To satisfy the access-protection intent of ECC 2-2-3, block older sign-in methods that cannot reliably enforce modern safeguards such as multi-factor authentication. You can block legacy authentication in Microsoft 365 Entra Conditional Access by creating a Conditional Access policy that targets legacy client apps and applies a Block access grant control, then testing it in report-only mode before enforcement.
For a small business without dedicated security staff, this is one of the highest-value Microsoft 365 identity settings: it prevents older email clients and protocols from submitting only a username and password to access company accounts. It does not replace the broader identity, password, MFA, authorization, privileged-access, and review requirements in ECC 2-2-3, but it provides strong technical evidence that your Microsoft 365 tenant is rejecting weak authentication methods.
What does it mean to block legacy authentication in Microsoft 365 Entra Conditional Access?
Legacy authentication is an older sign-in method used by some email clients, mobile mail apps, and protocols such as older Exchange ActiveSync, POP, IMAP, and SMTP configurations. These connections may submit a password directly and may not support modern authentication prompts, MFA challenges, device checks, or risk-based controls.
Microsoft Entra Conditional Access can identify these connections through the Client apps condition. A policy configured to block Exchange ActiveSync clients and Other clients stops legacy sign-ins while allowing modern Microsoft 365 applications, such as current Outlook, Teams, SharePoint, OneDrive, and browsers, to continue using modern authentication.
You need Microsoft Entra ID P1 licensing for the users covered by Conditional Access. Microsoft 365 Business Premium includes this capability. If you use Microsoft 365 Business Basic or Business Standard alone, confirm your licensing before relying on Conditional Access as evidence of implementation.
How do I configure the policy in Microsoft Entra?
Before switching anything on, identify accounts that may still use older mail settings. Common examples are multifunction printers that scan to email, accounting software that sends invoices, CRM systems, and old mobile email applications. These must be moved to a supported modern-authentication method or a documented secure alternative before you enforce the policy.
-
Sign in with a suitable administrator account.
Go to
https://entra.microsoft.comand sign in using an account with the Conditional Access Administrator, Security Administrator, or Global Administrator role. Do not use a daily email account that has unnecessary Global Administrator privileges. -
Open Conditional Access policies.
In the left navigation, select Entra ID, then select Conditional Access, then select Policies.
-
Create the policy.
Select New policy. In the Name field, enter a clear name such as:
CA - Block legacy authentication - All users
Using a descriptive name helps an assessor and your future IT provider understand the policy without opening every setting.
-
Select the users the policy will protect.
Under Assignments, select Users or workload identities. Select Users and groups, choose All users, and then select Exclude.
Exclude only your designated emergency-access accounts, sometimes called break-glass accounts. Microsoft recommends maintaining two cloud-only emergency accounts with long, unique passwords stored securely and monitored for any use. Do not exclude your own normal administrator account merely for convenience.
-
Target Microsoft 365 resources.
Under Target resources, select Cloud apps. Choose All resources. This is the simplest and most protective setting because a legacy client might attempt to access more than just Exchange Online.
-
Select the legacy client types.
Under Conditions, select Client apps. Set Configure to Yes. Under Modern authentication clients, leave all options unselected. Under Legacy authentication clients, select both:
- Exchange ActiveSync clients
- Other clients
Select Done. The “Other clients” option is important because it covers many older clients and protocols that do not support modern authentication.
-
Block the connection.
Under Access controls, select Grant. Select Block access, then select Select.
-
Start in report-only mode.
At the bottom of the policy page, set Enable policy to Report-only. Select Create. Report-only mode records what would have been blocked without interrupting email or business systems.
What should the finished policy look like?
| Policy setting | Recommended value | Why it matters |
|---|---|---|
| Name | CA - Block legacy authentication - All users | Creates understandable audit evidence. |
| Users | All users, excluding emergency-access accounts only | Prevents unmanaged gaps in coverage. |
| Target resources | All resources | Protects Microsoft 365 and other Entra-integrated apps. |
| Client apps | Exchange ActiveSync clients; Other clients | Identifies legacy authentication attempts. |
| Grant | Block access | Rejects the sign-in rather than requesting MFA. |
| Initial state | Report-only | Lets you find business dependencies safely. |
How do I verify that the legacy-authentication block took effect?
