%3CLINGO-SUB%20id%3D%22lingo-sub-1582203%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20policies%20now%20apply%20to%20all%20client%20applications%20by%20default%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1582203%22%20slang%3D%22en-US%22%3E%3CP%3ECool%2C%20now%20if%20you%20can%20get%20them%20to%20apply%20to%20client%20credentials%20flow%20as%20well...%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1582561%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20policies%20now%20apply%20to%20all%20client%20applications%20by%20default%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1582561%22%20slang%3D%22en-US%22%3E%3CP%3EGreat%20stuff.%20It%20is%20also%20going%20to%20be%20great%20if%20we%20can%20manage%20Azure%20AD%20Powershell%20with%20conditional%26nbsp%3B%3C%2FP%3E%3CP%3Eaccess.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1583207%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20policies%20now%20apply%20to%20all%20client%20applications%20by%20default%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1583207%22%20slang%3D%22en-US%22%3E%3CP%3ENice%20work!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1583848%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20policies%20now%20apply%20to%20all%20client%20applications%20by%20default%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1583848%22%20slang%3D%22en-US%22%3E%3CP%3EI%E2%80%99m%20wondering%20how%20using%20Conditional%20Access%20to%20block%20legacy%20connections%20is%20supposed%20to%20impact%20Azure%20AD%20Identity%20Protection%20and%20the%20generic%20AAD%20Signins%20log.%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3EWe%20have%20CA%20rules%20in%20place%20to%20block%20Legacy%20Auth%20(e.g.%20IMAP)%20and%20yet%20we%20still%20see%20opportunistic%20IMAP%20login%20attempts%20that%20show%20up%20as%20%E2%80%9CRisky%E2%80%9D%20in%20Identity%20Protection.%20They%20also%20appear%20in%20the%20Azure%20Signins%20log%20and%20seem%20to%20fail%20because%20the%20accounts%20are%20locked%2C%20not%20because%20CA%20has%20stopped%20them.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20the%20problem%20that%20CA%20needs%20a%20successful%20authentication%20before%20it%20gets%20involved%3F%20Or%20does%20this%20sound%20crazy%20and%20I%E2%80%99ve%20probably%20done%20something%20wrong%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1584035%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20policies%20now%20apply%20to%20all%20client%20applications%20by%20default%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1584035%22%20slang%3D%22en-US%22%3E%3CP%3EWOW!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1584215%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20policies%20now%20apply%20to%20all%20client%20applications%20by%20default%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1584215%22%20slang%3D%22en-US%22%3E%3CP%3EUntil%20unauthorized%20access%20installs%20AAD%20Request%20Verification%20Service%20-PROD%20%7C%20Permissions%2C%20enterprise%20app.%26nbsp%3B%3CSPAN%3EYour%20application%20can%20acquire%20a%20token%20to%20call%20a%20Web%20API%20hosted%20in%20your%20App%20Service%20or%20Function%20app%20on%20behalf%20of%20itself%20(not%20on%20behalf%20of%20a%20user).%20This%20scenario%20is%20useful%20for%20non-interactive%20daemon%20applications%20that%20perform%20tasks%20without%20a%20logged%20in%20user.%20It%20uses%20the%20standard%20OAuth%202.0%20%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fazuread-dev%2Fv1-oauth2-client-creds-grant-flow%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Eclient%20credentials%3C%2FA%3E%3CSPAN%3E%20grant.%20%26nbsp%3B%20Be%20careful%20this%20is%20how%20the%20system%20is%20being%20compromised.%20%26nbsp%3B%20So%20be%20careful%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1584347%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20policies%20now%20apply%20to%20all%20client%20applications%20by%20default%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1584347%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20still%20waiting%20and%20keeping%20tabs%20on%20legacy%20auth%20because%20of%20the%20Surface%20Hubs%20using%20legacy%20auth.%20Hope%20to%20have%20that%20resolved%20soon.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1585077%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20policies%20now%20apply%20to%20all%20client%20applications%20by%20default%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1585077%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20for%20that.%20It%20would%20be%20great%20if%20CA%20policies%20blocked%20after%20username%20too.