Microsoft Entra: How to Block Legacy Authentication Using Conditional Access
Last Updated on 19 July 2025
Protocols such as POP3, IMAP, SMTP, or MAPI rely on outdated authentication methods known as legacy authentication. These methods do not support modern security mechanisms such as multi-factor authentication (MFA), making them a preferred entry point for attackers.
Microsoft highlights the risk with striking figures:
- more than 99% of password spray attacks use legacy authentication protocols
- more than 97% of credential stuffing attacks use legacy authentication
- Organizations that have disabled legacy authentication experience 67% fewer successful attacks
Source: New tools to block legacy authentication in your organization | Microsoft Community Hub
This makes it all the more important to detect and block the use of legacy authentication. This article provides a step-by-step guide on how to identify legacy authentication in the Microsoft Entra Sign-in logs and block it using Microsoft Entra Conditional Access.
Prerequisites and Licensing
Licensing
Blocking legacy authentication requires Microsoft Entra Conditional Access, which is included in the following plans:
- Microsoft Entra ID P1 or higher
A current overview of Microsoft 365 plans and their feature sets is available at https://m365maps.com/.
Roles
The following roles are suitable for blocking legacy authentication, following the principle of least privilege:
| Role | Description |
| --- | --- |
| Reports Reader | Read and filter Microsoft Entra Sign-in logs |
| Conditional Access Administrator | Configure and manage Microsoft Entra Conditional Access |
Identify Vulnerable Client Apps
Before blocking legacy authentication, the sign-in logs in Microsoft Entra ID reveal which accounts are still using outdated authentication methods to access client applications.
Microsoft Entra admin center (https://entra.microsoft.com) > Entra ID > Users > Sign-in logs
- Add the Client App column to the sign-in log
- Define the time range for the analysis
- Add the Client App as a filter criterion
- Select all legacy authentication clients

The filtered view shows which sign-ins still rely on legacy authentication methods and should be reviewed in detail before applying a Microsoft Entra Conditional Access policy.

Blocking Legacy Authentication
Once there are no remaining dependencies on legacy authentication, access using outdated authentication methods can be blocked through Microsoft Entra Conditional Access.
Microsoft Entra admin center (https://entra.microsoft.com) > ID Protection > Risk-based Conditional Access > New policy

Assign a Name to the Microsoft Entra Conditional Access policy.
Naming conventions are described here: Plan a Microsoft Entra Conditional Access deployment – Microsoft Entra ID | Microsoft Learn

Select Users for this policy.
The policy applies to all user accounts. In exceptional cases, targeted exclusions can be defined. Emergency Accounts should be excluded.

Set the Target resources to All cloud resources (formerly All cloud apps).

Under Conditions > Client apps > Legacy authentication clients, select the options Exchange ActiveSync clients and Other clients.

Under Grant, select the option Block access.

Enable the policy by setting it to On, then select Create to save it.

The policy to block legacy authentication is now configured and active.
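Both steps above, reviewing the sign-in logs for legacy clients and then creating the blocking policy, can also be scripted with the Microsoft Graph PowerShell SDK. The following is an added example and not code from the original article; it assumes the Microsoft.Graph module is installed, that the signed-in account has the listed roles and Graph permissions, and it creates the policy in report-only mode so its impact can be checked before switching it to On. The emergency-account object ID and the policy name are placeholders.

```powershell
# Added example (not from the original article): review legacy-auth sign-ins, then
# create the Conditional Access policy described above in report-only mode.
# Assumes the Microsoft.Graph PowerShell SDK is installed.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All",
                        "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# --- Step 1: identify accounts still using legacy authentication -----------------
# Modern-auth values of the "Client app" column; every other value (POP3, IMAP4,
# SMTP, Exchange ActiveSync, "Other clients", ...) is a legacy authentication client.
$modernClients = @("Browser", "Mobile Apps and Desktop clients")
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")

$legacySignIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -and ($modernClients -notcontains $_.ClientAppUsed) }

# One row per user/client pair with the sign-in count: the dependencies to clean up
# before the policy is enforced.
$legacySignIns |
    Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object Count,
                  @{ n = "User";      e = { $_.Values[0] } },
                  @{ n = "ClientApp"; e = { $_.Values[1] } } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# --- Step 2: create the blocking policy (report-only first) -----------------------
# Placeholder: object ID of the emergency (break-glass) account to exclude.
$breakGlassId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "CA - Block legacy authentication"          # placeholder name
    state       = "enabledForReportingButNotEnforced"         # set to "enabled" after review
    conditions  = @{
        clientAppTypes = @("exchangeActiveSync", "other")     # Legacy authentication clients
        applications   = @{ includeApplications = @("All") }  # All cloud resources
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")                          # Grant > Block access
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Report-only results appear in the sign-in log under the policy's name; once no legitimate sign-ins are reported as blocked, change the state to `enabled`.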
