IBP-IDENTITY-All Apps: [Block Legacy Auth] For [All Users]

🎯 Purpose

✅ Block all legacy authentication protocols (Basic Auth) across the entire tenant to prevent unauthorised or insecure sign‑ins.
➡️ This enforces modern authentication only, strengthening identity security and reducing credential‑based attacks.


👥 Who is affected

Users: All users
🚫 Exclusions: One exception group (commonly used for break‑glass or legacy‑migration accounts)

➡️ All users are blocked from legacy authentication unless they are in the excluded exception group.


☁️ What access is protected

Applications: All cloud applications
Client types:

  • Exchange ActiveSync

  • All other legacy protocols (POP, IMAP, SMTP AUTH, basic auth clients, old Office clients, etc.)

➡️ Any legacy authentication attempt to any Microsoft cloud service is blocked.


🔐 How legacy authentication is blocked

Client App Types targeted:

  • exchangeActiveSync

  • other (POP, IMAP, SMTP AUTH, MAPI/HTTP, RPC/HTTP, Autodiscover, PowerShell Basic Auth, older Office clients)

➡️ This aligns with Microsoft’s recommended configuration for tenant‑wide legacy auth blocking.

Grant control:

  • Block access

➡️ No fallbacks. No MFA option. No alternative grant.
All legacy authentication attempts are immediately rejected.
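The policy described above, expressed as a Microsoft Graph PowerShell script. This is an added example, not the tenant's own deployment script: it assumes the Microsoft.Graph.Identity.SignIns module is installed, that the caller has been granted the Policy.Read.All and Policy.ReadWrite.ConditionalAccess permissions, and that the exception group's object ID is substituted for the placeholder. The request body mirrors the policy settings listed on this page (all users minus one exception group, all cloud apps, client app types exchangeActiveSync and other, grant control Block).

```powershell
# Added example (not from the original article): creates the "Block Legacy Auth" policy
# described above with Microsoft Graph PowerShell.
# Assumes: Microsoft.Graph.Identity.SignIns is installed and the signed-in account holds
# Policy.Read.All and Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object ID of the single exception group (break-glass / legacy-migration accounts).
$exceptionGroupId = "<EXCEPTION-GROUP-OBJECT-ID>"

$policy = @{
    displayName = "IBP-IDENTITY-All Apps: [Block Legacy Auth] For [All Users]"
    # "enabled" enforces immediately; use "enabledForReportingButNotEnforced" to stage the
    # policy in report-only mode and review the sign-in log impact before switching it on.
    state       = "enabled"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($exceptionGroupId)
        }
        applications = @{
            includeApplications = @("All")
        }
        # Only the legacy client types are targeted. Modern-auth clients ("browser" and
        # "mobileAppsAndDesktopClients") are deliberately left out, so they are unaffected.
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")   # no MFA, no compliant-device alternative: block outright
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Leaving `clientAppTypes` at the two legacy values is what keeps this policy narrow: a policy that targets all client app types with a Block grant would lock every user out of every cloud application. Staging with `enabledForReportingButNotEnforced` first lets you confirm that nothing outside the exception group still depends on Basic Auth before the switch to `enabled`.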


ℹ️ Note

This control ensures the tenant uses modern OAuth 2.0 authentication only, significantly reducing password spraying, credential stuffing, and session hijacking attacks.


⚙️ What this policy does NOT enforce

🚫 MFA requirements
🚫 Device compliance
🚫 Location restrictions
🚫 Platform restrictions
🚫 Risk‑based evaluation
🚫 Session controls

➡️ The policy focuses exclusively on blocking legacy protocols.


🟢 Policy status

Enabled
➡️ Actively blocking all legacy authentication attempts.
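A way to confirm the policy is doing its job once enabled is to review recent sign-ins that used a legacy protocol and check whether Conditional Access rejected them. The script below is an added example, not part of the original article: it assumes the Microsoft.Graph.Reports module is installed, that the caller holds AuditLog.Read.All and Directory.Read.All, and that the listed `ClientAppUsed` strings match the values your tenant's sign-in log reports (the ones here are the common legacy values; compare against your own log before relying on the list).

```powershell
# Added example (not from the original article): summarise the last 24 hours of legacy-auth
# sign-ins and show whether Conditional Access blocked them.
# Assumes: Microsoft.Graph.Reports is installed and the signed-in account holds
# AuditLog.Read.All and Directory.Read.All.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# ClientAppUsed values that indicate a legacy (basic) authentication client.
# Assumed list: verify against the values actually present in your tenant's sign-in log.
$legacyClients = @(
    "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP",
    "Exchange Web Services", "Exchange Online PowerShell", "Other clients"
)

$since   = (Get-Date).AddDays(-1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $legacyClients -contains $_.ClientAppUsed }

# Overview: how many legacy attempts per protocol, and the Conditional Access outcome
# (ConditionalAccessStatus is "failure" when a CA policy blocked the sign-in).
$signIns |
    Group-Object ClientAppUsed, ConditionalAccessStatus |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Detail: legacy sign-ins that were NOT stopped by Conditional Access. Each one is either an
# account in the exception group (expected) or a gap in coverage that needs investigating.
$signIns |
    Where-Object { $_.ConditionalAccessStatus -ne "failure" } |
    Select-Object CreatedDateTime, UserPrincipalName, ClientAppUsed, AppDisplayName,
                  @{ Name = "ErrorCode"; Expression = { $_.Status.ErrorCode } } |
    Format-Table -AutoSize
```

Blocked attempts show a `ConditionalAccessStatus` of `failure` with error code 53003 (the standard "blocked by Conditional Access" result). The second listing is the one to watch over time: any legacy sign-in that succeeds should map to a known break-glass or migration account, and any other entry means a user or device is still reaching the tenant with Basic Auth outside the policy's intent.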


📘 Security Alignment

✅ Aligns with Microsoft best practice and modern identity hardening
✅ Eliminates insecure authentication pathways
ℹ️ This is foundational for Zero Trust and supports Essential Eight uplift by reducing attack surface.


📘 Practical Interpretation (Executive‑Friendly)

This Conditional Access policy ensures that:

✅ Every user
✅ Accessing any Microsoft cloud application
❌ Cannot authenticate using legacy protocols

Only modern, secure authentication is allowed.

This reduces identity compromise risk, protects against common attack vectors, and enforces a strong baseline for secure cloud access.