4 thoughts on “Potential Change in Conditional Access Authentication”

  1. smartass505 says:

    It looks like MS added a change to the roadmap to change Conditional Access to work/block before authentication occurs. I was having a few users getting locked out from around the world due to multiple attempts to access their accounts. This is a much-welcomed improvement.

  2. teh_kyle says:

    FYI – you can do some of this now in Exchange directly. I don’t know if this is directly due to this, but this was something the Exchange team has been working on for some time.


    Announcement: [Disabling Basic authentication in Exchange Online – Public Preview Now Available](https://blogs.technet.microsoft.com/exchange/2018/10/17/disabling-basic-authentication-in-exchange-online-public-preview-now-available/)

    Technical info: [Disable Basic authentication in Exchange Online](https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online?redirectSourcePath=%252fen-us%252farticle%252fdisable-basic-authentication-in-exchange-online-bba2059a-7242-41d0-bb3f-baaf7ec1abd7)

    > “When it’s blocked, Basic authentication in Exchange Online is blocked at the first pre-authentication step (Step 1 in the previous diagrams) before the request reaches Azure Active Directory or the on-premises IdP. The benefit of this approach is brute force or password spray attacks won’t reach the IdP (which might trigger account lock-outs due to incorrect login attempts).”

    This shows the diagram of Exchange 401’ing the auth if using Basic before proxying over to Azure AD for auth.


