cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Legacy Auth Conditional Access

Jeff Harlow
Iron Contributor

‎Apr 08 2021 06:47 AM

‎Apr 08 2021 06:47 AM

Legacy Auth Conditional Access

Of those that have enabled the Block Legacy Auth via Conditional Access, were there any surprises or unexpected turn of events by doing so? 

 

I been watching the Sign in Logs for legacy authentications and taking care of any accounts that were still using them. I believe I have taken care of them all. So, I created a conditional access to block those protocols but set it to Report-Only.  However, two days later, I do not see anything under Report-Only on the Sign in Logs. I do see the policy under the Conditional Access tab and results is Not Applied, which in report-only mode, would make sense. Also going to the Insights, let's just say that does not make any sense at all.  

 

Just wanted to get some feedback on those that have done this on their tenant and how successful it was to implement.  Thanks. 

836 Views
0 Likes
3 Replies
Reply
3 Replies
Vasil Michev

‎Apr 08 2021 09:57 AM

‎Apr 08 2021 09:57 AM

Re: Legacy Auth Conditional Access

You can always add exceptions as necessary, even adding a blank "exclude everything from my trusted locations" rule will greatly reduce your exposure to brute force attacks and such. Usually, it's the multi-functional devices, app integrations and automated scripts that cause trouble, but of course it varies from org to org.
0 Likes
Reply
Jeff Harlow

‎Apr 08 2021 07:07 PM

‎Apr 08 2021 07:07 PM

Re: Legacy Auth Conditional Access

Where is this rule "exclude everything from my trusted locations" ? Can that be applied to the Basic Auth Condition?
0 Likes
Reply
Vasil Michev

‎Apr 08 2021 11:05 PM

‎Apr 08 2021 11:05 PM

Re: Legacy Auth Conditional Access

This: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition
You can configure it as an exception to your policies, so that legacy auth is still allowed for any request coming from said location/IP ranges. You should only use this as a temporary solution though, getting rid of basic auth should still remain the goal.
0 Likes
Reply