t-rev I don't believe that you can secure the endpoints with CA policies in the way that you mention. By using Basic Auth, the O365 services that are currently in place will have to allow certain protocols that are susceptible to brute force/spray attacks. By disabling it for all users, they can then close these potential threat vectors.
I have not tested a CA policy to allow from a trusted network specifically; however, guidance from the Zero Trust architecture recommendations does not recommend using trusted networks as a 'safe' signal. These are hard to manage, make it difficult to accommodate remote workers, and are generally not safe (but better than nothing).
Petri-X If only they offered an easy way to identify the impact to your actual users. That would be a godsend. I guess that is what this article is for: to assist in getting the info using the tools they provide. They are also improving the tooling to get you the right reports. I remember when this wasn't even an option with the reporting and you had to extract the data via API REST call. Far more painful.