
Hi anonymous user,
App-based Conditional Access with app protection policies relies on applications using modern authentication. Most current Office mobile and desktop applications use modern authentication. However, there are third-party apps and versions of Office prior to Office 2013 that use other authentication methods, like basic authentication and forms-based authentication, and can't enforce device-based restrictions. This means they allow users to bypass conditional access policies that you configure in Azure. During authentication, legacy authentication clients don't support sending MFA, device compliance, or join state information to Azure AD. Azure AD accounts in organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled.
You can read more about legacy authentication and unmanaged devices here:
Block legacy authentication with Azure AD with Conditional Access
SharePoint and OneDrive unmanaged device access controls for administrators
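An added example, not part of the original answer: before blocking legacy authentication, it helps to know which accounts still sign in with it. The sketch below summarizes legacy-client sign-ins from exported sign-in log records; the field names (`userPrincipalName`, `clientAppUsed`, `status.errorCode`) follow the sign-in log schema, while the sample records, the `contoso.example` accounts and the choice of which client values count as modern are assumptions made for the example.

```python
import json
from collections import defaultdict

# Assumption: these two clientAppUsed values indicate modern authentication;
# every other non-empty value (IMAP4, POP3, Exchange ActiveSync, ...) is legacy.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample records, shaped like a JSON export of sign-in logs.
SAMPLE_SIGNINS = json.loads("""
[
 {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser", "status": {"errorCode": 0}},
 {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
 {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP4", "status": {"errorCode": 50126}},
 {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 0}},
 {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}},
 {"userPrincipalName": "dave@contoso.example", "clientAppUsed": "POP3", "status": {"errorCode": 50126}}
]
""")

def is_legacy(record):
    """True when the sign-in used a client that is not in the modern set."""
    client = (record.get("clientAppUsed") or "").strip()
    return bool(client) and client not in MODERN_CLIENTS

def summarize_legacy(records):
    """Return {user: {client: {"success": n, "failure": n}}} for legacy sign-ins only."""
    summary = defaultdict(lambda: defaultdict(lambda: {"success": 0, "failure": 0}))
    for rec in records:
        if not is_legacy(rec):
            continue
        user = (rec.get("userPrincipalName") or "<unknown>").lower()
        succeeded = (rec.get("status") or {}).get("errorCode") == 0
        summary[user][rec["clientAppUsed"].strip()]["success" if succeeded else "failure"] += 1
    return {u: {c: dict(v) for c, v in clients.items()} for u, clients in summary.items()}

def users_to_migrate(records):
    """Users with a successful legacy sign-in: they lose access once legacy auth is blocked."""
    summary = summarize_legacy(records)
    return sorted(u for u, clients in summary.items()
                  if any(v["success"] for v in clients.values()))

if __name__ == "__main__":
    for user, clients in summarize_legacy(SAMPLE_SIGNINS).items():
        print(user, clients)
    print("migrate before blocking:", users_to_migrate(SAMPLE_SIGNINS))
```

Accounts that show only failed legacy sign-ins (like the constructed `dave` record) are not in active use over those protocols, but repeated failures there are worth reviewing as possible password guessing.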