How to Disable Basic Authentication in Microsoft Entra ID Using Conditional Access

Introduction

Basic Authentication, often referred to as Legacy Authentication, is a simple but outdated method for accessing Microsoft 365 services. It uses basic username and password authentication mechanisms, making it a common target for cyberattacks like brute force and password spray attacks. With the widespread adoption of Modern Authentication, which offers advanced security features such as Multi-Factor Authentication (MFA), it’s essential to block Basic Authentication to secure your organization’s resources.

In this comprehensive guide, we’ll explore how to disable Basic Authentication using Conditional Access policies in Microsoft Entra ID (formerly Azure Active Directory). This step-by-step guide will help you protect your organization’s data while ensuring compliance with modern security practices.

Why Disable Basic Authentication?

Disabling Basic Authentication is crucial for the following reasons:

Enhanced Security: Basic Authentication does not support modern security standards like MFA, making it highly vulnerable to attacks.
Reduced Attack Surface: Blocking legacy protocols such as POP, IMAP, and SMTP reduces entry points for attackers.
Compliance: Many regulatory standards require the use of secure authentication mechanisms.

By disabling Basic Authentication, you can force users and applications to use Modern Authentication, which provides robust security capabilities.

Prerequisites

Before proceeding, ensure the following:

Modern Authentication is Enabled: Verify that Modern Authentication is enabled for your tenant. Most Microsoft 365 tenants have this enabled by default.
Audit Legacy Authentication Usage: Use Azure AD sign-in logs to identify users and applications still relying on Basic Authentication.
Client and Application Updates: Ensure that all client applications support Modern Authentication.

Step-by-Step Guide to Disable Basic Authentication

Step 1: Access the Microsoft Entra Admin Center

Go to the Microsoft Entra Admin Center.
Sign in with your administrator credentials.
Navigate to Protection > Conditional Access.

Step 2: Create a New Conditional Access Policy

Click + New policy to create a new policy.
Assign a descriptive name, such as “Block Legacy Authentication.”

Step 3: Configure Assignments

Users or Groups

Under Assignments, select Users and groups.
Choose All users to apply the policy to everyone or select specific groups if you want to roll it out incrementally.

Cloud Apps or Actions

Select Cloud apps or actions.
Choose All cloud apps to ensure all services are protected.

Conditions

Navigate to Conditions > Client apps.
Enable the toggle and select only Legacy Authentication clients.

Step 4: Set Access Controls

Under Access controls, select Block access.
Review your settings to confirm that Basic Authentication is effectively blocked.

Step 5: Enable and Test the Policy

Set the policy to On and click Create.
Test the policy with a pilot group before rolling it out organization-wide.

Additional Recommendations

Disable Basic Authentication Protocols

Although the Conditional Access policy blocks Basic Authentication for modern clients, you can further enhance security by disabling legacy protocols entirely:

Exchange Online PowerShell: Run the following commands to disable specific protocols: Set-CASMailbox -Identity "<UserMailbox>" -PopEnabled $false -ImapEnabled $false -MAPIEnabled $false -ActiveSyncEnabled $false
Microsoft 365 Admin Center:
- Navigate to Settings > Org settings > Modern Authentication.
- Disable legacy authentication protocols.

Monitor Sign-In Activity

Use the Azure AD (Entra ID) Sign-In logs to:

Identify attempts to use Basic Authentication.
Ensure the policy is functioning correctly.

Communicate with Users

Inform users and IT teams about the changes and potential impacts. Provide guidance on updating clients and applications to ensure a seamless transition.

Table: Comparison of Basic Authentication vs. Modern Authentication

Feature	Basic Authentication	Modern Authentication
Security	Low	High
Multi-Factor Authentication	Not Supported	Supported
Token-Based Authentication	Not Supported	Supported
Vulnerability to Attacks	High	Low

Conclusion

Disabling Basic Authentication in Microsoft Entra ID using Conditional Access policies is a critical step toward securing your organization’s data and reducing vulnerability to attacks. By blocking outdated authentication methods and enforcing Modern Authentication, you can ensure compliance with security best practices while maintaining seamless user experiences.

Medha Cloud specializes in Microsoft 365 and Windows Server management. If you need assistance with implementing Conditional Access policies or enhancing your organization’s security, contact Medha Cloud today for expert support.

Secure your Microsoft 365 environment now. Schedule a consultation with Medha Cloud.

Reach us at:

India: +91 93536 44646
US: +1 646 775 2855
Website: www.medhacloud.com
Email: info@medhacloud.com

Benjamin Gbolaru

I'm Benjamin, a Microsoft 365 Specialist, helping small and large businesses deploy, configure, and secure M365 environments to maximize the benefits of Microsoft tools. With sound expertise in driving cloud adoption, identity and access management (IAM), security monitoring, system reliability, and proactive troubleshooting.