Risks associated with allowing access for “Apps that don't use modern authentication” under Access control settings in SharePoint Admin Center

Jermaine Mallard 41 Reputation points
2022-11-16T20:03:39.783+00:00

Are there any known risks associated with allowing access for “Apps that don't use modern authentication” under Access control settings in SharePoint Admin Center?

Are there also any links available to Microsoft documentation that provide more details about this “Apps that don't use modern authentication” setting?

Our team was unable to open SharePoint Online sites via SharePoint Designer 2013 even after performing the steps to "Enable Modern authentication for Office 2013 on Windows devices" until after we changed the value of this setting from "Block access" to "Allow access".
https://learn.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/enable-modern-authentication

Our assigned Microsoft support person also did not mention this access control setting to us after opening a support case with them to address our connection issue from SharePoint Designer 2013 to our SharePoint Online sites.


Accepted answer
Xuyan Ding - MSFT 7,561 Reputation points
2022-11-17T08:19:39.967+00:00

Hi anonymous user,

App-based Conditional Access with app protection policies relies on applications using modern authentication. Most current Office mobile and desktop applications use modern authentication. However, there are third-party apps and versions of Office prior to Office 2013 that use other authentication methods, like basic authentication and forms-based authentication, and can't enforce device-based restrictions. This means they allow users to bypass conditional access policies that you configure in Azure. During authentication, legacy authentication clients don't support sending MFA, device compliance, or join state information to Azure AD. Azure AD accounts in organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled.

You can read more about legacy authentication and unmanaged devices here:
Block legacy authentication with Azure AD with Conditional Access
SharePoint and OneDrive unmanaged device access controls for administrators

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

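As an added example (not code from the thread or from the answer above): the "Apps that don't use modern authentication" toggle in the SharePoint admin center is the same control as the tenant property `LegacyAuthProtocolsEnabled` exposed by the SharePoint Online Management Shell, so the current state can be audited and later returned to "Block access" from PowerShell. The tenant name `contoso` and the `$applyChange` switch are assumptions for illustration.

```powershell
# Added example, not part of the original thread.
# Assumptions: the Microsoft.Online.SharePoint.PowerShell module is installed,
# the signed-in account holds the SharePoint Administrator role, and the
# tenant is called "contoso" (placeholder; use your own admin URL).

Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Read the current value.
#   $true  = "Allow access" in the admin center (legacy auth permitted)
#   $false = "Block access"  (only modern-auth clients can sign in)
$tenant = Get-SPOTenant
$legacyAllowed = $tenant.LegacyAuthProtocolsEnabled
Write-Host "LegacyAuthProtocolsEnabled = $legacyAllowed"

if ($legacyAllowed) {
    # Clients using basic or forms-based auth do not present MFA, device
    # compliance or join state to Azure AD, so app-based Conditional Access
    # cannot be enforced for those sign-ins.
    Write-Warning "Legacy authentication is currently allowed for this tenant."
}

# Return the tenant to "Block access" once the legacy client (SharePoint
# Designer 2013 in the question above) is no longer required.
# $applyChange is an assumed guard so the script audits by default and only
# changes the setting when explicitly enabled.
$applyChange = $false
if ($applyChange) {
    Set-SPOTenant -LegacyAuthProtocolsEnabled $false
    Write-Host "LegacyAuthProtocolsEnabled is now $((Get-SPOTenant).LegacyAuthProtocolsEnabled)"
}
```

Running the script with `$applyChange` left at `$false` only reports the state, which is useful as a periodic check that the temporary "Allow access" change made for SharePoint Designer has not been left in place longer than intended.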