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1585750%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20policies%20now%20apply%20to%20all%20client%20applications%20by%20default%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1585750%22%20slang%3D%22en-US%22%3E%3CP%3EPrefect%20%2Cthank%20you%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1585376%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20policies%20now%20apply%20to%20all%20client%20applications%20by%20default%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1585376%22%20slang%3D%22en-US%22%3E%3CP%3ECool%2C%20that%20will%20save%20time!%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1257371%22%20slang%3D%22en-US%22%3EConditional%20Access%20policies%20now%20apply%20to%20all%20client%20applications%20by%20default%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1257371%22%20slang%3D%22en-US%22%3E%3CP%3EHowdy%20folks%2C%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CP%3EWhen%20it%20comes%20to%20securing%20your%20organization%2C%20nothing%20is%20more%20effective%20than%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Factive-directory%2Fauthentication%2Ftutorial-enable-azure-mfa%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Eenabling%20multi-factor%20authentication%3C%2FA%3E%20(MFA)%20for%20your%20users.%20Whether%20using%20traditional%20methods%20like%20phone%20or%20token%20codes%2C%20or%20modern%20passwordless%20methods%20like%20the%20Authenticator%2C%20Windows%20Hello%2C%20or%20FIDO%2C%20MFA%20reduces%20the%20probability%20of%20account%20compromise%20by%20more%20than%2099.9%25.%20As%20part%20of%20adopting%20MFA%2C%20you%20should%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Factive-directory%2Fconditional-access%2Fblock-legacy-authentication%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Eblock%20legacy%20authentication%3C%2FA%3E%20endpoints%20that%20can%E2%80%99t%20support%20MFA.%20Legacy%20authentication%20protocols%20like%20POP%2C%20SMTP%2C%20IMAP%2C%20and%20MAPI%20can%E2%80%99t%20enforce%20MFA%2C%20making%20them%20preferred%20entry%20points%20for%20adversaries%20attacking%20your%20organization.%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EOrganizations%20use%20Azure%20AD%20Conditional%20Access%20to%20enforce%20Zero-Trust%20Least-Privileged%20Access%20policies.%20Conditional%20Access%20allows%20you%20to%20determine%20access%20based%20on%20explicitly%20verified%20signals%20collected%20during%20the%20user%E2%80%99s%20sign-in%2C%20such%20as%20the%20client%20app%2C%20device%20health%2C%20session%20risk%2C%20or%20IP%20address.%20This%20is%20the%20best%20mechanism%20to%20block%20legacy%20authentication%2C%20but%20a%20recent%20analysis%20showed%20fewer%20than%2016%25%20of%20organizations%20with%20Conditional%20Access%20have%20policies%20that%20apply%20to%20sign-ins%20using%20legacy%20authentication%20protocols.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CP%3ETo%20help%20organizations%20more%20easily%20achieve%20a%20secure%20Zero%20Trust%20posture%2C%20we%E2%80%99re%20announcing%202%20updates%20to%20help%20customers%20block%20legacy%20authentication%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3ENew%20Conditional%20Access%20policies%20will%20apply%20to%20legacy%20authentication%20clients%20by%20default.%3C%2FLI%3E%0A%3CLI%3EThe%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Factive-directory%2Fconditional-access%2Fconcept-conditional-access-conditions%23client-apps%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Eclient%20apps%20condition%3C%2FA%3E%2C%20including%20improvements%20to%20the%20client%20apps%20admin%20experience%2C%20is%20now%20in%20General%20Availability.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3EDaniel%20Wood%2C%20a%20program%20manager%20on%20the%20Conditional%20Access%20team%2C%20has%20written%20a%20blog%20to%20explain%20how%20these%20changes%20can%20help%20secure%20your%20organization.%20As%20always%2C%20please%20share%20your%20feedback%20below%20or%20reach%20out%20to%26nbsp%3B%3CA%20href%3D%22mailto%3Aintelligentaccesspm%40microsoft.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Eintelligentaccesspm%40microsoft.com%3C%2FA%3E%20with%20any%20questions.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CP%3EBest%20regards%2C%3C%2FP%3E%0A%3CP%3EAlex%20Simons%20(%5B%23%24dp70%5D%40Alex_A_Simons)%3C%2FP%3E%0A%3CP%3ECorporate%20Vice%20President%20of%20Program%20Management%3C%2FP%3E%0A%3CP%3EMicrosoft%20Identity%20Division%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E-------%3C%2FP%3E%0A%3CP%3EHi%20everyone%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EToday%2C%20I%E2%80%99m%20excited%20to%20announce%20we%E2%80%99re%20taking%20a%20big%20step%20forward%20in%20helping%20to%20make%20organizations%20more%20secure%20by%20changing%20the%20default%20Conditional%20Access%20configuration%20for%20new%20policies%20to%20apply%20to%20all%20client%20apps%E2%80%94including%20legacy%20authentication%20clients.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%E2%80%99ve%20simplified%20the%20admin%20experience%20to%20make%20it%20easier%20for%20admins%20to%20create%20policies%20targeting%20modern%20authentication%20clients%20and%20legacy%20authentication%20clients.