Microsoft Entra Conditional Access has an active policy that blocks legacy authentication for All users and All cloud apps by targeting legacy client app types (e.g., Exchange ActiveSync, other basic-auth clients) and enforcing Block access.
Risk
Allowing legacy authentication enables password spray and credential stuffing that bypass MFA, leading to account takeover. Compromised sessions threaten confidentiality (mail, files), integrity (settings, data changes), and availability, and enable lateral movement across Microsoft 365.
prowler m365 --checks entra_legacy_authentication_blocked
Recommendation
Enforce a tenant-wide policy to block legacy authentication for All users and All cloud apps, targeting legacy client app types. Migrate apps and devices to modern authentication. Keep minimal, monitored exclusions for break-glass/service accounts, prefer managed identities, and apply zero trust and least privilege.
Remediation
az rest --method post --url https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies --body '{"displayName":"<example_policy_name>","state":"enabled","conditions":{"users":{"includeUsers":["All"]},"applications":{"includeApplications":["All"]},"clientAppTypes":["exchangeActiveSync","other"]},"grantControls":{"builtInControls":["block"],"operator":"OR"}}'
- Go to Microsoft Entra admin center > Protection > Conditional Access > Policies
- Click New policy
- Users: Include > All users
- Target resources (cloud apps): Include > All apps
- Conditions > Client apps: Configure = Yes; select only Exchange ActiveSync clients and Other clients
- Grant > Block access > Select
- Enable policy: On, then Create
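To confirm the outcome of the steps above without the portal, the following added example (not Prowler's check code) applies this page's criteria to a constructed GET /identity/conditionalAccess/policies response: enabled state, All users, All apps, both legacy client app types, Block grant. Treating any user or group exclusion as a failure, and the function names, are assumptions of this example.

```python
import json

# Constructed sample Graph response (not captured from a real tenant). The last
# policy matches the shape created by the az rest command above; the first two
# are common near-misses that must not count as a pass.
SAMPLE_GRAPH_RESPONSE = json.dumps({"value": [
    {"displayName": "Block legacy auth (report only)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Block EAS only", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]})

# Both legacy client app types must be targeted; "exchangeActiveSync" alone
# leaves other basic-auth clients (IMAP, POP, SMTP AUTH) unblocked.
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}


def blocks_legacy_auth(policy: dict) -> bool:
    """True if one policy is enabled (not report-only), scoped to All users and
    All apps, targets both legacy client app types, and grants Block. Any user
    or group exclusion fails this strict test (an assumption of this example)."""
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    grant = policy.get("grantControls") or {}
    return (
        policy.get("state") == "enabled"
        and users.get("includeUsers") == ["All"]
        and not users.get("excludeUsers") and not users.get("excludeGroups")
        and apps.get("includeApplications") == ["All"]
        and LEGACY_CLIENT_APP_TYPES <= set(cond.get("clientAppTypes") or [])
        and "block" in (grant.get("builtInControls") or [])
    )


def legacy_auth_blocked(graph_response_json: str) -> list:
    """Display names of policies that block legacy auth tenant-wide; an empty
    list means the tenant would FAIL this check."""
    policies = json.loads(graph_response_json).get("value", [])
    return [p["displayName"] for p in policies if blocks_legacy_auth(p)]


if __name__ == "__main__":
    print(legacy_auth_blocked(SAMPLE_GRAPH_RESPONSE))  # ['Block legacy auth']
```

Feed it the JSON from `az rest --method get --url https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies` to evaluate a real tenant.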
Resource Type: NotDefined