Forum Discussion
Conditional Access and Email Access, did I do it correct
Hi all
I configured Conditional Access for some of my users using the following configuration.
Users and Groups: Users1, User2, User3
All Cloud Apps
Conditions: Any Device
Client Apps: Browser, Mobile Apps, Legacy: Exchange ActiveSync, Other Clients
Grant: Require Multi-Factor Authentication
One of the users configured the Gmail client to connect to Exchange, and even though the policy is applied, the Gmail client is still able to connect without the MFA requirement, until I block the device from the Exchange web interface.
Did I miss anything in the configuration?
- Pontus Själander, Iron Contributor
niazstinu Hi!
First of all, in your policy you are including legacy protocols. Those protocols should be blocked from the end-users due to security reasons. Those protocols will go end-of-life within the Office 365 platform during 2021.
The Gmail app is most likely using a legacy protocol, and not Modern Authentication, and therefore the application won't be able to use MFA.
I would suggest moving to Outlook for Android / Outlook for iOS, and I would create the following policies:
Policy Name: Block Access - Legacy Authentication
User and Groups:
Include: anysecuritygroup/enduser
Exclude: anybreaktheglassaccount@xx.com
Cloud apps:
Include: Office 365
Condition:
Location:
Include: Any Location
Client apps:
Include: Other clients
Include: Exchange ActiveSync clients
Access Controls:
Block Access
-------
Policy Name: Grant Access - Mobile and Desktop Apps who use Modern Authentication (Require MFA)
User and Groups:
Include: anysecuritygroup/enduser
Exclude: anybreaktheglassaccount@xx.com
Cloud apps:
Include: Office 365
Conditions:
Locations:
Include: Any Location
Client Apps:
Include: Mobile apps and desktop clients
Access Controls:
Allow access through requiring MFA Challenge
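
A check that could be run before enabling the block policy suggested above, as an added example that is not part of the original posts: it scans exported Azure AD sign-in records for successful sign-ins from legacy clients and lists the users whose legacy sign-ins only required single-factor authentication. The sample records are constructed, and treating every client app value other than "Browser" and "Mobile Apps and Desktop clients" as legacy is an assumption.

```python
import json
from collections import Counter

# Client app values treated as modern authentication. Counting every other
# value as legacy is an assumption that mirrors the policy's client app types.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample records (made-up users) using field names from the
# Microsoft Graph signIn resource. Error code 0 means the sign-in succeeded.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "user1@example.com", "clientAppUsed": "Exchange ActiveSync",
  "status": {"errorCode": 0}, "authenticationRequirement": "singleFactorAuthentication"},
 {"userPrincipalName": "user1@example.com", "clientAppUsed": "Exchange ActiveSync",
  "status": {"errorCode": 0}, "authenticationRequirement": "singleFactorAuthentication"},
 {"userPrincipalName": "user2@example.com", "clientAppUsed": "Browser",
  "status": {"errorCode": 0}, "authenticationRequirement": "multiFactorAuthentication"},
 {"userPrincipalName": "user3@example.com", "clientAppUsed": "IMAP4",
  "status": {"errorCode": 53003}, "authenticationRequirement": "singleFactorAuthentication"},
 {"userPrincipalName": "user3@example.com", "clientAppUsed": "POP3",
  "status": {"errorCode": 0}, "authenticationRequirement": "singleFactorAuthentication"}
]""")


def is_legacy_success(rec):
    """True for a successful sign-in from a client outside MODERN_CLIENTS."""
    succeeded = rec.get("status", {}).get("errorCode") == 0
    return succeeded and rec.get("clientAppUsed") not in MODERN_CLIENTS


def legacy_successes(signins):
    """Count successful legacy sign-ins per (user, client app)."""
    hits = Counter((r["userPrincipalName"], r.get("clientAppUsed"))
                   for r in signins if is_legacy_success(r))
    return dict(hits)


def single_factor_legacy_users(signins):
    """Users with a successful legacy sign-in that required only one factor."""
    return sorted({r["userPrincipalName"] for r in signins
                   if is_legacy_success(r)
                   and r.get("authenticationRequirement") == "singleFactorAuthentication"})


if __name__ == "__main__":
    for (user, client), count in sorted(legacy_successes(SAMPLE_SIGNINS).items()):
        print(f"{user}: {count} successful sign-in(s) via {client}")
    print("Single-factor legacy sign-ins:", single_factor_legacy_users(SAMPLE_SIGNINS))
```

Users that appear in the output are the ones whose mail clients would stop connecting once the legacy authentication block is enforced, so they are the ones to move to a Modern Authentication client first.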
- niazstinu, Brass Contributor