Its been a week since I blogged, Today I am writing about various ways that Office 365 admin can block legacy authentication and the order in which it is applied.
In the long past for one of our customers, we had implemented the script that disables POP/IMAP on exchange online at mailbox level.
Set-CASMailbox -Identity sukhija1 -ImapEnabled:$false
Set-CASMailbox -Identity sukhija1 –PopEnabled:$false
Customer contacted us and said why this success for IMAP is coming in Azure AD audit logs, if it is blocked.
At first, we also got confused but after some thought and verifying it with Microsoft it is expected, only authentication is passed but user is still blocked on accessing anything by using IMAP protocol.
So how to avoid this?
Answer lies in the order in which different legacy authentication blocks are applied.
- Conditional Access Policy
- CAS Mailbox
Both Conditional Access Policy and CAS mailbox are applied after the authentication layer, only New-AuthenticationPolicy is applied before the authentication. (refer for details :
Disable Basic authentication in Exchange Online)
With New-AuthenticationPolicy block will happen even before the authentication, see below picture depiction:
Create the authentication policy by using the below cmdlet:
New-AuthenticationPolicy -Name “Block Basic Auth”
To apply the authentication policy to the user use:
Set-User -Identity firstname.lastname@example.org -AuthenticationPolicy “Block Basic Auth”
If you need granularity and want to do it at specific protocol level (refer below link for details:)
With this small post I want to touch base on this aspect of legacy authentication block as same query can be directed towards you and now you will be able to answer it with an explanation.
Thanks for reading…