Best one is the service-side controls, but only Exchange supports that. In addition to the admin center controls, you can also use Auth policies to a similar end: https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online
Other methods are still valid, but they only act after credentials have been validated. On the other hand, authentication policies as detailed above act on a pre-auth layer, and block brute force attempts before they even reach Azure AD.
Block Basic Authentication Best Practices

jpcapone 1,021 Reputation points
I know that there are 2 (3) ways to disable basic authentication. So, when it comes to disabling basic auth which way is best - Service Side via org settings in Microsoft 365 Admin Center or CA policies? Should you use the two ways I described or is one equivalent to the other?
Accepted answer
Vasil Michev 66,601 Reputation points MVP
2022-01-26T07:50:21.487+00:00
Services such as SPO also have some controls to toggle basic auth, but they are "all or nothing" type of switch. So you might as well stick to CA policies.
Ok, so is there any real value to using CA policies to block basic auth if you have taken all of the other measures? i.e. blocking from the service side and/or the Exchange pieces?
Yes, flexibility. With CA you can only target specific users, or services. Or add exclusions as needed, for example for any multi-functional devices that might not work with Modern auth.
That makes sense. Thanks for your time!
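A worked configuration for the authentication-policy route the answer links to, as an added example that is not from the thread: a tenant-wide default policy blocks Basic auth on every protocol, and a second, narrow policy exempts only the kind of legacy multifunction device the comments mention. The mailbox address and policy names are placeholders.

```powershell
# Added example, not from the thread. Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account holds Organization Management.
Connect-ExchangeOnline

# Tenant-wide default: a new authentication policy blocks Basic auth on all
# protocols unless an -AllowBasicAuth* switch is given, so no switches here.
New-AuthenticationPolicy -Name "Block Basic Auth"
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

# Narrow exception for a legacy scanner that can only do SMTP AUTH with a
# password. Only the single protocol it needs is opened; the rest stays blocked.
New-AuthenticationPolicy -Name "Allow Basic SMTP Only" -AllowBasicAuthSmtp
Set-User -Identity "scanner@contoso.example" -AuthenticationPolicy "Allow Basic SMTP Only"

# SMTP AUTH is additionally gated per mailbox; enable it only for this one.
Set-CASMailbox -Identity "scanner@contoso.example" -SmtpClientAuthenticationDisabled $false

# Policy assignments are cached; reset the token validity so the change applies now.
Set-User -Identity "scanner@contoso.example" -STSRefreshTokensValidFrom (Get-Date)

# Verify: users with no explicit assignment inherit the blocking default.
Get-User -ResultSize Unlimited |
    Select-Object UserPrincipalName, AuthenticationPolicy
```

Because the policy is evaluated before the credential reaches Azure AD, a password-spray against a blocked protocol is rejected at the Exchange front door and never counts against the account's sign-in risk or lockout state.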