Last week Microsoft published the long-awaited feature in the Conditional Access pipeline, the ability to block legacy authentication, and I finally had some time to test it. I realized I needed to run the scenarios below to convince myself that this really works.
Tested from a Windows 8.1 client with two CA policies, both of which recognize legacy authentication (other clients below):
- CA policy which requires MFA for all cloud workloads
- CA Policy which blocks access to all cloud workloads
With a browser, the MFA prompt appears as expected when MFA is required.
With PowerShell module 0.9xxx, CA recognizes the legacy (basic) authentication and an exception is thrown in the shell when MFA is required.
When access to cloud workloads is blocked entirely, the older PowerShell module reports “This account is blocked”.
Just out of curiosity, I had to check that that’s not the case.
Conditional Access (CA) has quickly become one of the most popular Azure AD features that Microsoft customers want to implement. The concept is excellent: with CA you get a single gate where access to cloud resources is managed.
Authentication types (docs.microsoft.com)
There are two authentication types in Office 365: legacy authentication and modern authentication. Some cloud apps also support legacy authentication protocols. This applies, for example, to SharePoint Online and Exchange Online. When a client app can use a legacy authentication protocol to access a cloud app, Azure AD cannot enforce a conditional access policy on this access attempt. To prevent a client app from bypassing the enforcement of policies, you should check whether it is possible to only enable modern authentication on the affected cloud apps. Examples for client apps conditional access does not apply to are:
- Office 2010 and earlier
- Office 2013 when modern authentication is not enabled
This can lead to a situation where an admin does not receive an MFA prompt, even though MFA is required in the authentication flow, when using a client that does not support modern authentication. One such application is the older Azure AD PowerShell module. If you are using PowerShell module 1.0 or lower and rely on CA policies to enforce MFA for admins, I highly encourage you to test these scenarios in your environment.
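One way to repeat the two scenarios from a PowerShell session, as an added example that is not part of the original post: the legacy path uses the MSOnline module with an explicit credential (basic authentication, as described above for the older module), the modern path uses the AzureAD module with an interactive sign-in. The module names, the test account and the `Test-*` function names are assumptions of this script, not something the post specifies.

```powershell
# Added example (not from the original post): a small harness that repeats the two
# test scenarios so a CA policy can be validated against an admin's own tenant.
# Assumes the MSOnline module (legacy/basic auth when -Credential is passed) and the
# AzureAD module (modern auth) are installed; the account is whichever test admin
# the CA policy targets, which is an assumption of this script.

$cred = Get-Credential -Message "Test admin account that the CA policy applies to"

function Test-LegacyAuthPath {
    param([pscredential]$Credential)
    # Scenario A: MSOnline with an explicit credential object signs in with basic
    # (legacy) authentication. Under a CA policy that requires MFA or blocks access,
    # the expected result is an exception (for example "This account is blocked").
    try {
        Connect-MsolService -Credential $Credential -ErrorAction Stop
        return [pscustomobject]@{ Path = 'Legacy (basic)'; Result = 'Sign-in succeeded'; Note = 'CA did not intercept legacy auth' }
    } catch {
        return [pscustomobject]@{ Path = 'Legacy (basic)'; Result = 'Rejected'; Note = $_.Exception.Message }
    }
}

function Test-ModernAuthPath {
    param([string]$UserPrincipalName)
    # Scenario B: the AzureAD module without -Credential performs an interactive
    # modern-auth sign-in, so the MFA prompt (or the block page) is shown by Azure AD.
    try {
        Connect-AzureAD -AccountId $UserPrincipalName -ErrorAction Stop | Out-Null
        return [pscustomobject]@{ Path = 'Modern (OAuth)'; Result = 'Sign-in completed'; Note = 'MFA prompted interactively if required' }
    } catch {
        return [pscustomobject]@{ Path = 'Modern (OAuth)'; Result = 'Rejected'; Note = $_.Exception.Message }
    }
}

@(
    Test-LegacyAuthPath -Credential $cred
    Test-ModernAuthPath -UserPrincipalName $cred.UserName
) | Format-Table -AutoSize
```

A "Sign-in succeeded" result on the legacy row is the finding to act on: it means the CA policy was not applied to the basic-authentication path, which is exactly the gap the post describes. Run it once with the MFA policy and once with the block policy to reproduce both table rows.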
Conditional Access policy settings
Test Results – Table summarizes scenarios and results
Browser login with Windows 10 from internal network
Azure AD PowerShell module
Microsoft has done amazing work with the Conditional Access concept, and it is one of the most popular Azure AD features, but it has a caveat: legacy authentication. As always there is a workaround, and if the company security policy states that legacy authentication cannot be used, it can be blocked at:
- Service level (requires all applications used to support modern authentication)
- ADFS policies
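The service-level workaround in practice, as an added example that is not part of the original post: enable modern authentication in Exchange Online and switch legacy protocols off in the services themselves. The cmdlets are the standard Exchange Online and SharePoint Online management cmdlets; the policy name and `<tenant>` are placeholders chosen here, and the open Exchange Online session is an assumption.

```powershell
# Added example (not from the original post): service-level blocking of legacy
# authentication. Assumes an Exchange Online PowerShell session is already open and
# the SharePoint Online Management Shell is installed; "<tenant>" is a placeholder.

# Exchange Online: enable modern authentication (OAuth) so Office 2013+ and the newer
# PowerShell modules use it. This alone does not refuse basic auth; the authentication
# policy below does that (every AllowBasicAuth* switch defaults to $false) once it is
# made the organisation default.
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
New-AuthenticationPolicy -Name "Block Basic Auth"
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

# Verify the Exchange Online state.
Get-OrganizationConfig | Select-Object OAuth2ClientProfileEnabled, DefaultAuthenticationPolicy
Get-AuthenticationPolicy -Identity "Block Basic Auth" | Format-List AllowBasicAuth*

# SharePoint Online: refuse legacy authentication protocols tenant-wide.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"
Set-SPOTenant -LegacyAuthProtocolsEnabled $false
Get-SPOTenant | Select-Object LegacyAuthProtocolsEnabled
```

Note that enabling modern authentication and blocking basic authentication are separate switches in Exchange Online; the first is what the post means by "requires all applications used to support modern authentication", the second is what actually closes the door. Re-run the test harness against the tenant afterwards to confirm the older PowerShell module can no longer sign in.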
According to information from Microsoft, the ability to block legacy authentication is coming to the Conditional Access engine in the near future, but dates are still unknown.