I started this blog post series with “How to get started with Conditional Access” and will continue with some use cases. These use cases can be combined or implemented stand-alone; it all depends on what you or your organisation want to accomplish.

In this use case we add an extra layer of security on top of Azure Active Directory by disabling legacy authentication for ServiceNow and other apps that provide web access through Azure Active Directory. This is a recommendation I make when I do EMS projects at customers, and it is an easy way to stop attackers from accessing your corporate data. After blog post #2 in the series, about enabling MFA, you already have modern authentication enabled on your tenant.

By disabling legacy authentication you block access from insecure protocols, and you need this to be secure in the future. Enabling this removes the loopholes in Conditional Access where an application can be made to fall back to legacy authentication when modern authentication fails. By design it will block:

  • Older Office clients that do not use modern authentication (e.g., Office 2010 client)
  • Clients that use mail protocols such as IMAP/SMTP/POP

The policy is designed to disable legacy authentication when:

  • Accessing all services integrated with Azure AD
  • From Mobile apps and desktop clients
  • Inside or Outside of the corporate network
  • On any devices

Note: Disabling legacy auth for Office 365 requires modern authentication to be enabled.


Start the Azure Active Directory admin center

  1. Click Azure Active Directory
  2. Click Conditional Access

CA - MFA on Exchange Online - 01

  1. Click New policy

CA - MFA on Exchange Online - 02

  1. Enter a name that makes sense to you: “CA – Block Legacy authentication”
  2. Select Assignments
  3. Select All users

It is recommended to do this with a test group first, and go into production in phases.

Disable legacy authentication - 01

  1. Select Cloud apps
  2. Select Selected apps
  3. Select All cloud apps

Important: Don’t lock yourself out! Please read and understand what you are doing so you don’t lock yourself out of the Azure management portal.

Disable legacy authentication - 02

  1. Select Cloud apps
  2. Select Exclude – Selected apps
  3. Select Microsoft Intune Enrollment

Note: When you create a Conditional Access rule that blocks, you need to have an exclusion on users, apps or conditions.

Disable legacy authentication - 02a

  1. Select Conditions
  2. Select Device Platform
  3. Click Configure – Yes
  4. Select All platforms (Including unsupported)

If for some reason you want different rules on different operating systems, this is the place to select them.

Disable legacy authentication - 03

Note: If you have applications that do not understand modern authentication, for example users running Office 2010 on the internal network, you need to find a solution if it is not possible to upgrade the application. One example is to use the location condition to allow legacy authentication from inside the network.

  1. Select Conditions
  2. Select Client Apps
  3. Select Configure – Yes
  4. Select Mobile apps and desktop clients – other clients

Disable legacy authentication - 04

  1. Select Access controls
  2. Select “Block Access”

Disable legacy authentication - 05

Now the Conditional Access rule is created, and it will only take effect when you set Enable policy to On.
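The same policy as the portal steps above, created with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post; it assumes the Microsoft.Graph module is installed, that your account can manage Conditional Access, and that the “Microsoft Intune Enrollment” service principal exists in the tenant (it normally does).

```powershell
# Added example: build "CA - Block Legacy authentication" with Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; Conditional Access admin rights;
# the "Microsoft Intune Enrollment" service principal is present in the tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Resolve the app to exclude (step "Exclude - Selected apps - Microsoft Intune Enrollment").
$intune = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Intune Enrollment'"
if (-not $intune) { throw "Microsoft Intune Enrollment service principal not found; add the exclusion in the portal." }

$policy = @{
    displayName = "CA - Block Legacy authentication"
    # Mirrors the post: the rule only takes effect once you switch it to "enabled".
    # Pilot with a test group first by replacing includeUsers with includeGroups = @("<test-group-id>").
    state       = "disabled"
    conditions  = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{
            includeApplications = @("All")
            excludeApplications = @($intune.AppId)
        }
        platforms      = @{ includePlatforms = @("all") }   # All platforms (including unsupported)
        # "Mobile apps and desktop clients - other clients" is the legacy-auth bucket in Graph.
        # Exchange ActiveSync is a separate clientAppType and is not covered by this policy.
        clientAppTypes = @("other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm the block control and client app filter before enabling it.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = "ClientApps"; e = { $_.Conditions.ClientAppTypes -join "," } },
        @{ n = "Control";    e = { $_.GrantControls.BuiltInControls -join "," } }
```

Switch `state` to `enabled` only after the read-back shows `ClientApps = other` and `Control = block`, and the exclusion you expect.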


Now for the end user experience:

If the end user is using an application that understands modern authentication there is no change for the end user, but if the end user is using an application that does not understand modern authentication, like Office 2010, some mail clients on Android and others, they will be blocked.

Here is an example where the end user is trying to use the mail client on a Samsung Android phone with IMAP and gets blocked:

Block android 02



When we look at the sign-in logs in Azure AD we can see how many attempts there are with legacy authentication:

Azuread log

Within the Sign-ins logs we can see all the failed login attempts with legacy authentication, in this case POP.

Note: When legacy authentication is not blocked, there are approved applications that can fall back to legacy authentication even if you have a Conditional Access rule that requires MFA.

CA - Block Legacy Auth - reporting - 01
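The same view as the Sign-ins blade above, summarised per client app and user so you can see which legacy logins are blocked and which still succeed. This is an added example, not code from the original post; the sample rows are constructed, and the live variant at the end assumes the Microsoft.Graph module is installed and `AuditLog.Read.All` has been consented.

```powershell
# Added example: summarise legacy-authentication sign-ins from Azure AD sign-in log records.
function Get-LegacyAuthSummary {
    param([Parameter(Mandatory)] [object[]] $SignIns)
    # Modern authentication is reported as one of these two client app types; everything else
    # (POP3, IMAP4, Authenticated SMTP, Other clients, ...) is a legacy authentication attempt.
    $modern = @("Browser", "Mobile Apps and Desktop Clients")
    $SignIns |
        Where-Object { $_.ClientAppUsed -notin $modern } |
        Group-Object ClientAppUsed, UserPrincipalName, AppDisplayName |
        ForEach-Object {
            $group = $_
            $first = $group.Group[0]
            [pscustomobject]@{
                ClientApp = $first.ClientAppUsed
                User      = $first.UserPrincipalName
                App       = $first.AppDisplayName
                Attempts  = $group.Count
                # 53003 = blocked by Conditional Access; 0 = success, i.e. legacy auth that still gets through
                Blocked   = @($group.Group | Where-Object { $_.Status.ErrorCode -eq 53003 }).Count
                Succeeded = @($group.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
            }
        } |
        Sort-Object Succeeded, Attempts -Descending
}

# Constructed sample shaped like Get-MgAuditLogSignIn output (not real tenant data).
$sample = @(
    [pscustomobject]@{ ClientAppUsed = "POP3";    UserPrincipalName = "alice@contoso.example"; AppDisplayName = "Office 365 Exchange Online";   Status = @{ ErrorCode = 53003 } }
    [pscustomobject]@{ ClientAppUsed = "POP3";    UserPrincipalName = "alice@contoso.example"; AppDisplayName = "Office 365 Exchange Online";   Status = @{ ErrorCode = 53003 } }
    [pscustomobject]@{ ClientAppUsed = "IMAP4";   UserPrincipalName = "bob@contoso.example";   AppDisplayName = "Office 365 Exchange Online";   Status = @{ ErrorCode = 0 } }
    [pscustomobject]@{ ClientAppUsed = "Browser"; UserPrincipalName = "carol@contoso.example"; AppDisplayName = "Office 365 SharePoint Online"; Status = @{ ErrorCode = 0 } }
)
Get-LegacyAuthSummary -SignIns $sample | Format-Table -AutoSize

# Live variant: the last 7 days of sign-ins from your own tenant.
# Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"
# $since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
# Get-LegacyAuthSummary -SignIns (Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All) | Format-Table -AutoSize
```

Rows with `Succeeded` greater than zero are the ones to chase before you enable the block policy: they are legacy logins that currently get through.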

You can also use Power BI to investigate logins you don’t know about.

Start Microsoft Power BI: https://powerbi.microsoft.com

AzureAD PowerBi

In almost every tenant where I have started using Conditional Access, there have been sign-ins, both failed and successful, from places and applications the companies are using.


It is recommended to block all legacy authentication if possible. For various reasons there may be applications that still use legacy authentication; in that case you can limit from where, from which devices or to which applications legacy authentication is allowed, instead of allowing legacy authentication by default.
For some Office 365 services it is possible to block legacy authentication at the service level (SharePoint, OneDrive, etc.) without Conditional Access, so if you do not have the Azure AD P1 license please take a look at this.


Read more:

Azure AD Conditional Access support for blocking legacy auth is in Public Preview!
How to use the Azure Active Directory Power BI Content Pack