I have had a few projects now where one of the security requirements for Office 365 was to implement a conditional access policy that blocks legacy authentication (also known as basic authentication). The block enforces modern authentication for all clients: any client that does not use modern authentication is denied access to all Office 365 resources.
In each of these projects, these security policies were enforced prior to moving any mailboxes to Exchange Online. In each case we ran into the same two symptoms:
- The Outlook client (which supports modern authentication) failed to reconfigure after a mailbox migration to Exchange Online
- Any on-premises users with permissions to a migrated mailbox now received a continuous basic authentication prompt
How the conditional access policy was configured
In all cases, the conditional access policy was scoped to all users and all cloud apps.
Under Conditions, Client apps was set to include Mobile apps and desktop clients, with the sub-item Other clients selected. No other conditions were set. The access control was set to Block access.
Note: “Other clients” includes clients that use basic/legacy authentication, and do not support modern authentication. Reference: Conditional Access: Conditions
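The policy described above, expressed as a Microsoft Graph PowerShell call. This is an added example, not the author's script or a Microsoft sample; it assumes the Microsoft.Graph module is installed, that the signed-in account holds the Policy.ReadWrite.ConditionalAccess, AuditLog.Read.All and Directory.Read.All permissions, and that the policy display name is a placeholder. It creates the policy in report-only mode first, then queries the sign-in logs for the "Other clients" traffic the policy would affect, so the symptoms the post goes on to describe can be found before anyone is blocked.

```powershell
# Added example (not from the original post): recreate the conditional access
# policy described above with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; the account used has the
# Policy.ReadWrite.ConditionalAccess, AuditLog.Read.All and Directory.Read.All
# scopes; the display name below is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "AuditLog.Read.All", "Directory.Read.All"

$policy = @{
    displayName = "Block legacy authentication (example)"
    # Report-only: Azure AD evaluates the policy and records the result in the
    # sign-in logs without enforcing it. Switch to "enabled" once the report-only
    # results show no unexpected hits (e.g. Outlook profiles still on RPC/HTTP,
    # on-premises users opening migrated mailboxes).
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # Scoped to all users and all cloud apps, as in the post.
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("All") }
        # "other" is the Graph value for the portal's "Other clients" sub-item
        # under Mobile apps and desktop clients: protocols that cannot perform
        # modern authentication, i.e. basic/legacy authentication.
        clientAppTypes = @("other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Check what the policy would hit: recent sign-ins that Azure AD classified as
# "Other clients" (legacy authentication), grouped by user and application.
Get-MgAuditLogSignIn -Filter "clientAppUsed eq 'Other clients'" -Top 500 |
    Group-Object UserPrincipalName, AppDisplayName |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Run the sign-in query before flipping the policy state to "enabled": each line of its output is a user and application pair that will start failing the moment the block is enforced, which is exactly where the two symptoms listed earlier show up.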
After we migrated a mailbox and Outlook failed to reconfigure (continuous legacy authentication prompts), we could see the failure under Azure AD Sign-ins. Oddly, our Outlook client (Office ProPlus), which supported modern authentication, was being blocked due to legacy authentication.