On Wednesday June 30, I spoke at the monthly user group meeting of the Microsoft 365 Security & Compliance user group. The Microsoft 365 Security & Compliance user group is based in the UK and consists of Alan Eardley (@al_eardley) and Peter Rising (@M365Rising).
The meeting started with a very interesting session from Sergey Chubarov, who is a Microsoft Azure MVP; his session was titled “Hackers won’t pass – Microsoft 365 Defender in action”. Sergey made hacking a Windows machine look like child’s play, and I would definitely recommend following one of his sessions if you have the chance. He will be speaking at the Workplace Ninja Virtual Edition 2021 in August, for example.
After the session of Sergey, my session started and was about: “Azure AD Conditional Access Demystified – June 2021 edition“. The session was not recorded but you can find the slides I used for your reviewing pleasure on my Github page here: M365 Security and Compliance UG – Conditional Access Demystified – 30062021.pdf
During the session I was asked the following question by Ru Campbell (@rucam365 on Twitter), which in my memory I didn’t answer correctly. His question was: “if you have a grant access requirement such as MFA or device compliance, does this block legacy auth for users/apps in scope too? Or does legacy auth bypass the requirement?“
I believe I answered that in order for MFA to be enforced you must also block legacy authentication, but this is no longer fully true since Microsoft made a change in November last year, announcing that new CA policies will apply to legacy authentication clients by default. This means that if your policy requires MFA or some other grant control that legacy auth clients can’t support, sign-in will be blocked.
I still recommend creating a CA policy blocking legacy authentication though.
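As an added example (not from the session slides or the post itself), the policy recommended above can be created with the Microsoft Graph PowerShell module. It assumes the Microsoft.Graph.Identity.SignIns module is installed, the signed-in account holds the Policy.ReadWrite.ConditionalAccess, Policy.Read.All and Application.Read.All permissions, and that the break-glass account object ID is a placeholder you replace. The policy is created in report-only mode so the sign-in logs show which users and apps would be blocked before it is enforced; the final listing shows the clientAppTypes of every policy so you can see which ones cover legacy clients.

```powershell
# Added example: create a Conditional Access policy that blocks legacy
# authentication clients, starting in report-only mode.
# Assumes the Microsoft.Graph PowerShell module is installed and the account
# used to sign in holds the permissions requested below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

# Placeholder: object ID of your emergency access ("break glass") account.
# It is excluded so an overly broad policy cannot lock every admin out.
$breakGlassId = "<BREAK-GLASS-ACCOUNT-OBJECT-ID>"

$policy = @{
    displayName   = "Block legacy authentication"
    # Report-only first: review Sign-in logs -> Report-only tab, then set to "enabled".
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        # "exchangeActiveSync" and "other" are the client app types that
        # represent legacy (basic authentication) clients.
        clientAppTypes = @("exchangeActiveSync", "other")
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)
        }
        applications   = @{
            includeApplications = @("All")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Check: which policies include legacy client app types? Policies created
# before the November change may still list only "browser"/"mobileAppsAndDesktopClients".
Get-MgIdentityConditionalAccessPolicy |
    Select-Object DisplayName, State, @{ n = "ClientAppTypes"; e = { $_.Conditions.ClientAppTypes -join "," } } |
    Format-Table -AutoSize
```

Leave the policy in report-only mode for a few days; any sign-in that shows up as "would be blocked" is a legacy client that needs to be migrated to modern authentication before you switch the state to "enabled".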