With everything now moving to Modern Authentication and the Microsoft Authentication Library (MSAL), which replaced the Active Directory Authentication Library (ADAL), we should know how to disable those old authentication methods. Today, we’re going to cover the step-by-step method to block legacy authentication using conditional access policies. This blocks legacy authentication for Office 365 as well as Azure, so it’s a great way to get ahead of the game.
What is Legacy Authentication And Why We Should Block It
I suppose before we go into detail on how to block it, we should probably address what it is. Legacy authentication is more or less self-explanatory: it covers authentication methods that have been superseded by today’s modern authentication. In short, legacy authentication means the authentication methods typically used by mail protocols such as IMAP, SMTP and POP3. Microsoft Office 2010 is an example of a client that uses legacy authentication.
The biggest takeaway here is that legacy authentication was widely used at a time when multi-factor authentication wasn’t really a thing. We’ve come a long way as far as security and auth methods go, but we should still close those gaps, because they leave exploitable openings in your environment.
To summarize, legacy authentication does not enforce multi-factor authentication (MFA), so it gives attackers a preferred attack vector to exploit. This is the biggest reason we want to block legacy authentication. With that said, we can now get into the modern (and preferred) method of blocking legacy authentication using conditional access policies.
Use Conditional Access To Block Legacy Authentication In Office 365
Now that we understand the why, let’s get into the how portion of this article. We’re going to assume you have the permissions needed to create conditional access policies.
- In Azure, navigate to Azure Active Directory -> Security -> Conditional Access -> Create a New Policy
- Direct Link: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies
- We’ll name this policy, Common Policy – Block Legacy Authentication
- Under Users and groups:
  - Under Include: We’ll select all users
  - Under Exclude: We’ll want to exclude our exclusions group
- Cloud apps or actions:
  - Under Include: We’ll select all cloud apps
  - Under Exclude: We’ll want to leave this blank
- Conditions -> Client apps:
  - Select “Yes” to configure the policy
  - Unselect Browser and Mobile apps and desktop clients
  - Leave Exchange ActiveSync clients checked
  - Leave Other clients checked
- Under Grant, select Block Access
For the final step, set the policy to Report-only so you can gather some insights before enforcing it. This gives you a heads up as to who is still using legacy authentication and lets you give them some kind of notice to stop. Otherwise, if you’re brave, skip Report-only, enable the policy and apply the scream test, which is just as effective at finding out who is still using it.
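As an added example that is not part of the original post, here is the same policy expressed in the Microsoft Graph conditionalAccessPolicy shape (the body you would POST to /identity/conditionalAccess/policies), a pre-flight check to run before switching Report-only to On, and a small triage of sign-in log entries that answers the Report-only question of who is still using legacy authentication. The exclusion group ID is a placeholder and the sign-in records are constructed; they are a subset of the fields the Azure AD signIn resource exposes.

```python
# Added example (not from the original post): the "Block Legacy Authentication"
# policy in Microsoft Graph form, plus a report-only triage of sign-in log entries.
from collections import defaultdict

# Client app types that Conditional Access treats as legacy authentication.
LEGACY_CLIENT_APP_TYPES = ("exchangeActiveSync", "other")

def build_block_legacy_auth_policy(exclusion_group_id: str, report_only: bool = True) -> dict:
    """Return the policy body for POST /identity/conditionalAccess/policies.
    exclusion_group_id is a placeholder for your exclusions group object ID."""
    return {
        "displayName": "Common Policy - Block Legacy Authentication",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [exclusion_group_id]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": list(LEGACY_CLIENT_APP_TYPES),
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def policy_is_safe_to_enable(policy: dict) -> bool:
    """Pre-flight before flipping Report-only to On: the policy must target only
    legacy client app types (browser and modern clients untouched), block rather
    than grant, and still carry a real exclusion group so admins cannot lock
    themselves out."""
    c = policy["conditions"]
    return (
        set(c["clientAppTypes"]) <= set(LEGACY_CLIENT_APP_TYPES)
        and policy["grantControls"]["builtInControls"] == ["block"]
        and any(c["users"].get("excludeGroups", []))
    )

# Constructed sample of Azure AD sign-in log entries (subset of signIn fields).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser"},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "Other clients; IMAP"},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "Authenticated SMTP"},
    {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "Exchange ActiveSync"},
    {"userPrincipalName": "dave@contoso.example", "clientAppUsed": "Mobile Apps and Desktop clients"},
]

# The two client app categories we unselected in the policy; everything else is legacy.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

def legacy_auth_users(signins: list) -> dict:
    """Map each user still signing in with legacy auth to the protocols they use."""
    users = defaultdict(set)
    for s in signins:
        if s["clientAppUsed"] not in MODERN_CLIENT_APPS:
            users[s["userPrincipalName"]].add(s["clientAppUsed"])
    return {u: sorted(p) for u, p in users.items()}
```

The users returned by legacy_auth_users are the ones to notify before the policy leaves Report-only.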
That’s it. Now we know how to block legacy authentication using conditional access policies in Azure Active Directory. For more posts on conditional access or Azure AD in general, be sure to check out our gallery of Azure Active Directory posts.