Forum Discussion
MFA versus Conditional Access
It looks like CA and MFA wont work together to make my desired scenario work.
MFA 100% of the time on things that use legacy auth
Conditional MFA on things that use modern auth
Having protection against things like PowerShell is also going to be preferred. If I users credentials get compromised, i'm going to assume most hackers arent just gonna stroll right up to OWA to try and use it.
My personal opinion is to go with the more secure option - enforce MFA and *disable* app passwords. As mentioned above, there are email clients/apps with support for Modern auth on every platform nowadays, so that should not be a stopper.
- So is there a way to 100% block native email client access and scripting access (like PowerShell) using only Conditional Access (not plain Azure MFA)?
No. It's detailed in this article: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-no-modern-authentication
