Block Access to legacy Apps using Azure AD conditional Access in Office 365

Blocking Legacy app access for office 365 mailboxes using Azure Conditional Access rule

What are the Legacy Apps: Legacy app are those apps which do not support the Modern authentication method also known as 2nd-factor authentication.

Why we should block Legacy App access:  If you have implemented the MFA and allow mailbox access outside the organization network, then in case user credentials are compromised, an attacker can use these apps to gain access to the user mailbox.

Example Apps: Below I am using the EWS editor and ThunderBird, even though the MFA for the user is enforced, I still could access the user mailbox.


Preventative action: Implement the Azure conditional access rule to block access to legacy apps.
So even though I can disable IMAP/POP and EWS access for the mailboxes at the mailbox level, but there may still be some mailboxes where you need to enable these protocols, so in such situation, we would want access to these mailboxes to be prevented outside of the organization network.
Policy: Below is the policy I created to block the access to legacy apps, we just need to select the “Other clients” under Client Apps, to allow access of trusted network we can select the trusted IPs locations from the location section.


Once we enabled the policy it took 24 hours before the policy was in effect, disabling the policy allowed access back in few mins.

Below screenshot shows the behavior on connected thunderbird client.


EWS connection would also be refused with the error below.


This complete my post on blocking access to legacy apps, I hope this has been informative.

Comments