%20By%20default%2C%20all%20new%20Conditional%20Access%20policies%20will%20apply%20to%20all%20client%20app%20types%20when%20the%20client%20apps%20condition%20is%20not%20configured.%20Sign-ins%20from%20legacy%20authentication%20clients%20don%E2%80%99t%20support%20MFA%20and%20don%E2%80%99t%20pass%20device%20state%20information%20to%20Azure%20AD%2C%20so%20they%20will%20be%20blocked%20by%20Conditional%20Access%20grant%20controls%2C%20such%20as%20requiring%20MFA%20or%20compliant%20devices.%20If%20you%20have%20accounts%20which%20%3CEM%3Emust%3C%2FEM%3E%20use%20legacy%20authentication%2C%20you%20can%20grant%20them%20policy%20exceptions%20to%20keep%20them%20from%20being%20blocked.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20want%20to%20create%20a%20Conditional%20Access%20policy%20that%20only%20targets%20legacy%20authentication%20clients%2C%20switch%20the%20client%20apps%20Configure%20toggle%20to%20Yes%20and%20deselect%20Browser%20and%20Mobile%20apps%20and%20desktop%20clients%2C%20leaving%20Exchange%20ActiveSync%20and%20Other%20clients%20selected.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22clientapp1.jpg%22%20style%3D%22width%3A%20474px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F211780i0DE7DEF5DB555F87%2Fimage-dimensions%2F474x690%3Fv%3D1.0%22%20width%3D%22474%22%20height%3D%22690%22%20title%3D%22clientapp1.jpg%22%20alt%3D%22clientapp1.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAnd%20for%20those%20of%20you%20who%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fgraph%2Fapi%2Fresources%2Fconditionalaccesspolicy%3Fview%3Dgraph-rest-beta%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Emanage%20your%20policies%20using%20the%20Microsoft%20Graph%20API%3C%2FA%3E%2C%20we%E2%80%99ve%20simplified%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fgraph%2Fapi%2Fresources%2Fconditionalaccessconditionset%3Fview%3Dgraph-rest-1.0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Eclient%20apps%20schema%3C%2FA%3E%20with%20the%20release%20of%20the%20new%20Conditional%20Access%20API%20in%20v1.0%20to%20match%20the%20new%20UX.%20Here%E2%80%99s%20an%20example%20of%20the%20new%20default%20configuration%20for%20the%20client%20apps%20condition%20when%20you%20create%20a%20new%20policy%20using%20the%20API.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22clieantapp4.png%22%20style%3D%22width%3A%20634px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F211561i609A976EB8017CB6%2Fimage-dimensions%2F634x354%3Fv%3D1.0%22%20width%3D%22634%22%20height%3D%22354%22%20title%3D%22clieantapp4.png%22%20alt%3D%22clieantapp4.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1295211122%22%20id%3D%22toc-hId--1295211122%22%20id%3D%22toc-hId--1295211122%22%20id%3D%22toc-hId--1295211122%22%20id%3D%22toc-hId--1295211122%22%20id%3D%22toc-hId--1295211122%22%20id%3D%22toc-hId--1295211122%22%3EWhat%20about%20my%20existing%20Conditional%20Access%20policies%3F%3C%2FH2%3E%0A%3CP%3EIf%20you%20have%20existing%20Conditional%20Access%20policies%2C%20they%20will%20continue%20to%20apply%20to%20the%20same%20client%20apps%20with%20no%20change.%20However%2C%20if%20you%20view%20an%20existing%20policy%2C%20we%E2%80%99ve%20made%20it%20easier%20to%20see%20which%20client%20apps%20are%20selected%20by%20removing%20the%20Configure%20Yes%2FNo%20toggle.%20Existing%20policies%20where%20the%20client%20apps%20condition%20was%20not%20configured%20now%20look%20like%20this%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22clientapp2.jpg%22%20style%3D%22width%3A%20472px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F211781i4947FEED3BBF7A60%2Fimage-dimensions%2F472x767%3Fv%3D1.0%22%20width%3D%22472%22%20height%3D%22767%22%20title%3D%22clientapp2.jpg%22%20alt%3D%22clientapp2.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1192301711%22%20id%3D%22toc-hId-1192301711%22%20id%3D%22toc-hId-1192301711%22%20id%3D%22toc-hId-1192301711%22%20id%3D%22toc-hId-1192301711%22%20id%3D%22toc-hId-1192301711%22%20id%3D%22toc-hId-1192301711%22%3EUnderstanding%20client%20app%20usage%20in%20your%20organization%3C%2FH2%3E%0A%3CP%3EBefore%20creating%20a%20new%20policy%2C%20it%E2%80%99s%20good%20to%20understand%20who%E2%80%99s%20using%20legacy%20authentication%20in%20your%20organization.%20To%20see%20which%20client%20apps%20and%20protocols%20are%20being%20used%20in%20your%20organization%20during%20sign-in%2C%20simply%20navigate%20to%20the%20Sign-ins%20page%20and%20filter%20the%20results%20by%20client%20app%20type.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22client%20app%203.jpg%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F211782i821811CA5FEACA0B%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22client%20app%203.jpg%22%20alt%3D%22client%20app%203.