@Oscar, thanks for posting in Q&A. Based on my understanding, due to the increased risk associated with legacy authentication protocols, Microsoft recommends that organizations block authentication requests using these protocols and require modern authentication. So the most secure method is to block legacy authentication. But if legacy authentication such as Exchange ActiveSync still exists in your organization, you can secure it by configuring "Require app protection policy" for the legacy authentication.
In fact, MAM allows you to manage and protect your organization's data within an application. Intune app protection policies (APP) are rules that ensure an organization's data remains safe or contained in a managed app. These policies allow you to control how data is accessed and shared by apps on mobile devices. A policy can be a rule that is enforced when the user attempts to access or move "corporate" data, or a set of actions that are prohibited or monitored when the user is inside the app. A managed app in Intune is a protected app that has Intune app protection policies applied to it and is managed by Intune. Here is a link with more detail for your reference.
https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy
A Conditional Access policy is used to control access to your cloud resources. If you set "Require app protection policy", then only managed apps with an app protection policy can access the cloud resources you set in the Conditional Access policy. There are also other options you can set, such as "Require device to be marked as compliant", which allows compliant devices to access the cloud resource. You can set it according to your requirements.
https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-grant
Hope the above information can help.
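The two approaches described in the answer above, written as Conditional Access policies with Microsoft Graph PowerShell. This is an added example, not part of the original answer. The display names, the report-only state and the split into two policies are assumptions chosen for illustration.

```powershell
# Added example. Requires the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','Application.Read.All'

# Well-known application ID of Office 365 Exchange Online.
$exchangeOnline = '00000002-0000-0ff1-ce00-000000000000'

# Policy 1: block legacy authentication protocols (the "Other clients" category).
$blockLegacy = @{
    displayName   = 'EXAMPLE - Block legacy authentication'   # hypothetical name
    state         = 'enabledForReportingOnly'                 # assumption: review sign-in logs first
    conditions    = @{
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Policy 2: Exchange ActiveSync is still in use, so allow it only from apps
# that have an Intune app protection policy applied.
# 'compliantApplication' is the Graph value for "Require app protection policy";
# 'compliantDevice' is the value for "Require device to be marked as compliant".
$easRequireApp = @{
    displayName   = 'EXAMPLE - EAS requires app protection policy'   # hypothetical name
    state         = 'enabledForReportingOnly'
    conditions    = @{
        users          = @{ includeUsers = @('All') }
        # An EAS-scoped policy should target Exchange Online only.
        applications   = @{ includeApplications = @($exchangeOnline) }
        clientAppTypes = @('exchangeActiveSync')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantApplication') }
}

foreach ($policy in @($blockLegacy, $easRequireApp)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Out-Null
}

# Confirm what was created and which grant controls each policy enforces.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.DisplayName -like 'EXAMPLE - *' } |
    Select-Object DisplayName, State,
        @{ n = 'ClientApps'; e = { $_.Conditions.ClientAppTypes -join ',' } },
        @{ n = 'Grant';      e = { $_.GrantControls.BuiltInControls -join ',' } }
```

Both policies are created in report-only mode, so they log what they would have done without blocking anyone; change `state` to `enabled` once the sign-in logs show the expected results.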