| title | Block legacy authentication with Conditional Access |
|---|---|
| description | Create a custom Conditional Access policy to block legacy authentication protocols. |
| ms.topic | how-to |
| ms.date | 04/01/2025 |
| ms.reviewer | calebb, lhuangnorth |
Microsoft recommends that organizations block authentication requests using legacy protocols that don't support multifactor authentication. Based on Microsoft's analysis more than 97 percent of credential stuffing attacks use legacy authentication and more than 99 percent of password spray attacks use legacy authentication protocols. These attacks would stop with basic authentication disabled or blocked.
Customers without licenses that include Conditional Access can make use of security defaults to block legacy authentication.
[!INCLUDE active-directory-policy-exclusions]
[!INCLUDE active-directory-policy-deploy-template]
The following steps help create a Conditional Access policy to block legacy authentication requests. This policy is put in to Report-only mode to start so administrators can determine the impact they have on existing users. When administrators are comfortable that the policy applies as they intend, they can switch to On or stage the deployment by adding specific groups and excluding others.
- Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
- Browse to Entra ID > Conditional Access > Policies.
- Select New policy.
- Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
- Under Assignments, select Users or workload identities.
- Under Include, select All users.
- Under Exclude, select Users and groups and choose any accounts that must maintain the ability to use legacy authentication. Microsoft recommends you exclude at least one account to prevent yourself from being locked out due to misconfiguration.
- Under Target resources > Resources (formerly cloud apps) > Include, select All resources (formerly 'All cloud apps').
- Under Conditions > Client apps, set Configure to Yes.
- Check only the boxes Exchange ActiveSync clients and Other clients.
- Select Done.
- Under Access controls > Grant, select Block access.
- Select Select.
- Confirm your settings and set Enable policy to Report-only.
- Select Create to create to enable your policy.
[!INCLUDE conditional-access-report-only-mode]
Note
Conditional Access policies are enforced after first-factor authentication is completed. Conditional Access isn't intended to be an organization's first line of defense for scenarios like denial-of-service (DoS) attacks, but it can use signals from these events to determine access.
To understand if your users have client apps that use legacy authentication, administrators can check for indicators in the sign-in logs with the following steps:
- Sign in to the Microsoft Entra admin center as at least a Reports Reader.
- Browse to Entra ID > Monitoring & health > Sign-in logs.
- Add the Client App column if it isn't shown by clicking on Columns > Client App.
- Select Add filters > Client App > choose all of the legacy authentication protocols and select Apply.
- Also perform these steps on the User sign-ins (non-interactive) tab.
Filtering shows you sign-in attempts made by legacy authentication protocols. Clicking on each individual sign-in attempt shows you more details. The Client App field under the Basic Info tab indicates which legacy authentication protocol was used. These logs indicate users who are using clients that depend on legacy authentication.
Additionally, to help triage legacy authentication within your tenant use the Sign-ins using legacy authentication workbook.