Conditional Access and Email Access, did I do it correctly?


Hi all

I configured Conditional Access for some of my users using the following configuration.

Users and Groups: User1, User2, User3

All Cloud Apps

Conditions: Any Device

Client Apps: Browser, Mobile Apps, Legacy: Exchange ActiveSync, Other Clients

Grant: Require Multi-Factor Authentication

 

One of the users configured the Gmail client to connect to Exchange, and even though the policy is applied, the Gmail client is still able to connect without an MFA requirement, until I block the device from the Exchange web interface.

Did I miss anything in the configuration?

2 Replies

@niazstinu Hi!

First of all, in your policy you are including legacy protocols. Those protocols should be blocked for end users for security reasons. Those protocols will go end-of-life within the Office 365 platform during 2021.

The Gmail app is most likely using a legacy protocol and not Modern Authentication, and therefore the application won't be able to use MFA.
I would suggest moving to Outlook for Android / Outlook for iOS, and I would create the following policies:

 

Policy Name: Block Access - Legacy Authentication

User and Groups: 

Include: anysecuritygroup/enduser
Exclude: anybreaktheglassaccount@xx.com

  

Cloud apps: 
Include: Office 365 

Condition

Location:  
Include: Any Location 
Client apps 
Include: Other clients 
Include: Exchange ActiveSync clients

Access Controls: 
Block Access 

 

-------
 

Policy Name: Grant Access - Mobile and Desktop Apps that use Modern Authentication (Require MFA)
 

User and Groups: 
Include: anysecuritygroup/enduser
Exclude: anybreaktheglassaccount@xx.com

  

Cloud apps: 
Include: Office 365 

Conditions: 
 
Locations: 
Include: Any Location 
 

Client Apps:  
Include: Mobile apps and desktop clients 
 

Access Controls: 
Grant access, requiring an MFA challenge


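The two policies described in the reply above, written out as an added example with the Microsoft Graph PowerShell SDK so they can be created consistently and reviewed before enforcement. This is not code from the original thread or from Microsoft; the group name "CA-EndUsers", the Graph scopes requested and the sign-in log check at the end are assumptions, and the break-glass UPN is the placeholder from the reply. Both policies are created in report-only state first, since a mistake in a legacy-auth block or an MFA policy can lock out an administrator.

```powershell
# Added example, not part of the original reply. Requires the Microsoft.Graph
# PowerShell SDK (modules Microsoft.Graph.Identity.SignIns, .Groups, .Users, .Reports).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "Group.Read.All", "User.Read.All", "AuditLog.Read.All"

$groupName  = "CA-EndUsers"                    # assumed group name for "anysecuritygroup/enduser"
$breakGlass = "anybreaktheglassaccount@xx.com" # placeholder from the reply, replace with your account

# Conditional Access takes object IDs, not display names or UPNs.
$group  = Get-MgGroup -Filter "displayName eq '$groupName'"
$bgUser = Get-MgUser -UserId $breakGlass
if (-not $group -or -not $bgUser) { throw "Group or break-glass account not found; refusing to create policies." }

$users = @{
    includeGroups = @($group.Id)
    excludeUsers  = @($bgUser.Id)   # always exclude break-glass accounts from block and MFA policies
}

# Policy 1: block legacy authentication. "exchangeActiveSync" covers EAS; "other"
# covers the remaining legacy clients (IMAP, POP, SMTP AUTH, older Office clients).
$blockLegacy = @{
    displayName   = "Block Access - Legacy Authentication"
    state         = "enabledForReportingButNotEnforced"   # report-only first; set to "enabled" after review
    conditions    = @{
        users          = $users
        applications   = @{ includeApplications = @("Office365") }
        locations      = @{ includeLocations = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 2: require MFA for mobile and desktop clients that use modern authentication.
$requireMfa = @{
    displayName   = "Grant Access - Mobile and Desktop Apps that use Modern Authentication (Require MFA)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = $users
        applications   = @{ includeApplications = @("Office365") }
        locations      = @{ includeLocations = @("All") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

foreach ($policy in @($blockLegacy, $requireMfa)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created '$($created.DisplayName)' (id $($created.Id), state $($created.State))"
}

# Check (assumed): list recent Exchange ActiveSync sign-ins. While the block policy is
# report-only, conditionalAccessStatus shows what it would have done; Gmail-style EAS
# clients that currently bypass MFA should appear here before you enforce the policy.
Get-MgAuditLogSignIn -Filter "clientAppUsed eq 'Exchange ActiveSync'" -Top 25 |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, ClientAppUsed, ConditionalAccessStatus |
    Format-Table -AutoSize
```

The reason the original policy did not stop the Gmail client is visible in the two policy bodies: a "Require MFA" grant can only be satisfied by a client that performs modern authentication, so for the legacy client app types the useful control is "block", not "mfa". Switching `state` to `"enabled"` is a separate, deliberate step once the report-only sign-ins show no unexpected users or applications.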

 

@Pontus Själander 

Thanks, will apply it and see what happens.