KURAL.ai

Legacy authentication must be blocked by Conditional Access

IDENTITY.ENTRA.CA.LEGACY_AUTH · GLOBAL · operational_security
Severity
high
Cadence
daily
Region
global
Current status (Apollo Gaming Ltd.)
not evaluated

Requirement

A Conditional Access policy must be enabled that blocks legacy authentication protocols (Exchange ActiveSync, IMAP4, POP3, SMTP AUTH, other) for all users. Legacy authentication protocols cannot complete an MFA challenge, so they bypass MFA entirely, and they are the leading vector for credential-stuffing attacks on Microsoft 365.

Source: Microsoft Security baseline — disable legacy authentication

Remediation guidance

Create a Conditional Access policy targeting all users and all cloud apps, with client app types = exchangeActiveSync + other and grant = block. Roll it out in report-only mode for 7 days first so that service accounts still relying on legacy protocols are identified before they are locked out.

Evidence specification

Evidence type: infra_config
Connector: idp-entra
Spec:
{
  "query": "conditional_access_policies",
  "required_fields": [
    "id",
    "displayName",
    "state",
    "conditions",
    "grantControls"
  ]
}
Acceptance criteria:
  • at least one policy with state=enabled whose conditions.clientAppTypes includes both 'exchangeActiveSync' and 'other' and whose grantControls.builtInControls includes 'block'
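An added example of how the acceptance criterion above can be evaluated over the idp-entra evidence; this is illustrative code, not KURAL.ai's connector, and it assumes the policy objects follow the Microsoft Graph conditionalAccessPolicy shape. It goes slightly beyond the acceptance line by also requiring the policy to be scoped to all users, as the Requirement states, and by separately surfacing qualifying policies that are still in report-only mode.

```python
# Added example, not KURAL.ai's connector code. Input follows the Microsoft Graph
# conditionalAccessPolicy shape: state, conditions.clientAppTypes,
# conditions.users.includeUsers and grantControls.builtInControls.
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}

def _client_app_types(policy: dict) -> set:
    return set((policy.get("conditions") or {}).get("clientAppTypes") or [])

def blocks_legacy_auth(policy: dict) -> bool:
    """Enforced, scoped to all users, covers both legacy app types, grant = block."""
    if policy.get("state") != "enabled":  # report-only or disabled does not count
        return False
    if not LEGACY_CLIENT_APP_TYPES <= _client_app_types(policy):
        return False
    users = (policy.get("conditions") or {}).get("users") or {}
    if "All" not in (users.get("includeUsers") or []):  # requirement says all users
        return False
    return "block" in ((policy.get("grantControls") or {}).get("builtInControls") or [])

def evaluate(policies: list) -> dict:
    """Acceptance check: pass if at least one policy satisfies blocks_legacy_auth.
    Qualifying policies still in report-only mode are listed so a reviewer can
    see a rollout that has not yet been enforced."""
    satisfying = [p["id"] for p in policies if blocks_legacy_auth(p)]
    report_only = [p["id"] for p in policies
                   if p.get("state") == "enabledForReportingButNotEnforced"
                   and LEGACY_CLIENT_APP_TYPES <= _client_app_types(p)]
    return {"passed": bool(satisfying), "satisfying": satisfying, "report_only": report_only}

# Constructed sample evidence (not real tenant data): a report-only pilot, an MFA
# policy that covers only ActiveSync, and one enforced policy that satisfies the control.
SAMPLE_POLICIES = [
    {"id": "ca-001", "displayName": "Block legacy auth (pilot)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"], "users": {"includeUsers": ["All"]}},
     "grantControls": {"builtInControls": ["block"]}},
    {"id": "ca-002", "displayName": "Require MFA for ActiveSync", "state": "enabled",
     "conditions": {"clientAppTypes": ["exchangeActiveSync"], "users": {"includeUsers": ["All"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"id": "ca-003", "displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"], "users": {"includeUsers": ["All"]}},
     "grantControls": {"builtInControls": ["block"]}},
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_POLICIES))  # {'passed': True, 'satisfying': ['ca-003'], 'report_only': ['ca-001']}
```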

Recent evaluations (Apollo Gaming Ltd.)

No evaluation history for this control yet.