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-1882863185%22%20id%3D%22toc-hId-1882863185%22%20id%3D%22toc-hId-1882863185%22%20id%3D%22toc-hId-1882863185%22%20id%3D%22toc-hId-1882863185%22%20id%3D%22toc-hId-1882863185%22%20id%3D%22toc-hId-1882863185%22%3EShare%20your%20feedback!%3C%2FH3%3E%0A%3CP%3EWe%20hope%20that%20these%20changes%20make%20it%20easier%20for%20admins%20to%20secure%20their%20organizations%20by%20blocking%20legacy%20authentication.%20As%20always%2C%20please%20share%20your%20feedback%20below%20or%20reach%20out%20to%3C%2FP%3E%0A%3CDIV%3E%3CA%20href%3D%22mailto%3Adaniel.wood%40microsoft.com%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Edaniel.wood%40microsoft.com%3C%2FA%3E%20with%20any%20questions.%3C%2FDIV%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%2C%3C%2FP%3E%0A%3CP%3EDaniel%20Wood%20(-ERR%3AREF-NOT-FOUND-%40Daniel_E_Wood)%3C%2FP%3E%0A%3CP%3EProgram%20Manager%3C%2FP%3E%0A%3CP%3EMicrosoft%20Identity%20Division%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1257371%22%20slang%3D%22en-US%22%3E%3CP%3EWith%20the%20GA%20of%20the%20client%20apps%20condition%20in%20Conditional%20Access%2C%20new%20policies%20will%20better%20protect%20organizations%20by%20applying%20to%20all%20client%20applications%20by%20default.%26nbsp%3B%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Teaser.jpg%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F211707i0E82C86D8C76177C%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Teaser.jpg%22%20alt%3D%22Teaser.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1257371%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EProduct%20Announcements%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1588054%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20policies%20now%20apply%20to%20all%20client%20applications%20by%20default%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1588054%22%20slang%3D%22en-US%22%3E%3CP%3E%22%3CSPAN%3EIf%20you%20have%20accounts%20which%26nbsp%3B%3C%2FSPAN%3E%3CEM%3Emust%3C%2FEM%3E%3CSPAN%3E%26nbsp%3Buse%20legacy%20authentication%2C%20you%20can%20grant%20them%20policy%20exceptions%20to%20keep%20them%20from%20being%20blocked.%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EIt%20should%20be%20noted%20that%20in%20June%20of%202021%20Microsoft%20will%20block%20legacy%20authentication%20-%20so%20don't%20get%20too%20comfortable%20with%20the%20exceptions.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1590628%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20policies%20now%20apply%20to%20all%20client%20applications%20by%20default%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1590628%22%20slang%3D%22en-US%22%3E%3CP%3ESo%20any%20new%20conditional%20access%20policy%20with%20selection%20%22All%20cloud%20Apps%22%20would%20support%20MFA%20for%20Legacy%20Authentications%20clients.%20%3F%20would%20they%20now%20be%20prompted%20for%20MFA%20using%20IMAP%2C%20POP%2C%20SMTP%3F%20If%20so%20is%20this%20applicable%20the%20current%20existing%20rules%20as%20well%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1591868%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20policies%20now%20apply%20to%20all%20client%20applications%20by%20default%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1591868%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F570128%22%20target%3D%22_blank%22%3E%40mongie105%3C%2FA%3E%26nbsp%3BYou%20need%20to%20use%20Authentication%20policy%20via%20Exchange%20powreshell.%20Check%20out%20this%20article%20explains%20how%20to%20block%20legacy%20auth%20before%20CA%20rules%20come%20into%20play%20because%20they%20won%E2%80%99t%20if%20you%20still%20allow%20basic%20auth%20for%20POP%2C%20IMAP%20and%20other%20legacy%20protocols.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20will%20effect%20older%20apps%20and%20clients%20%26nbsp%3Bthat%20use%20basic%20auth%20like%20Outlook%202013%20when%20not%20set%20to%20modern%20auth.%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20title%3D%22O365%20How%20to%20Block%20Basic%20Auth%20for%20Exchange%20Online%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fclients-and-mobile-in-exchange-online%2Fdisable-basic-authentication-in-exchange-online%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchang%2Fclients-and-mobile-in-exchange-online%2Fdisable-basic-authentication-in-exchange-online%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1627598%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20policies%20now%20apply%20to%20all%20client%20applications%20by%20default%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1627598%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Alex%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Egreat%20news!%20Is%20a%20condition%20to%20skip%20for%20trusted%20locations%20in%20active%20sync%20now%20supported%3F%20Because%20it%20works%20perfectly%20but%20officially%20it%E2%80%99s%20unsupported.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eregards%2C%3C%2FP%3E%3CP%3EAndreas%3C%2FP%3E%3C%2FLINGO-BODY%3E

