niazstinu
Brass Contributor
Nov 16, 2020

Conditional Access and Email Access, did I do it correctly?

Hi all

I configured Conditional Access for some of my users using the following configuration.

Users and Groups: User1, User2, User3

All Cloud Apps

Conditions: Any Device

Client Apps: Browser, Mobile Apps, Legacy: Exchange ActiveSync, Other Clients

Grant: Require Multi-Factor Authentication


One of the users configured the Gmail client to connect to Exchange, and even though the policy is applied, the Gmail client is still able to connect without an MFA requirement, until I block the device from the Exchange web interface.

Did I miss anything in the configuration?

  • niazstinu Hi!

    First of all, in your policy you are including legacy protocols. Those protocols should be blocked for end users for security reasons. Those protocols will go end-of-life within the Office 365 platform during 2021.

    The Gmail app is most likely using a legacy protocol and not Modern Authentication, and therefore the application won't be able to use MFA.
    I would suggest moving to Outlook for Android / Outlook for iOS, and I would create the following policies:

    Policy Name: Block Access - Legacy Authentication

    Users and Groups:
    Include: anysecuritygroup/enduser
    Exclude: anybreaktheglassaccount@xx.com

    Cloud apps:
    Include: Office 365

    Conditions:
    Location:
    Include: Any Location
    Client apps:
    Include: Other clients
    Include: Exchange ActiveSync clients

    Access Controls:
    Block Access

    -------

    Policy Name: Grant Access - Mobile and Desktop Apps that use Modern Authentication (Require MFA)

    Users and Groups:
    Include: anysecuritygroup/enduser
    Exclude: anybreaktheglassaccount@xx.com

    Cloud apps:
    Include: Office 365

    Conditions:
    Locations:
    Include: Any Location
    Client Apps:
    Include: Mobile apps and desktop clients

    Access Controls:
    Allow access, requiring an MFA challenge
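The two policies in this reply, expressed as an added Microsoft Graph PowerShell example (not code from the thread or from Microsoft). It creates both policies in report-only mode so the sign-in logs show what they would do before anything is enforced, then lists recent sign-ins from legacy clients so you can see which users would be affected. The group ID, the break-glass account ID, the module name and the permission scopes are assumptions; the Graph property names (`clientAppTypes`, `includeApplications`, `builtInControls`) follow the conditionalAccessPolicy resource.

```powershell
# Added example: create the "block legacy auth" and "require MFA for modern
# auth clients" policies from the reply above via Microsoft Graph PowerShell.
# Assumptions (placeholders, replace before use):
#   $EndUserGroupId   - object ID of the security group holding the end users
#   $BreakGlassUserId - object ID of the emergency-access account to exclude
# Requires the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Reports
# modules and the scopes requested below.

Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'AuditLog.Read.All'

$EndUserGroupId   = '00000000-0000-0000-0000-000000000000'   # placeholder
$BreakGlassUserId = '11111111-1111-1111-1111-111111111111'   # placeholder

# Report-only first: the policy is evaluated and logged but not enforced.
$state = 'enabledForReportingButNotEnforced'

# Scope shared by both policies: the end-user group minus the break-glass
# account, the Office 365 app group, any location.
$commonConditions = @{
    users = @{
        includeGroups = @($EndUserGroupId)
        excludeUsers  = @($BreakGlassUserId)
    }
    applications = @{
        includeApplications = @('Office365')
    }
    locations = @{
        includeLocations = @('All')
    }
}

# Policy 1: legacy clients cannot satisfy an MFA challenge, so the only
# effective control for them is Block.
$blockLegacy = @{
    displayName   = 'Block Access - Legacy Authentication'
    state         = $state
    conditions    = $commonConditions + @{
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

# Policy 2: clients using Modern Authentication get access after MFA.
$requireMfaModern = @{
    displayName   = 'Grant Access - Mobile and Desktop Apps that use Modern Authentication (Require MFA)'
    state         = $state
    conditions    = $commonConditions + @{
        clientAppTypes = @('mobileAppsAndDesktopClients')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

foreach ($policy in @($blockLegacy, $requireMfaModern)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created '{0}' (id {1}, state {2})" -f $created.DisplayName, $created.Id, $created.State)
}

# Check before enforcing: which users signed in with legacy clients in the
# last 7 days? These are the sign-ins the Block policy would stop.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$modernClients = @('Browser', 'Mobile Apps and Desktop clients')
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $modernClients -notcontains $_.ClientAppUsed } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Once the report-only results look right, switch `state` to `enabled` for the block policy first, keeping the break-glass account excluded from both policies so an administrator can always get in.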
