block matching sign-ins once it is enabled:

Assignments: All users included and specific users excluded (my admin account is excluded)
Cloud apps or actions: All cloud apps
Conditions: 1 condition selected (Client apps: Exchange ActiveSync clients, Other Clients)
Grant: Block access

Since I was sure everything was correct, I enabled the policy. To test it, I opened the Sign-in logs blade and checked for sign-ins that the policy had blocked. A safer first step is to set the policy state to Report-only instead of Off: the policy is then evaluated on every sign-in without blocking anything, and the sign-in logs show which sign-ins it would have blocked, so you can find any service accounts, scanners or mailbox integrations that still depend on IMAP, POP3, SMTP AUTH or ActiveSync before you enforce it.
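The same deployment as a script, for anyone who wants to roll it out to several tenants the same way. This is an added example written for this post, not a script from the original walkthrough; it uses the Microsoft Graph PowerShell SDK to create the template's settings in report-only mode, then lists the legacy-protocol sign-ins from the last seven days together with the policy's verdict on each one. The display name, the excluded admin UPN (admin@contoso.onmicrosoft.com) and the seven-day window are assumed values; change them for your tenant.

```powershell
# Added example (not from the original post): the portal steps above as a
# Microsoft Graph PowerShell script. Assumes the Microsoft.Graph module is
# installed and the caller holds the Conditional Access Administrator role.
# Display name, excluded UPN and the 7-day window are assumptions.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "AuditLog.Read.All", "Directory.Read.All"

# Resolve the admin / break-glass account to exclude (assumed UPN).
$excludedUser = Get-MgUser -UserId "admin@contoso.onmicrosoft.com"

# Same settings as the "Block legacy authentication" template, but created
# in report-only mode first so the sign-in logs show what WOULD be blocked.
$policy = @{
    displayName = "Block legacy authentication (report-only)"
    state       = "enabledForReportingButNotEnforced"   # switch to "enabled" later
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($excludedUser.Id)
        }
        applications = @{
            includeApplications = @("All")
        }
        # Legacy client app types: Exchange ActiveSync and "Other clients"
        # (IMAP, POP3, SMTP AUTH, older Office clients, ...).
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Verification: pull the last 7 days of sign-ins, keep the ones that arrived
# over a legacy protocol, and show how this policy evaluated each of them.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$modernClients = @("Browser", "Mobile Apps and Desktop clients")

$legacySignIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.ClientAppUsed -notin $modernClients }

$legacySignIns |
    Select-Object CreatedDateTime, UserPrincipalName, ClientAppUsed, AppDisplayName,
        @{ n = "PolicyResult"; e = {
            ($_.AppliedConditionalAccessPolicies |
                Where-Object { $_.Id -eq $created.Id }).Result } } |
    Sort-Object CreatedDateTime -Descending |
    Format-Table -AutoSize

# Who still depends on legacy auth, grouped by protocol and account: these are
# the accounts to migrate (or explicitly exclude) before enforcing the policy.
$legacySignIns |
    Group-Object ClientAppUsed, UserPrincipalName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run it as a Conditional Access Administrator; Connect-MgGraph prompts for consent to the listed scopes. While the policy is in report-only mode, a legacy sign-in that it would have blocked shows the result reportOnlyFailure in the PolicyResult column; after you change the state to enabled, the same sign-ins show failure and the client can no longer authenticate over that protocol. Anything that appears in the second table is a service account or device that needs to move to modern authentication (or get an explicit exclusion) before you flip the switch.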

I hope you find this useful!

Thanks, Greg!