Howdy folks,

When it comes to securing your organization, nothing is more effective than enabling multi-factor authentication (MFA) for your users. Whether using traditional methods like phone or token codes, or modern passwordless methods like the Authenticator, Windows Hello, or FIDO, MFA reduces the probability of account compromise by more than 99.9%. As part of adopting MFA, you should block legacy authentication endpoints that can’t support MFA. Legacy authentication protocols like POP, SMTP, IMAP, and MAPI can’t enforce MFA, making them preferred entry points for adversaries attacking your organization.


Organizations use Azure AD Conditional Access to enforce Zero-Trust Least-Privileged Access policies. Conditional Access allows you to determine access based on explicitly verified signals collected during the user’s sign-in, such as the client app, device health, session risk, or IP address. This is the best mechanism to block legacy authentication, but a recent analysis showed fewer than 16% of organizations with Conditional Access have policies that apply to sign-ins using legacy authentication protocols.

To help organizations more easily achieve a secure Zero Trust posture, we’re announcing 2 updates to help customers block legacy authentication:

  1. New Conditional Access policies will apply to legacy authentication clients by default.
  2. The client apps condition, including improvements to the client apps admin experience, is now in General Availability.

Daniel Wood, a program manager on the Conditional Access team, has written a blog to explain how these changes can help secure your organization. As always, please share your feedback below or reach out to intelligentaccesspm@microsoft.com with any questions.

Best regards,

Alex Simons (@Alex_A_Simons)

Corporate Vice President of Program Management

Microsoft Identity Division

 

-------

Hi everyone,

 

Today, I’m excited to announce we’re taking a big step forward in helping to make organizations more secure by changing the default Conditional Access configuration for new policies to apply to all client apps—including legacy authentication clients.

