microsoft 365 admin center

Securing the Modern Workplace: Transitioning from Legacy Authentication to Conditional Access
Authored by: Gonzalo Brown Ruiz, Senior Microsoft 365 Engineer & Cloud Security Specialist
Date: July 2025

Introduction

In today’s threat landscape, legacy authentication is one of the weakest links in enterprise security. Protocols like POP, IMAP, SMTP Basic, and MAPI are inherently vulnerable — they don’t support modern authentication methods like MFA and are frequently targeted in credential stuffing and password spray attacks. Despite the known risks, many organizations still allow legacy authentication to persist for “just one app” or “just a few users.” This article outlines a real-world, enterprise-tested strategy for eliminating legacy authentication and implementing a Zero Trust-aligned Conditional Access model using Microsoft Entra ID.

Why Legacy Authentication Must Die

- No support for MFA: Enables attackers to bypass the most critical security control
- Password spray heaven: Common vector for brute-force and scripted login attempts
- Audit blind spots: Limited logging and correlation in modern SIEM tools
- Blocks Zero Trust progress: Hinders enforcement of identity- and device-based policies

Removing legacy auth isn’t a nice-to-have — it’s a prerequisite for a modern security strategy.

Phase 1: Auditing Your Environment

A successful transition starts with visibility. Before blocking anything, I led an environment-wide audit to identify:

- All sign-ins using legacy protocols (POP, IMAP, SMTP AUTH, MAPI)
- App IDs and service principals requesting basic auth
- Users with outdated clients (Office 2010/2013)
- Devices and applications integrated via PowerShell, Azure Sign-In Logs, and Workbooks

Tools used:

- Microsoft 365 Sign-In Logs
- Conditional Access insights workbook
- PowerShell (Get-SignInLogs, Get-CASMailbox, etc.)

Phase 2: Policy Design and Strategy

The goal is not just to block — it’s to transform authentication securely and gradually.
My Conditional Access strategy included:

- Blocking legacy authentication protocols while allowing scoped exceptions
- Report-only mode to assess potential impact
- Role-based access rules (admins, execs, vendors, apps)
- Geo-aware policies and MFA enforcement
- Service account handling and migration to Graph or Modern Auth-compatible apps

Key considerations:

- Apps that support legacy auth only
- Delegates and shared mailbox access scenarios
- BYOD and conditional registration enforcement

Phase 3: Staged Rollout and Enforcement

A phased approach reduced friction:

- Pilot group enforcement (IT, InfoSec, willing users)
- Report-only monitoring across business units
- Clear communications to stakeholders and impacted users
- User education campaigns on legacy app retirement
- Gradual enforcement by department, geography, or risk tier

We used Microsoft Entra’s built-in messaging and Service Health alerts to notify users of policy triggers.

Phase 4: Monitoring, Tuning, and Incident Readiness

Once policies were in place:

- Monitored Sign-in logs for policy match rates and unexpected denials
- Used Microsoft Defender for Identity to correlate legacy sign-in attempts
- Created alerts and response playbooks for blocked sign-in anomalies

Results:

- 100% of all user and app traffic transitioned to Modern Auth
- Drastic reduction in brute force traffic from foreign IPs
- Fewer support tickets around password lockouts and MFA prompts

Lessons Learned

- Report-only mode is your best friend. Avoids surprise outages.
- Communication beats configuration. Even a perfect policy fails if users are caught off guard.
- Legacy mail clients still exist in vendor tools and old mobile apps.
- Service accounts can break silently. Replace or modernize them early.
- CA exclusions are dangerous. Every exception must be time-bound and documented.

Conclusion

Eliminating legacy authentication is not just a policy update — it’s a cultural shift toward Zero Trust.
By combining deep visibility, staged enforcement, and a user-centric approach, organizations can securely modernize their identity perimeter. Microsoft Entra Conditional Access is more than a policy engine — it is the architectural pillar of enterprise-grade identity security.

