Conditional Access - legacy authentication

lycksen 1

If I in conditional access block legacy authentications. Which email clients will then be blocked ?

Just wondering if fx the native IOS mail app - will that one be blocked accessing exchange in legacy authenticaton is blocked? - So overall I looking for some information where can see which email clients apps is using legacy authentication

1 answer

Domooney-MSFT 2,576 Reputation points Microsoft Employee

2021-02-23T11:14:36.243+00:00

Hi @lycksen we have a list here of legacy authentication clients - https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication#legacy-authentication-protocols

the native iOS mail app supports modern authentication from iOS 11 onwards - https://support.apple.com/en-ie/guide/deployment-reference-ios/apd46055de62/web

As a starting point you could create a conditional access policy to block legacy authentication, and place it in report only mode. You can then monitor which users would be blocked.

You can also filter your Azure AD sign-in logs to see users who are currently using legacy authentication protocols - https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication#identify-legacy-authentication-use
Please sign in to rate this answer.
lycksen 1 Reputation point

2021-02-23T11:25:20.707+00:00

Thanks

Today I actually have one policy that blocks legacy authentication - and actually in other policies have settings that allow legacy authentication. Will the block not always be the one that weight more ?

Domooney-MSFT 2,576 Reputation points Microsoft Employee

2021-02-23T11:32:21.307+00:00

You're welcome! If you have a policy that blocks legacy auth then it should always apply, in conditional access the policies don't carry any weight or order of preference like a Group Policy Obejct, they should all apply.

lycksen 1 Reputation point

2021-02-23T13:12:05.223+00:00

I just checked devices that is connected from legacy authenticaton. Like on one device that is enrolled and is standing as client mobile safari ? - so to connect from safari through webmail will be blocked with legacy auth enabled ?

Just would like to see if it was possible to see which app has been used to connect, instead of it just is rapported as legacy auth client

Domooney-MSFT 2,576 Reputation points Microsoft Employee

2021-02-26T13:52:40.787+00:00

It might be difficult to identify the client app being used in this case, as legacy clients by nature do not send as much information in their sign-in request as modern clients. You might only see the protocol being used, and the resource the user is trying to access. You can see the OS in use if you click on the sign-in and then look at "basic" information. You can check the "User agent" details.

If the user is using the Safari browser on an iOS device that should not be using legacy authentication. Safari supports modern authentication. It is more likely in this case that the user is using the native mail app on iOS and has configured it for ActiveSync and not Modern authentication.
Sign in to comment

Share via

Conditional Access - legacy authentication

1 answer