I started this blog post series with “How to get started with Conditional Access” and will continue with some use cases. These use cases can be combined or implemented stand-alone; it all depends on what you or your organisation want to accomplish.
In this use case we add an extra layer of security on top of Azure Active Directory by disabling legacy authentication, also for Service Now and other apps that provide web access through Azure Active Directory. This is a recommendation I make when I do EMS projects at customers, and it is an easy way to stop attackers from accessing your corporate data. After blog post #2 in the series, about enabling MFA, you already have modern authentication enabled on your tenant.
By disabling legacy authentication you block access over insecure protocols, and you need this to be secure going forward. Enabling it removes the loopholes in Conditional Access where a client can be made to fall back to legacy authentication when modern authentication fails. By design it will block:
- Older Office clients that do not use modern authentication (e.g., Office 2010 client)
- Clients that use mail protocols such as IMAP/SMTP/POP
The policy design is to disable legacy authentication when:
- Accessing all services integrated with Azure AD
- From Mobile apps and desktop clients
- Inside or Outside of the corporate network
- On any devices
Note: Disabling legacy authentication for Office 365 requires modern authentication to be enabled.
Start the Azure Active Directory admin center
- Click Azure Active Directory
- Click Conditional Access
- Click New policy
- Enter a name that makes sense to you: “CA – Block Legacy authentication”
- Select Assignments
- Select All users
It is recommended to do this on a test group first and roll out to production in phases.
- Select Cloud apps
- Select Selected apps
- Select All cloud apps
Important: Don’t lock yourself out! Read and understand what you are doing so you don’t lock yourself out of the Azure management portal.
- Select Cloud apps
- Select Exclude – Selected apps
- Select Microsoft Intune Enrollment
Note: When you create a Conditional Access rule that blocks, you need to have an exclusion on users, apps or conditions.
- Select Conditions
- Select Device Platform
- Click Configure – Yes
- Select All platforms (Including unsupported)
If for some reason you want different rules on different operating systems, this is the place to select them.
Note: If you have applications that do not understand modern authentication, for example users running Office 2010 on the internal network, you need to find a solution if upgrading the application is not possible. One example is to use the location condition to allow legacy authentication only from inside the network.
- Select Conditions
- Select Client Apps
- Select Configure – Yes
- Select Mobile apps and desktop clients – other clients
- Select Access controls
- Select “Block Access”
The Conditional Access rule is now created and will only take effect once you set Enable policy to On.
Now for the end user experience:
If the end user is using an application that understands modern authentication, nothing changes for them. If the end user is using an application that does not understand modern authentication, such as Office 2010, some mail clients on Android and others, they will be blocked.
Here is the example where the end user is trying to use the mail client on a Samsung Android phone with IMAP and getting blocked:
When we look at the sign-in logs in Azure AD we can see how many attempts there are with legacy authentication.
Within the Sign-ins logs we can see all the failed login attempts with legacy authentication, in this case POP.
Note: When legacy authentication is not blocked, there are approved applications that can fall back to legacy authentication even if you have a Conditional Access rule that requires MFA.
You can also use Power BI to investigate logins you don’t know about.
Start Microsoft Power BI: https://powerbi.microsoft.com
In almost every tenant where I have started using Conditional Access there have been sign-ins, both failed and successful, from places and applications the companies are using.
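To do the same review outside the portal, here is an added example (not part of the original post) that classifies an exported sign-in log into legacy and modern authentication and counts failed and successful legacy sign-ins per user, app and protocol. It assumes the field names of the Microsoft Graph auditLogs/signIns resource (userPrincipalName, appDisplayName, clientAppUsed, status.errorCode); the sample entries are constructed, and the rule "anything other than Browser or Mobile Apps and Desktop clients is legacy" mirrors the portal's legacy authentication filter.

```python
import json
from collections import Counter

# clientAppUsed values that Azure AD reports for modern authentication;
# everything else (POP, IMAP, SMTP, Exchange ActiveSync, Other clients, ...) is legacy.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample in the shape of a Graph auditLogs/signIns export (not real tenant data).
# errorCode 0 = success, 53003 = blocked by Conditional Access, 50126 = bad credentials.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "anna@example.com", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "POP", "ipAddress": "203.0.113.10", "status": {"errorCode": 53003}},
    {"userPrincipalName": "anna@example.com", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "POP", "ipAddress": "203.0.113.10", "status": {"errorCode": 53003}},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "IMAP", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Office 365 SharePoint Online",
     "clientAppUsed": "Browser", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"userPrincipalName": "carl@example.com", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Exchange ActiveSync", "ipAddress": "192.0.2.44", "status": {"errorCode": 50126}},
])


def is_legacy(signin):
    """True when the sign-in did not use a modern-authentication client type."""
    return signin.get("clientAppUsed", "Unknown") not in MODERN_CLIENT_APPS


def summarize_legacy(signins_json):
    """Return (failed, succeeded) Counters keyed by (user, app, protocol) for legacy sign-ins.

    Successful legacy sign-ins are the ones to chase first: they show clients that are
    still working over legacy protocols and will break once the block policy is enabled.
    """
    failed, succeeded = Counter(), Counter()
    for s in json.loads(signins_json):
        if not is_legacy(s):
            continue
        key = (s["userPrincipalName"], s["appDisplayName"], s["clientAppUsed"])
        if s["status"]["errorCode"] == 0:
            succeeded[key] += 1
        else:
            failed[key] += 1
    return failed, succeeded


if __name__ == "__main__":
    failed, succeeded = summarize_legacy(SAMPLE_SIGNINS)
    for key, n in succeeded.most_common():
        print("SUCCESS via legacy auth:", key, n)
    for key, n in failed.most_common():
        print("FAILED  via legacy auth:", key, n)
```

Point the function at a real export (Graph `GET /auditLogs/signIns` or the portal's download) instead of the sample to get the list of users and clients to fix before turning the policy on.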
It is recommended to block all legacy authentication where possible. For some reason there may be applications that still use legacy authentication; in that case you can limit from where, from which devices or to which applications legacy authentication is allowed, instead of allowing it by default.
For some Office 365 services it is possible to block legacy authentication at the service level (SharePoint, OneDrive, etc.) without Conditional Access, so if you do not have the Azure AD P1 license, take a look at that.