Nov 15 2020
08:42 PM
- last edited on
Jan 14 2022
04:27 PM
by
TechCommunityAP
Hi all
I configured Conditional Access for some of my users using the following configuration.
Users and Groups: Users1,User2, User3
All Cloud Apps
Conditions: Any Device
Client Apps: Browser, Mobile Apps, Legacy: Exchange ActiveSync, Other Clients
Grant: Require Multi-Factor Authentication
One of the users configured the Gmail client to connect to Exchange, and even though the policy is applied, the Gmail client is still able to connect without the MFA requirement, until I block the device from the Exchange web interface.
Did I miss anything in the configuration?!
Dec 16 2020 02:18 PM
@niazstinu Hi!
First of all, in your policy you are including legacy protocols. Those protocols should be blocked from the end users for security reasons. Those protocols will go end-of-life within the Office 365 platform during 2021.
The Gmail app is most likely using a legacy protocol, and not Modern Authentication, and therefore the application won't be able to use MFA.
I would suggest moving to Outlook for Android / Outlook for iOS and I would create the following policies:
Policy Name: Block Access - Legacy Authentication
User and Groups:
Include: anysecuritygroup/enduser
Exclude: anybreaktheglassaccount@xx.com
Cloud apps:
Include: Office 365
Condition
Location:
Include: Any Location
Client apps:
Include: Other clients
Include: Exchange ActiveSync clients
Access Controls:
Block Access
-------
Policy Name: Grant Access - Mobile and Desktop Apps who use Modern Authentication (Require MFA)
User and Groups:
Include: anysecuritygroup/enduser
Exclude: anybreaktheglassaccount@xx.com
Cloud apps:
Include: Office 365
Conditions:
Locations:
Include: Any Location
Client Apps:
Include: Mobile apps and desktop clients
Access Controls:
Allow access through requiring MFA Challenge
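As an added example (not part of either post above, and not Microsoft's own code), the script below expresses the two policies from the reply, plus the original poster's single policy, as Microsoft Graph `conditionalAccessPolicy` request bodies, and runs a small lint over them that flags the mismatch the question describes: a "require MFA" grant applied to legacy client app types (`exchangeActiveSync`, `other`), which cannot complete an MFA challenge and should be blocked instead. The group and user object IDs are constructed placeholders; the Graph field names and enum values (`clientAppTypes`, `builtInControls`, the `Office365` application alias, the `All` location alias) are the documented schema, and the assumption is that policies are managed through that API rather than the portal.

```python
"""Build Conditional Access policies as Microsoft Graph request bodies and lint
them for legacy-client / MFA mismatches. Added example; IDs are placeholders."""
import json

# Constructed placeholder object IDs; a real tenant uses Entra ID GUIDs here.
END_USER_GROUP_ID = "00000000-0000-0000-0000-000000000001"
BREAK_GLASS_USER_ID = "00000000-0000-0000-0000-000000000002"

# clientAppTypes values that represent legacy (non-Modern-Auth) clients.
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}


def _base_policy(name, client_app_types, built_in_controls, exclude_break_glass=True):
    """Common skeleton shared by the policies in the reply."""
    users = {"includeGroups": [END_USER_GROUP_ID]}
    if exclude_break_glass:
        users["excludeUsers"] = [BREAK_GLASS_USER_ID]
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "users": users,
            "applications": {"includeApplications": ["Office365"]},
            "locations": {"includeLocations": ["All"]},
            "clientAppTypes": list(client_app_types),
        },
        "grantControls": {"operator": "OR", "builtInControls": list(built_in_controls)},
    }


def block_legacy_auth_policy():
    """Policy 1 from the reply: block Exchange ActiveSync and 'other' clients."""
    return _base_policy("Block Access - Legacy Authentication",
                        ["exchangeActiveSync", "other"], ["block"])


def require_mfa_modern_clients_policy():
    """Policy 2 from the reply: Modern Auth mobile/desktop clients must do MFA."""
    return _base_policy("Grant Access - Mobile and Desktop Apps (Require MFA)",
                        ["mobileAppsAndDesktopClients"], ["mfa"])


def original_poster_policy():
    """The single policy from the question: every client app type, grant = MFA,
    no break-glass exclusion (constructed from the description in the post)."""
    return _base_policy("Require MFA - all client apps",
                        ["browser", "mobileAppsAndDesktopClients",
                         "exchangeActiveSync", "other"],
                        ["mfa"], exclude_break_glass=False)


def lint_policy(policy):
    """Return a list of finding strings; an empty list means no issues found."""
    findings = []
    conds = policy.get("conditions", {})
    controls = set((policy.get("grantControls") or {}).get("builtInControls", []))
    client_types = set(conds.get("clientAppTypes", []))
    if "all" in client_types:            # 'all' implicitly covers the legacy types
        client_types |= LEGACY_CLIENT_APP_TYPES
    legacy = sorted(client_types & LEGACY_CLIENT_APP_TYPES)
    if legacy and "mfa" in controls and "block" not in controls:
        findings.append(
            f"legacy client types {legacy} cannot satisfy an MFA grant; "
            "use a separate policy with builtInControls=['block']")
    if not conds.get("users", {}).get("excludeUsers"):
        findings.append("no excluded break-glass account in conditions.users.excludeUsers")
    if policy.get("state") != "enabled":
        findings.append("policy state is not 'enabled'")
    return findings


def to_graph_json(policy):
    """Serialise a policy body as it would be POSTed to
    /identity/conditionalAccess/policies (no request is sent here)."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for build in (original_poster_policy, block_legacy_auth_policy,
                  require_mfa_modern_clients_policy):
        p = build()
        print(p["displayName"], "->", lint_policy(p) or "OK")
```

Running the script prints a finding for the original poster's policy (legacy client types under an MFA grant, and no break-glass exclusion) and `OK` for the two policies from the reply; `to_graph_json` gives the body you would send to the Graph policies endpoint once the placeholder IDs are replaced with real object IDs.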
Dec 25 2020 03:55 AM