Leave the policy in report-only mode for at least seven days and preferably through a normal business cycle that includes invoicing, scanning, payroll, and automated reporting. During this period, check whether old systems or users would be affected.
-
Review report-only results.
In the Entra admin center, go to Entra ID, Monitoring & health, then Sign-in logs. Add or use filters for the relevant date range, affected user, and application. Open an individual sign-in event and select the Conditional Access tab.
-
Look for your policy by name.
The policy result should show Report-only: Success or indicate that the policy would have applied. Review the Client app value in the sign-in details. Legacy attempts commonly appear as Other clients or Exchange ActiveSync.
-
Fix legitimate dependencies.
If a printer, application, or employee device would be blocked, do not permanently exclude it from the policy without approval and documentation. First, update the application, configure modern authentication, use a supported connector, or replace the unsupported software. If a narrowly scoped exception is genuinely necessary, document the business owner, risk, compensating control, approval, and expiry date.
-
Turn on enforcement.
Return to Entra ID, Conditional Access, Policies, and select CA - Block legacy authentication - All users. Change Enable policy from Report-only to On, then select Save.
-
Confirm a blocked event after enforcement.
Review Sign-in logs again after the policy is on. For a legacy-authentication attempt, the Conditional Access tab should show the policy applied and access blocked. Do not test using your only administrator account or by deliberately breaking a critical mailbox.
You can also use the policy simulation tool at Entra ID > Conditional Access > What If. Select a test user, choose the relevant cloud app, and select a legacy client-app type to confirm that the policy evaluation should result in a block.
What evidence should I capture for an ECC 2-2-3 assessor?
For ECC 2-2-3, an assessor needs more than a verbal statement that old authentication is disabled. Capture evidence that shows the configuration, its scope, its enforcement state, and proof that it is operating.
- A screenshot of the Conditional Access policy overview showing the policy name and On status.
- A screenshot of Users or workload identities showing All users and only documented emergency-access exclusions.
- A screenshot of Target resources showing All resources.
- A screenshot of Conditions > Client apps showing Exchange ActiveSync clients and Other clients selected.
- A screenshot of Grant showing Block access.
- A screenshot of an Entra sign-in log event showing the policy result on the Conditional Access tab.
- A CSV export of relevant sign-in logs, using Download or Export data settings where available, retained with the assessment records.
- Your approved Identity and Access Management Policy, including the requirement to use unique accounts, MFA for remote access, modern authentication, and periodic access review.
- A short management approval record, such as an owner-signed policy approval or approval email, showing who approved the control and date.
Where does Conditional Access fall short of ECC 2-2-3?
A Conditional Access legacy-authentication block is an important technical control, but it is not full compliance with ECC 2-2-3 by itself. It addresses one practical weakness in username-and-password authentication and supports MFA enforcement, but the practice contains wider identity and access management requirements.
| ECC 2-2-3 area | What Conditional Access does | What you still need |
|---|---|---|
| Unique identities and passwords | Can apply sign-in restrictions by user. | Approved password standard, unique named accounts, secure onboarding and offboarding procedures. |
| MFA for remote access | Can require MFA for Microsoft 365 and supported applications. | A separate MFA policy for remote access, VPN access, and documented authentication-factor requirements. |
| Least privilege and segregation of duties | Can restrict access based on identity, app, device, location, and risk. | Role design, approval workflow, group-based access assignments, and documented business justification. |
| Privileged access management | Can protect administrator sign-ins with stronger conditions. | Separate admin accounts, limited administrator roles, privileged-access procedures, and review of administrator logs. |
| Periodic access review | Provides sign-in and policy logs. | A scheduled review of users, admin roles, group memberships, inactive accounts, and application access. |
For a small organization, the practical next step after you block legacy sign-ins is to create a second Conditional Access policy requiring MFA for all users and then document a quarterly review of user accounts, administrator roles, and Microsoft 365 group access.