where "Block POP3" = Set-AuthenticationPolicy "Block POP3" -AllowBasicAuthPop:$false
A Conditional Access rule to block "Other Clients"
My understanding is Set-Mailbox $mailbox -AuthenticationPolicy "Block POP3" is superior to the others, as it blocks/drops the request pre-authentication, while the others occur post-authentication, which could lead to account lockout.
However, could someone who knows take the time to describe in detail the authentication flow if one or all of these controls are in place, and when each is evaluated?
Right, authentication vs authorisation, I get it - thank you!
Follow on: so when is Conditional Access evaluated? After the first-factor password evaluation and just prior to the access token being passed back to the client?
Something like this?
Authentication
- Client sends username/password to EO
- EO evaluates AuthenticationPolicy
- EO passes request to AzureAD
- AzureAD evaluates username/password
--- user is now authenticated ---
- Event is written to SignInLogs
Authorisation
- AzureAD evaluates Conditional Access policies
- AzureAD passes request back to EO
- EO evaluates CAS Plan and Rules
- EO passes access token to client
Another follow-on question. Given that the new AuthenticationPolicy is evaluated pre-auth, is there any need to also block POP/IMAP etc. in a CAS mailbox plan/rule?
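The three controls discussed in this thread, configured side by side and then checked from PowerShell. This is an added example, not code posted by anyone in the thread: it assumes the ExchangeOnlineManagement and Microsoft.Graph modules, uses "alice@contoso.example" and the policy name "Block POP3" as placeholders, and goes slightly beyond the question by also disabling Basic auth for IMAP and by creating the "other clients" Conditional Access policy through Microsoft Graph rather than the portal.

```powershell
# Added example (not from the thread). Placeholders: alice@contoso.example, "Block POP3".
Connect-ExchangeOnline

# 1. Pre-authentication control: an authentication policy that refuses Basic auth for
#    POP and IMAP. AllowBasicAuthPop / AllowBasicAuthImap are switch parameters, so the
#    ":$false" form is what turns them off ("-AllowBasicAuthPop $false" is a syntax error).
New-AuthenticationPolicy -Name "Block POP3"
Set-AuthenticationPolicy -Identity "Block POP3" -AllowBasicAuthPop:$false -AllowBasicAuthImap:$false

# The per-user assignment parameter lives on Set-User; alternatively make it the tenant default.
Set-User -Identity "alice@contoso.example" -AuthenticationPolicy "Block POP3"
# Set-OrganizationConfig -DefaultAuthenticationPolicy "Block POP3"

# 2. Post-authentication, mailbox-side control: protocol access on the CAS mailbox and on
#    the plan that newly created mailboxes inherit. These parameters are Boolean, not switches.
Set-CASMailbox -Identity "alice@contoso.example" -PopEnabled $false -ImapEnabled $false
Get-CASMailboxPlan | Set-CASMailboxPlan -PopEnabled $false -ImapEnabled $false

# 3. Post-authentication, identity-side control: a Conditional Access policy that blocks the
#    legacy client app types (shown as "Other clients" in the portal). Created in report-only
#    state so the SignInLogs can be reviewed before it is switched to "enabled".
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
$caPolicy = @{
    displayName = "Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy

# Verification: which authentication policy applies to the user, what that policy allows,
# and whether the CAS mailbox still exposes POP/IMAP (or SMTP AUTH) after authentication.
Get-User -Identity "alice@contoso.example" | Format-List DisplayName, AuthenticationPolicy
Get-AuthenticationPolicy -Identity "Block POP3" | Format-List Allow*
Get-CASMailbox -Identity "alice@contoso.example" |
    Format-List PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled
```

Keeping the CAS mailbox setting alongside the authentication policy is cheap defence in depth: the policy only governs Basic authentication, while PopEnabled/ImapEnabled govern the protocol regardless of how the client authenticated, and the CAS plan covers mailboxes created after the policy was rolled out.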