Author’s Note: This article is based on my real-world experience designing and enforcing Conditional Access strategies across global hybrid environments with Microsoft 365 and Azure AD/Entra ID.

Copyright © 2025 Gonzalo Brown Ruiz. All rights reserved.

Cancelling Microsoft Customer Agreement (MCA)
I'm a Microsoft CSP provider. My customer wants to cancel their subscriptions because they want to leave Microsoft. Do I need to cancel their MCA or will it be cancelled automatically? If it is necessary to cancel the MCA, where should this be done? Thank you very much!

Locked Out of Global Admin – Lost Authenticator – Case 2602060010000939 – Need Escalation
I am locked out of my Global Administrator account because my phone broke on February 5, 2026 and I no longer have access to Microsoft Authenticator. There is no alternative authentication method configured. Case ID: 2602060010000939. I contacted support on February 6 and the ticket was set as Severity C with an 8-hour response expectation. After several days, I have only received generic replies and no contact from an engineer. This account is critical for my business operations, and I have now been without access for five days. I understand it was my responsibility to maintain backup methods, but I urgently need help from Microsoft to recover access. Please contact me.

Samuel Leo

SharePoint/OneDrive Migrations
What's the strategy supposed to be for tenant to tenant SharePoint/OneDrive migrations now that Microsoft have retired Mover.io? I'm supposed to use Microsoft Migration Manager but this doesn't include tenant to tenant connectors like Mover did.

A Method to track current and upcoming changes to M365 Products
Good evening (from Ireland at least),

I've spent most of today traipsing down a variety of dead-ends and soon-to-be-discontinued features looking to create a useful location where I can find/send all new updates to products that I can peruse and ultimately highlight ones that may be of particular importance in my organisation. I've had a long chat with Copilot today and while I've made significant progress in some areas (had upwards of 30 great questions according to Copilot! ;P), when it comes to the final product, there's always some missing connector, or some RSS feed that is no longer supported. What I'm looking for here is any input on how you manage to stay ahead of changes and I'll share everything I'm doing and have learned as well, in the hope that the discussion is somewhat mutually beneficial.

What I do:

Message Centre: Manually check the Message Center (under Service Health in M365 Admin Center). You can sort by product here and by relevance which is quite handy. Link: https://admin.cloud.microsoft/?#/MessageCenter (Access to the M365 Admin Center on your tenant is required for this). Today I found out you can also send emails to yourself (and Teams channels) here so awaiting the next message to see if this has worked. Unfortunately, there doesn't seem to be a way of migrating past messages over so I'll have to go through these myself first.

Road Maps: These have been the bane of my day. Currently, I actively check the road maps of the products I manage but going forward, I'd like to be able to track major changes to products used in my organisation so I can give users a heads up. I initially tried Power Automate to send updates to myself, however, it's not a feature widely used in our org yet and isn't well supported, so I wasn't too surprised when my efforts were blocked by existing policy. Not long after, I found RSS feeds, which seemed to be the answer to my problems.
I created RSS Feeds for each of the Road Maps that I found useful, assured by Copilot that these would work. The assurance wasn't well founded however as, true to form, once I showed Copilot my errors, they remembered that they were there all along! :') I'm yet to find a useful solution here beyond my current efforts so any assistance would be greatly appreciated.

Community Blogs: The final recommendation was these Community Blog posts which, to be fair, I've had immense success with to date. However, there is a slight issue with filtering. While I did finally get the RSS Feed to work on something (the Tech Comm M365 RSS Feed), it did then proceed to send me a mass of emails on every topic under the Sun & Moon. I've decided to return to the drawing board tomorrow with this, but I'm content in knowing that RSS isn't just a myth at least. I think what I'd like here is just to receive notifications when approved Blogs are posted (i.e., Monthly OneDrive Updates and the equivalent for other products).

OneDrive Office Hours: This is a fantastic resource I do use every month as it gives you the opportunity to get in contact with the people who know the most about the product and the issues you're facing. I've spent weeks in a ticket before, only to raise it in one of these meetings and get a solution that took half an hour to set up. You'll get a yes or a no, but at least you'll have an answer.

