Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Enable Conditional Access policies to block legacy authentication(PowerShell)

Copper Contributor

I need to automate Conditional Access policies to block legacy authentication.

So I am facing challenges in PowerShell scripts.

why? Legacy authentication protocols do not support multi-factor authentication. These
protocols are often used by attackers because of this deficiency. Blocking legacy
authentication makes it harder for attackers to gain access.

So I am looking scripts to block legacy authentication.

3 Replies
So... You want to disable legacy authentication in your tenant by using Conditional Access? (https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authenticati...) And you want to use PowerShell scripts to create those Conditional Access policies, but you can't? Did you try https://practical365.com/using-powershell-to-manage-conditional-access-ca-policies/ ?

Or.. Do you want to keep on using PowerShell scripts and think that you can't anymore after enabling Conditional Access rules blocking legacy authentication? For Exchange Online for example you can use certifcate based authentication (https://thecloudtechnologist.com/2020/09/05/use-powershell-to-connect-to-exchange-online-unattended-...) or with a Service Principal (https://docs.microsoft.com/en-us/powershell/azure/active-directory/signing-in-service-principal?view...)
I don't see the need to do it via a powershell script?
If you have access to the Azure portal you can setup the conditional access policy to block legacy authentication pretty easy.

Fair warning though - you should have a look at the sign-in logs of the company to see who is using the legacy authentication before blocking it completely. Many companies have service accounts that do not support MFA, so you need to know those account and exclude them before hand - unless you want a lot of angry phonecalls :D