 

We’ve simplified the admin experience to make it easier for admins to create policies targeting modern authentication clients and legacy authentication clients. By default, all new Conditional Access policies will apply to all client app types when the client apps condition is not configured. Sign-ins from legacy authentication clients don’t support MFA and don’t pass device state information to Azure AD, so they will be blocked by Conditional Access grant controls, such as requiring MFA or compliant devices. If you have accounts which must use legacy authentication, you can grant them policy exceptions to keep them from being blocked.

 

If you want to create a Conditional Access policy that only targets legacy authentication clients, switch the client apps Configure toggle to Yes and deselect Browser and Mobile apps and desktop clients, leaving Exchange ActiveSync and Other clients selected.

 

clientapp1.jpg

 

And for those of you who manage your policies using the Microsoft Graph API, we’ve simplified the client apps schema with the release of the new Conditional Access API in v1.0 to match the new UX. Here’s an example of the new default configuration for the client apps condition when you create a new policy using the API.

 

clieantapp4.png

 

What about my existing Conditional Access policies?

If you have existing Conditional Access policies, they will continue to apply to the same client apps with no change. However, if you view an existing policy, we’ve made it easier to see which client apps are selected by removing the Configure Yes/No toggle. Existing policies where the client apps condition was not configured now look like this:

 

clientapp2.jpg

 

Understanding client app usage in your organization

Before creating a new policy, it’s good to understand who’s using legacy authentication in your organization. To see which client apps and protocols are being used in your organization during sign-in, simply navigate to the Sign-ins page and filter the results by client app type.

 

client app 3.jpg

 

Share your feedback!

We hope that these changes make it easier for admins to secure their organizations by blocking legacy authentication. As always, please share your feedback below or reach out to

daniel.wood@microsoft.com with any questions.

 

Thanks,

Daniel Wood (@Daniel_E_Wood)

Program Manager

Microsoft Identity Division

14 Comments

Cool, now if you can get them to apply to client credentials flow as well... :)

Frequent Visitor

Great stuff. It is also going to be great if we can manage Azure AD Powershell with conditional 

access.

Senior Member

Nice work!

New Contributor

I’m wondering how using Conditional Access to block legacy connections is supposed to impact Azure AD Identity Protection and the generic AAD Signins log. 

We have CA rules in place to block Legacy Auth (e.g. IMAP) and yet we still see opportunistic IMAP login attempts that show up as “Risky” in Identity Protection. They also appear in the Azure Signins log and seem to fail because the accounts are locked, not because CA has stopped them.

 

Is the problem that CA needs a successful authentication before it gets involved? Or does this sound crazy and I’ve probably done something wrong?

Senior Member

WOW!

Occasional Visitor

Until unauthorized access installs AAD Request Verification Service -PROD | Permissions, enterprise app. Your application can acquire a token to call a Web API hosted in your App Service or Function app on behalf of itself (not on behalf of a user). This scenario is useful for non-interactive daemon applications that perform tasks without a logged in user. It uses the standard OAuth 2.0 client credentials grant.   Be careful this is how the system is being compromised.   So be careful 

Frequent Contributor

I'm still waiting and keeping tabs on legacy auth because of the Surface Hubs using legacy auth. Hope to have that resolved soon. 

Regular Contributor

Thanks for that. It would be great if CA policies blocked after username too.

Occasional Contributor

Cool, that will save time! 

New Contributor

Prefect ,thank you 

Super Contributor

"If you have accounts which must use legacy authentication, you can grant them policy exceptions to keep them from being blocked."

It should be noted that in June of 2021 Microsoft will block legacy authentication - so don't get too comfortable with the exceptions.

So any new conditional access policy with selection "All cloud Apps" would support MFA for Legacy Authentications clients. ? would they now be prompted for MFA using IMAP, POP, SMTP? If so is this applicable the current existing rules as well

Senior Member

@mongie105 You need to use Authentication policy via Exchange powreshell. Check out this article explains how to block legacy auth before CA rules come into play because they won’t if you still allow basic auth for POP, IMAP and other legacy protocols. 

 

This will effect older apps and clients  that use basic auth like Outlook 2013 when not set to modern auth. 

https://docs.microsoft.com/en-us/exchang/clients-and-mobile-in-exchange-online/disable-basic-authent...


 

 

 

 

Senior Member

Hi Alex,

 

great news! Is a condition to skip for trusted locations in active sync now supported? Because it works perfectly but officially it’s unsupported.

 

regards,

Andreas