Copilot Chat: I don't have the full Copilot license because I haven't had a need for it yet. Everything I've wanted to do, I've been able to do in Copilot Chat. We haven't yet looked too much into Agents, and as a Public body, aren't going to rush into it until we know it's viable and can be supported. In the interim, I'm happy to test the waters with Copilot Chat asking it for Monthly Summaries on a variety of products, time frames, etc. It isn't perfect but it's faster than I am. It can find the sources for me and I can take it from there.
As an organisation, we'll be pushing out all users on the most recent version (-1) on the Monthly Enterprise Channel. This means that they'll be supported whilst also being shielded from any brand new features. Our team will be on the most recent version and will be able to note any upcoming changes ahead of time.

These are what I'm using so far but would be very grateful for any further input.

Thanks in advance,
Chris Martin

Migrating from Google Workspace with Multiple Domains
I am interested in switching from Google Workspace to Microsoft 365 for Business. For context, I just use this personally, but enjoy the custom email and control over my account. I want to switch over because the only product that I use is Gmail, and pay for an additional Microsoft 365 subscription. While I won't be saving any money, or the savings will be negligible, it would be nice to have everything in one ecosystem.

I've looked over how to migrate just one domain, and that seems fairly straight forward. However, I am wondering how feasible it would be to transfer multiple domains, and to switch my primary domain. Below is the structure of my current Google Workspace domains:

- domain1.com | This is used as my primary domain that I log into. Also serves as my primary email.
- domain2.com | Used as an additional email alias for different purposes. Not used for logging in.
- domain3.com | Used as an additional email alias for different purposes. Not used for logging in.

If I wanted to keep domain1.com as my primary domain, I assume that I would do the standard migration and then add domain2.com and domain3.com as additional email aliases. However, I want to switch my primary domain in Microsoft 365 to domain2.com. Is there any way to migrate emails from Google Workspace that's on domain1.com --> domain2.com via Microsoft 365 and make domain2.com the primary domain?

I know that this is a lot, so please ask for clarification if needed. Thanks!

No labs for MB-500 in skillable and xtreme labs (for all MB series)
Hi, for the past few months, we have been unable to find the labs for MB-500. It's causing us trouble to do the trainings. Skillable and Xtreme labs providers are saying there is a problem from Microsoft's end only. Kindly advise us when we can get the labs available.

What is the best way to collaborate between two organizations with Teams?
Hello, I have a Microsoft 365 Business Standard account, and I am the administrator (currently, my Microsoft 365 organization only has one account, mine). I want to configure my Teams account to collaborate with members of another organization who also use Microsoft 365 Business. I have tried several solutions, without success. My goal is to be able to chat online, schedule and organize virtual meetings, and share documents online with members of the other organization via Teams. What is the best way to set up simple and intuitive collaboration between two organizations using Microsoft 365 Business? Thank you in advance for your help.

Microsoft Baseline Security Mode Rolls Out
Microsoft has released a set of security benchmark recommendations for Microsoft 365 tenants that it calls baseline security mode. The recommendations cover authentication, file access, and Teams and the idea is that these are settings that Microsoft believes have proven their value over the years. The only criticism that you might have is about the potential clash for conditional access policies, but that’s not too serious. https://office365itpros.com/2025/12/15/baseline-security-mode/

Third-party access via Organisational Link
Hi, previously when logging into my personal account on a Web Browser, it flashed up with what is typically an organisational message about an IT administrator. After being ping-ponged back and forth between the Microsoft Support teams, it's been suggested there is an organisational link with my personal email account, which absolutely should NOT be the case. My concern is if someone has linked my email with an organisational account, then they are privy to a lot of sensitive information from personal finances to healthcare (this has also correlated with some odd behaviour on certain devices). The agents that I have spoken to have not yet provided me with a viable solution to removing any links to an organisational account, nor getting a list of any organisations or entities that have been linked to my personal account. Does anyone have any ideas as to a way around this? Many thanks.