Control: 5.2.2.3 Enable Conditional Access policies to block legacy authentication
Description
Entra ID supports the most widely used authentication and authorization protocols including legacy authentication. This authentication pattern includes basic authentication, a widely used industry-standard method for collecting username and password information.
The following messaging protocols support legacy authentication:
- Authenticated SMTP - Used to send authenticated email messages.
- Autodiscover - Used by Outlook and EAS clients to find and connect to mailboxes in Exchange Online.
- Exchange ActiveSync (EAS) - Used to connect to mailboxes in Exchange Online.
- Exchange Online PowerShell - Used to connect to Exchange Online with remote PowerShell. If you block Basic authentication for Exchange Online PowerShell, you need to use the Exchange Online PowerShell Module to connect. For instructions, see Connect to Exchange Online PowerShell using multifactor authentication.
- Exchange Web Services (EWS) - A programming interface that's used by Outlook, Outlook for Mac, and third-party apps.
- IMAP4 - Used by IMAP email clients.
- MAPI over HTTP (MAPI/HTTP) - Primary mailbox access protocol used by Outlook 2010 SP2 and later.
- Offline Address Book (OAB) - A copy of address list collections that are downloaded and used by Outlook.
- Outlook Anywhere (RPC over HTTP) - Legacy mailbox access protocol supported by all current Outlook versions.
- POP3 - Used by POP email clients.
- Reporting Web Services - Used to retrieve report data in Exchange Online.
- Universal Outlook - Used by the Mail and Calendar app for Windows 10.
- Other clients - Other protocols identified as utilizing legacy authentication.
Legacy authentication protocols do not support multi-factor authentication. These protocols are often used by attackers because of this deficiency. Blocking legacy authentication makes it harder for attackers to gain access.
Note: Basic authentication is now disabled in all tenants. Before December 31 2022, you could re-enable the affected protocols if users and apps in your tenant couldn't connect. Now no one (you or Microsoft support) can re-enable Basic authentication in your tenant.
Remediation
To remediate using the UI:
- Navigate to the
Microsoft Entra admin centerhttps://entra.microsoft.com. - Click expand
Protection>Conditional AccessselectPolicies. - Create a new policy by selecting
New policy.
- Under
UsersincludeAll users. - Under
Target resourcesincludeAll cloud appsand do not create any exclusions. - Under
ConditionsselectClient appsand check the boxes forExchange ActiveSync clientsandOther clients. - Under
GrantselectBlock Access. - Click
Select.
- Set the policy
Onand clickCreate.
Default Value
Basic authentication is disabled by default as of January 2023.
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v400_5_2_2_3Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run microsoft365_compliance.control.cis_v400_5_2_2_3 --shareSQL
This control uses a named query:
with block_legacy_authentication as ( select tenant_id, count(*) from azuread_conditional_access_policy where client_app_types ?& array['exchangeActiveSync', 'other'] and built_in_controls ?& array['block'] and users -> 'includeUser' ?& array['All'] and jsonb_array_length(users -> 'excludeUser') != 0 group by tenant_id),tenant_list as( select distinct on(tenant_id) tenant_id, _ctx from azuread_user)select tenant_id as resource, case when (select count from block_legacy_authentication where tenant_id = t.tenant_id) > 0 then 'ok' else 'alarm' end as status, case when (select count from block_legacy_authentication where tenant_id = t.tenant_id) > 0 then tenant_id || ' has Conditional Access policies enabled.' else tenant_id || ' has Conditional Access policies disabled.' end as reason , t.tenant_id as tenant_idfrom tenant_list as t;