Preview Azure AD Conditional Access to block legacy authentication


Last week, Microsoft announced the public preview of Azure AD Conditional Access support for blocking legacy authentication. You used to need ADFS to do this; doing it with conditional access is SO much simpler and better. Now you can manage legacy authentication blocking as one part of your overall conditional access strategy, right from the Azure AD admin console. And for many of you, this will also give you the option to move away from ADFS to a cloud-centered authentication model enabled by pass-through authentication.

To begin, what is legacy authentication? Legacy authentication is a term that refers to authentication protocols used by apps like:

  • Older Office clients that do not use modern authentication (e.g., Office 2010 client)
  • Clients that use mail protocols such as IMAP/SMTP/POP

Attackers are partial to these protocols – to put it plainly, nearly 100% of password spray attacks use legacy authentication protocols! Why? Because legacy authentication protocols don’t support interactive sign-in, which is required for additional security challenges like multi-factor authentication and device authentication.

Before we get into the details, I want to be super duper clear – I strongly recommend you block use of legacy authentication protocols in your tenant. There are VERY few things you can do which are as easy to deploy and can improve your security posture as much.

It should be one of the top items on your To-Do list for next week!


Get started with Azure AD Conditional Access!

Do you want to try this new feature out? You’ll find it under the “Client apps” condition in Azure AD Conditional access.

To create a test policy:

  1. In the Azure AD portal, go to “Conditional access” and create a new policy.
  2. Select the users for your pilot group. As with all conditional access policies, we recommend starting with a small set of users to be sure you understand the support and end user experience impact.
  3. Select “All cloud apps”.
  4. Under the “Client apps” conditions, you should now see the “Other clients” checkbox. The “Other clients” checkbox includes older Office clients that do not support modern authentication, as well as clients that use mail protocols like POP, IMAP, SMTP, etc.

    (Screenshot: Azure AD Conditional Access)

  5. Select the “Block access” control.
  6. Save the policy.
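The same policy as steps 1–6, built through the Microsoft Graph API with the Microsoft.Graph PowerShell SDK, as an added example that is not code from the original post or from Microsoft; before creating the policy it lists the pilot group's recent legacy sign-ins so you can gauge the step-2 impact. The pilot group id is a placeholder, and the signed-in account is assumed to hold a role that may write Conditional Access policies and read sign-in logs.

```powershell
# Added example (not from the original post or from Microsoft): creates the policy from
# steps 1-6 via the Graph v1.0 conditionalAccess endpoint, after a pre-check of who in the
# pilot group has recently used legacy clients.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'AuditLog.Read.All', 'GroupMember.Read.All'

$PilotGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: your pilot group's object id
$graph = 'https://graph.microsoft.com/v1.0'

# --- Pre-check (step 2): legacy sign-ins by pilot users in the last 7 days (first page only) ---
$members = (Invoke-MgGraphRequest -Method GET -Uri "$graph/groups/$PilotGroupId/members?`$select=userPrincipalName").value |
           ForEach-Object { $_.userPrincipalName }
$since   = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = (Invoke-MgGraphRequest -Method GET -Uri "$graph/auditLogs/signIns?`$filter=createdDateTime ge $since").value

# Modern clients report 'Browser' or 'Mobile Apps and Desktop clients'. Exchange ActiveSync is
# legacy too, but it has its own checkbox and is not covered by "Other clients", so it is left out.
# Everything else (e.g. 'Other clients', 'IMAP4', 'POP3', 'SMTP') is what this policy will block.
$notOther = @('Browser', 'Mobile Apps and Desktop clients', 'Exchange ActiveSync')
$signIns |
    Where-Object { $members -contains $_.userPrincipalName -and $notOther -notcontains $_.clientAppUsed } |
    Group-Object userPrincipalName, clientAppUsed |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# --- Policy: pilot group, All cloud apps, client app type "other" ("Other clients"), Block access ---
$policy = @{
    displayName   = 'Block legacy authentication (pilot)'
    state         = 'enabled'   # 'enabledForReportingButNotEnforced' is available for a report-only rollout
    conditions    = @{
        users          = @{ includeGroups = @($PilotGroupId) }    # step 2: pilot group only
        applications   = @{ includeApplications = @('All') }      # step 3: All cloud apps
        clientAppTypes = @('other')                               # step 4: Other clients checkbox
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }   # step 5: Block access
}

$created = Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" -Body $policy
"Created policy $($created.id) in state $($created.state)"
```

The pre-check reads only the first page of sign-in results; follow `@odata.nextLink` if your tenant returns more than one page.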

To test the policy, Microsoft recommends installing an older version of the Office client, like Office 2010, and signing in with a user from the pilot group.

To test with basic authentication clients that use SMTP, POP, IMAP, etc., first run this PowerShell cmdlet for the test user and then sign in with the test user after an hour. The PowerShell cmdlet ensures that the policy will take effect for the user within an hour of when it’s run. Typically, it takes up to 24 hours for the policy to take effect for basic authentication clients.

If you haven’t yet, review the FAQ section to learn more about this new feature. And if you’re not familiar with conditional access yet, go ahead and read through Microsoft’s Azure AD conditional access documentation.

For more information on Azure AD or any EMS + Security feature please visit www.mobility.messageops.com or email info@messageops.com
